Iubenda logo
Start generating


Table of Contents

PECR: Everything you need to know

In this article, we’ll take you through everything you need to know about the UK’s PECR (Privacy and Electronic Communications Regulations).

What does PECR stand for?

PECR stands for Privacy and Electronic Communications Regulations. They are part of the regulatory framework in the United Kingdom and are intended to complement the broader data protection legislation, such as the Data Protection Act and the UK GDPR. It governs the use of cookies and similar technologies, as well as electronic communications like marketing calls or emails.

What is the PECR?

The Privacy and Electronic Communications Regulations (PECR) is a set of regulations in the UK that gives individuals specific privacy rights in relation to electronic marketing communications. The regulation governs the use of cookies and similar technologies, unsolicited electronic communications (such as spam), and the processing of personal data in the context of electronic communications services. 

The regulation is implemented by the Information Commissioner’s Office (ICO) and is designed to complement the data protection principles set out in the General Data Protection Regulation (GDPR).

What is the difference between PECR and GDPR?

PECR (Privacy and Electronic Communications Regulations) is a UK specific regulation that covers electronic marketing communications and the use of cookies. On the other hand, GDPR (General Data Protection Regulation) is a regulation from the European Union that governs the protection and privacy of personal data for all individuals within the EU. The GDPR sets a higher standard for data protection and privacy, and applies to all organizations operating within the EU, while the PECR applies only to organizations operating in the UK.

PECR complements the GDPR by providing additional protections for specific processing activities that are particularly relevant to electronic communications services, such as the use of cookies and similar technologies, direct marketing, and the privacy of communications.

Overall, PECR and GDPR work together to provide a comprehensive framework for the protection of personal data in the UK, with PECR regulations filling in any gaps and providing additional protections where necessary in the context of electronic communications services.

How does PECR fit with the UK GDPR? The PECR and the GDPR both regulate the processing of personal data in the UK. However, while the GDPR provides a general framework for the protection of personal data, PECR specifically addresses the processing of personal data in the context of electronic communications services.

👉 See here for more on the UK’s GDPR.

Does PECR still apply in the UK?

Yes, PECR still applies in the UK at the time of this writing. They were first created in 2003, and they have been amended a number of times. The more recent changes were made in 2018 and then in 2019 regarding cold-calling requirements. The latest version of the PECR came into effect on 29 March 2019.

Currently, PECR regulations continue to apply alongside the UK GDPR, and the ICO (Information Commissioner’s Office) will keep their guidance under review and update it where necessary, following the European ePrivacy regulation.

What is the Pecr and ePrivacy Regulation?

The PECR and the ePrivacy Regulation are closely related legislative frameworks, both focusing on privacy in electronic communications (i.e. marketing, cookies). The PECR is a national law in the UK, derived from a European legislation called the ePrivacy Directive 2002, which each EU member state has transposed into its national law.

The ePrivacy Regulation, on the other hand, is a proposed piece of legislation intended to replace the ePrivacy Directive. It aims to harmonize the privacy rules across the EU and ensure consistency with the GDPR. The ePrivacy Regulation, like the GDPR, is designed to be a regulation instead of a directive, meaning it would be directly applicable in all EU member states without needing transposition into national law.

In short, PECR regulations are the UK’s implementation of the EU’s ePrivacy Directive, and the ePrivacy Regulation is intended to replace this directive.

💡 The ePrivacy Regulation will not automatically form part of UK law – or sit alongside the UK GDPR – as the UK has left the EU.

What areas are covered?

PECR regulations cover the following 5 areas related to electronic communications:

  1. Cookies and similar technologies – It requires websites to obtain informed consent from users before placing cookies or similar technologies on their devices.
  2. Marketing communications – It sets out specific rules for sending electronic marketing communications, including telemarketing calls, faxes, emails, and text messages.
  3. Location data – It regulates the use of location data, including GPS and Wi-Fi positioning data, collected through electronic communications services.
  4. Traffic and device data – It requires that traffic and device data collected in the course of providing electronic communications services is processed in accordance with data protection principles.
  5. Privacy of communications – It provides specific protections for the privacy of electronic communications, such as email and instant messaging, by requiring that such communications are intercepted only in accordance with the law.

🔎 For further information on this, see the ICO website →

Do the Privacy and Electronic Communications Regulations apply to me?

PECR applies to businesses, organizations, and individuals that process personal data in the context of electronic communications services, including but not limited to:

  • Websites and online services that use cookies or similar technologies.
  • Marketing companies that send electronic marketing communications, such as telemarketing calls, faxes, emails, and text messages.
  • Companies that offer location-based services, such as GPS and Wi-Fi positioning services.
  • Providers of electronic communications services, such as internet service providers and mobile network operators.
  • Businesses that use electronic communication systems, such as email and instant messaging, to process personal data.

👉 If you operate in any of these areas, or process personal data in the context of electronic communications services, it is likely that the PECR applies to you.

Are you a non-UK company that operates in the UK? Or offer electronic communications services to individuals in the UK? If you answered YES to either of these questions — You must comply with PECR in relation to the processing of personal data in the context of those services. Similarly, if a UK-based company offers electronic communications services to individuals outside the UK, you must still comply with the PECR regulations even if your target users are located outside the UK.


Consequences of non-compliance

The ICO has a range of enforcement powers to ensure that businesses and organizations comply with PECR, including:

  1. Monetary penalties: The ICO can impose monetary penalties of up to £500,000 for serious breaches, such as sending unsolicited direct marketing communications or failing to obtain consent for the use of cookies.
  2. Enforcement notices: The ICO can issue enforcement notices requiring businesses and organizations to take specific actions to comply, such as obtaining consent for the use of cookies or ceasing to send unsolicited direct marketing communications.
  3. Prosecution: In severe cases, the ICO can bring criminal proceedings against businesses and organizations for breaches, such as sending unsolicited direct marketing communications.
  4. Audits and investigations: The ICO can carry out audits and investigations to assess your compliance, and can use this information to take enforcement action where necessary.

The ICO takes a risk-based approach to enforcement, and will generally focus its efforts on the areas of highest risk to privacy and where there is evidence of significant harm to individuals.

👉 ICO published a quarterly update on the action they have taken to enforce PECR.

How to comply with PECR?

What you need How to do it
Obtain valid consent (with a cookie banner!) 👉 Get set up with a fully customizable banner 
Have a clear privacy and cookie policy about your data processing practices 👉 Generate your privacy and cookie policy
Respect individuals’ rights to opt-out of direct marketing 👉 See our step-by-step breakdown

*Please note: Organizations must also appoint a Data Protection Officer and implement appropriate technical and organizational measures to secure personal data processed for electronic communications. They may also need to carry out regular privacy impact assessments (PIAs) and keep detailed records of their data processing activities.