PECR sets the UK rules for electronic marketing, cookies, and communications privacy. It works alongside the UK GDPR and is especially relevant for organisations sending marketing emails, using website tracking technologies, or relying on consent.
The Privacy and Electronic Communications Regulations (PECR) is the UK law that regulates electronic marketing, cookies, and communications privacy. It works alongside the UK GDPR and sets specific rules for sending marketing emails and texts and for using tracking technologies on websites. Organisations must follow PECR when contacting individuals for marketing purposes or when storing information on users’ devices.
Main focus: Electronic marketing, cookies, and communications privacy
Works with: UK GDPR and rules on consent and transparency
Usually relevant when: Sending marketing emails or using cookies and online tracking
The Privacy and Electronic Communications Regulations (PECR) sits alongside the UK GDPR, but it regulates more specific types of electronic activity. In practice, PECR is most relevant when organisations send marketing by email or text, place cookies or similar technologies on a user’s device, or carry out certain kinds of communications activity. PECR often answers whether a type of marketing or tracking activity is allowed, while the UK GDPR governs how any related personal data must be processed lawfully and transparently.
PECR sets rules for marketing by email, text, and some phone calls. This is one of the areas where questions about consent arise most often.
PECR also regulates cookies and similar technologies used to store or access information on a user’s device, especially for analytics, advertising, and online tracking.
The rules also protect the privacy of communications and create obligations in certain telecoms-related situations, even though these parts are less central for many businesses.
For most organisations, the practical focus is usually marketing activity, website cookies, and the point where PECR and the UK GDPR must be considered together.
In practice, PECR applies whenever organisations use electronic communications or technologies that interact directly with a user’s device. The rules most commonly arise in four situations that many organisations encounter during normal marketing or website activity.
PECR applies when organisations send marketing by email or text message. These rules often depend on whether valid consent has been obtained, although limited exceptions exist for existing customers.
PECR regulates the use of cookies and similar technologies that store or access information on a user’s device. In many cases, organisations must obtain consent before placing these technologies.
Many websites use analytics platforms, advertising trackers, or behavioural tools. These technologies may trigger PECR rules because they access information on a user’s device.
Certain telephone marketing practices and communications services are also regulated by PECR, particularly where individuals are contacted directly for marketing purposes.
One of the most common points of confusion is whether organisations need to think about PECR, the UK GDPR, or both. In reality, many activities trigger both sets of rules at the same time. PECR often deals with whether a communication or tracking activity is allowed in the first place, while the UK GDPR governs how any related personal data must be handled.
PECR is usually the starting point when asking whether an organisation can send a marketing email, place a cookie, or use a tracking technology. It focuses on communications privacy and the rules around certain electronic marketing and device-based technologies.
Where personal data is involved, the UK GDPR still applies. That means organisations also need to think about lawful basis, transparency, fairness, and the wider data protection principles. In other words, complying with PECR alone is not enough if personal data is being used.
A useful way to approach this is to treat PECR as the rulebook for certain marketing and tracking activities, and the UK GDPR as the framework for the personal data behind them. If you are sending electronic marketing or using cookies and similar technologies, you will often need to assess both together rather than treating them as separate issues.
Consent is one of the most important concepts under PECR, but it is also one of the most misunderstood. In many situations, organisations cannot send electronic marketing or place certain cookies unless they have obtained valid consent. That consent must also meet the standard expected under the UK GDPR.
PECR often requires consent before organisations send marketing by email or SMS to individuals, and before they use cookies or similar technologies that are not strictly necessary. This is why cookie banners and email sign-up processes need careful attention.
There are limited circumstances where consent may not be needed in the same way, such as some existing customer marketing scenarios. But those exceptions are narrower than many organisations assume, and they should not be treated as a general workaround.
Many PECR problems do not come from deliberate misuse. They usually happen because organisations assume general data protection awareness is enough, or because they misunderstand how consent, electronic marketing, and cookies work in practice.
Organisations often rely on unclear wording, bundled permissions, or weak opt-in language. Under PECR, consent usually needs to be clear and properly obtained.
Many websites load analytics, advertising, or tracking tools too early. If those technologies are not strictly necessary, this can create PECR risk.
The two frameworks overlap, but they do different jobs. A business can think about lawful basis under the UK GDPR and still miss the separate PECR rules.
Some organisations assume existing customer marketing or operational communications always fall outside PECR. In reality, the exceptions are narrower and need careful checking.
These issues often seem small in isolation, but they can affect large volumes of messages, website visits, or tracking activity. That is why PECR compliance is usually about operational discipline as much as legal interpretation.
This article is based on ICO guidance on PECR, direct marketing, cookies and similar technologies, together with relevant UK GDPR provisions that shape how consent, transparency, and lawful processing work in practice. For recent regulatory developments affecting PECR enforcement and compliance expectations, see our updates on "PECR and direct marketing compliance under increased scrutiny" and "Data (Use and Access) Act commencement confirmed by the ICO".
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing marketing and cookie compliance.