8 June 2026 · Last reviewed 8 June 2026

Data (Use and Access) Act 2025: What Changed for PECR Email Marketing

On 5 February 2026, the biggest changes to UK email marketing law in over two decades came into force. The Data (Use and Access) Act 2025 — brought into effect by Commencement Order No. 6 — rewrote parts of PECR that had been largely unchanged since 2003.

If you send marketing emails, texts, or calls in the UK, several of these changes affect you directly. Here's what actually changed, what didn't, and what you need to do about it.

1. Maximum PECR fines: from £500,000 to £17.5 million

The old maximum fine for a PECR breach was £500,000. That cap dated from 2011, when the ICO was first given the power to issue monetary penalties for PECR breaches, and it had not been raised since.

The DUAA increased it to £17.5 million or 4% of global annual turnover, whichever is higher. This brings PECR penalties in line with UK GDPR fines.

What this means in practice:

Under the old cap, some larger companies treated PECR fines as a cost of doing business. A £140,000 penalty against a company that sent 79 million marketing emails (as happened in the HelloFresh case) works out to fractions of a penny per message. Under the new limits, the same breach could attract a penalty orders of magnitude larger.

Note how the two limbs interact. Because the cap is whichever is higher, the 4% figure only exceeds £17.5 million once global turnover passes roughly £437.5 million; for every smaller organisation, SMEs included, the statutory ceiling is the flat £17.5 million. That does not mean a £2 million business should expect a £17.5 million penalty: the ICO's fining guidance sets the starting point by reference to the organisation's turnover and the seriousness of the breach, so penalties are calibrated to the size of the business. What has gone is the old certainty that exposure topped out at £500,000.

The ICO has confirmed that the new enforcement powers apply to conduct occurring after 5 February 2026. Breaches that occurred before that date are subject to the old £500,000 cap.

What to do: If you've been putting off a consent audit because the penalties seemed manageable, recalculate. Use the PECR fine calculator to see what your exposure looks like under the new limits. Then work through the PECR compliance checklist to close gaps before they become expensive.

2. Charity soft opt-in: a new exemption

The DUAA inserted a new soft opt-in rule specifically for charities. Previously, the soft opt-in exception only applied when someone's email was collected during a sale or negotiation of a sale — which excluded most charity supporter relationships.

Now, a charity can send marketing emails to supporters without explicit consent if all of these conditions are met:

  1. The sole purpose is to further the charity's charitable purposes — fundraising communications can qualify, but they must relate to the charity's stated mission
  2. The charity obtained the contact details when the person expressed an interest in, or offered support for, the charity's charitable purposes — this covers donors, volunteers, event participants, and people who contacted the charity about its work
  3. The recipient is given a simple, free way to opt out — both at the point of collection and in every subsequent message

This is narrower than it might sound. It does not apply to:

  • Contacts acquired from third parties (even other charities)
  • Marketing for non-charitable commercial activities (e.g., charity shop promotions unrelated to the charitable purpose)
  • Contacts who simply signed up for general newsletters without expressing interest in the charity's purposes

What to do (charities): Review your contact list segmentation. Contacts who expressed interest in your charitable purposes or offered support can now be emailed under soft opt-in — provided you offer a clear opt-out at collection and in every message. Contacts acquired through other means still need explicit consent. Document the basis for each segment.

3. Direct marketing named as a possible legitimate interest

Section 70 of the DUAA amends Article 6 of the UK GDPR so that it expressly lists direct marketing as an example of processing that may be necessary for the purposes of legitimate interests under Article 6(1)(f).

This was already the practical reality: recital 47 of the GDPR said as much, and most businesses relied on legitimate interests for marketing under UK GDPR. Putting it in the Article itself reduces ambiguity. Note what it is not: direct marketing is not one of the new "recognised legitimate interests" in Annex 1 (new Article 6(1)(ea)), which are exempt from the balancing test. Marketing stays under Article 6(1)(f), balancing test included.

What this means:

You still need to conduct a Legitimate Interest Assessment (LIA) before relying on this basis. The change doesn't make legitimate interest automatic — it confirms that marketing is a recognised legitimate interest, not that it always overrides the individual's rights. You must still demonstrate the balancing test.

This is particularly relevant for B2B email marketing to corporate subscribers, where PECR consent isn't required and legitimate interest is the primary UK GDPR lawful basis.

What to do: If you haven't documented your Legitimate Interest Assessment for direct marketing activities, do it now. The statutory recognition strengthens your position, but only if you've done the work. Keep the LIA on file as evidence.

4. Attempted communications now count

The DUAA expanded the definitions of "call" and "communication" in PECR to cover attempted communications — not just successful ones.

Under the old wording, there was ambiguity about whether an unsolicited marketing email that bounced, or a call that didn't connect, was covered by PECR. The new definitions close that gap: PECR now applies regardless of whether the communication was received.

Why this matters:

When the ICO calculates the scale of a breach, they count the number of communications. If you sent 50,000 marketing emails without valid consent and 10,000 bounced, the ICO can now count all 50,000 — not just the 40,000 that were delivered. The same applies to automated calls that didn't connect.

For organisations with large marketing lists, this change could significantly increase the scale (and therefore the potential penalty) of any enforcement action.

What to do: Clean your lists. Bounced emails and invalid numbers aren't just wasted send costs: if the underlying sends lacked a valid basis, every attempt now counts toward the breach if the ICO investigates. Run regular hygiene checks on your marketing lists.

5. What didn't change — and one thing that did

B2B marketing rules stayed the same. The government considered extending PECR's electronic mail restrictions to cover B2B marketing to corporate subscribers. They decided against it, citing concerns about economic impact. So the corporate subscriber exemption remains: you can send marketing emails to limited companies and LLPs without PECR consent (though UK GDPR still applies).

The cookie rules did change — a common misconception worth correcting. This post is about email marketing, so we don't cover cookies in depth — but you may have read that the DUAA left cookies untouched. It didn't. Section 112 and Schedule 12 substituted PECR Regulation 6 and inserted a new Schedule A1 setting out additional categories of cookie that no longer require consent. From 5 February 2026 (the same date as the fine increase), three new exceptions apply: cookies used solely for statistical/analytics purposes by the website operator, cookies used to adapt the appearance or functionality of a service to the user's preferences, and cookies used to enable emergency assistance. These join the existing "strictly necessary" and "communication" exceptions.

These new exceptions are narrow and conditional. The analytics exception only applies where the data is used solely by the operator to improve the service — analytics that also feed advertising or profiling do not qualify and still need consent. For the statistical and appearance/functionality exceptions you must still give users clear and comprehensive information about the storage or access and a simple, free way to object. The Secretary of State can add, vary, or remove exceptions in future via regulations under new PECR Regulation 6A. (Cookie compliance is a separate topic from email marketing consent, which is the focus of the rest of this guide.)

6. Enhanced ICO enforcement powers

Beyond the fine increase, the DUAA expanded the ICO's investigative toolkit for PECR breaches:

  • Power to compel witnesses to attend interviews
  • Power to request technical reports about an organisation's data processing
  • Alignment with UK GDPR enforcement mechanisms, giving the ICO a consistent set of tools across both PECR and UK GDPR investigations

The ICO has signalled that cookie compliance and direct marketing will be renewed enforcement priorities under these expanded powers.

Timeline: when each change takes effect

  • 20 August 2025: PECR breach notification aligned to 72 hours (matching UK GDPR)
  • 5 February 2026: main PECR amendments (fine increase, charity soft opt-in, expanded definitions, enhanced enforcement)
  • 5 February 2026: cookie reform, new Schedule A1 consent exceptions (analytics, appearance, emergency) via s.112/Sch 12
  • 19 June 2026: requirement for organisations to have a complaints procedure (still to come at the time of writing)

Practical takeaway

The DUAA doesn't require a fundamental overhaul of your marketing compliance if you were already doing things properly. The core PECR rules — get consent for marketing emails to individuals, meet all four soft opt-in conditions if you're using that exemption, don't use third-party data without verifiable consent — haven't changed.

What has changed is the cost of getting it wrong. A 35-fold increase in the maximum fine, plus expanded enforcement powers and broader definitions, means the ICO has significantly more leverage. The "cost of doing business" calculation that some organisations applied to PECR penalties no longer works.

Three things to do now:

  1. Audit your consent records. Can you demonstrate, for each contact, that you had valid PECR consent (or a legitimate exemption) at the time you sent each marketing communication? If not, start with our PECR compliance checklist.

  2. Document your legitimate interest assessment. If you rely on legitimate interest as your UK GDPR lawful basis for marketing (especially B2B), write up and file your LIA. The statutory recognition in the DUAA strengthens your position, but only if the assessment exists.

  3. Clean your lists. With attempted communications now counting toward breach scale, dead addresses and bounced emails are no longer just a deliverability problem — they're a compliance risk.
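As an added illustration of the audit in step 1 (and the bounce point in step 3), here is a small point-in-time consent check written for this post. It is not ConsentTrail code and not from the ICO or any regulator. It assumes two constructed inputs: a consent ledger of grant/withdraw events with the recorded PECR basis, and a send log in which every send, delivered or bounced, is recorded with its timestamp. The check that matters is that a basis was in force at the instant of each send: a grant recorded afterwards, or a withdrawal recorded before, does not cover it, and bounced sends are still counted.

```python
"""Point-in-time PECR consent audit over a marketing send log.

Added example for this post; not ConsentTrail code and not from any regulator.
The record shapes below are constructed for illustration: real systems will
have their own schemas, but the check is the same, namely that a lawful basis
was in force at the instant each message was attempted.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    at: datetime
    kind: str    # "granted" or "withdrawn"
    basis: str   # e.g. "consent", "soft_opt_in", "charity_soft_opt_in"


@dataclass(frozen=True)
class Send:
    email: str
    sent_at: datetime
    status: str  # "delivered" or "bounced"; both are attempted communications


def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def basis_at(events, email, at):
    """Return the basis in force for `email` at instant `at`, or None.

    The controlling record is the most recent event at or before `at`.
    A grant recorded after the send does not cover it retroactively, and a
    withdrawal recorded before the send removes cover from that point on.
    """
    prior = sorted((e for e in events if e.email == email and e.at <= at),
                   key=lambda e: e.at)
    if not prior:
        return None
    latest = prior[-1]
    return latest.basis if latest.kind == "granted" else None


def audit(events, sends):
    """Classify every attempted send and summarise the exposure.

    Bounced sends are deliberately not filtered out: since 5 February 2026
    PECR covers attempted communications, so they count toward scale.
    """
    findings = [(s, basis_at(events, s.email, s.sent_at)) for s in sends]
    unsupported = [s for s, basis in findings if basis is None]
    return {
        "attempted": len(sends),
        "delivered": sum(1 for s in sends if s.status == "delivered"),
        "bounced": sum(1 for s in sends if s.status == "bounced"),
        "unsupported": len(unsupported),
        "unsupported_bounced": sum(1 for s in unsupported if s.status == "bounced"),
        "unsupported_emails": sorted({s.email for s in unsupported}),
    }


# Constructed sample data, chosen to exercise the edge cases.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", ts("2026-01-10T09:00:00"), "granted", "consent"),
    ConsentEvent("bob@example.com", ts("2026-01-12T10:00:00"), "granted", "soft_opt_in"),
    ConsentEvent("bob@example.com", ts("2026-02-20T08:00:00"), "withdrawn", "soft_opt_in"),
    # Carol's consent is recorded only after the send below.
    ConsentEvent("carol@example.com", ts("2026-03-05T12:00:00"), "granted", "consent"),
]
SAMPLE_SENDS = [
    Send("alice@example.com", ts("2026-03-01T07:00:00"), "delivered"),  # covered
    Send("bob@example.com", ts("2026-02-15T07:00:00"), "delivered"),    # before withdrawal: covered
    Send("bob@example.com", ts("2026-03-01T07:00:00"), "delivered"),    # after withdrawal: unsupported
    Send("carol@example.com", ts("2026-03-01T07:00:00"), "bounced"),    # no basis yet; bounce still counts
    Send("dave@example.com", ts("2026-03-01T07:00:00"), "bounced"),     # never on the ledger
]

if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS, SAMPLE_SENDS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The ledger is append-only by design: a withdrawal is an event, not a deletion. If you delete a contact's record when they opt out, you also destroy the evidence that the sends before the opt-out were lawful, which is exactly the evidence step 1 asks for.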

ConsentTrail is being built to automate exactly this kind of ongoing consent documentation. If you want to be notified when it launches, join the waitlist.

The commencement dates and provisions referenced in this post are drawn from the Data (Use and Access) Act 2025, the ICO's DUAA summary, and Commencement Order No. 6.