4 February 2026 · Last reviewed 23 February 2026
Every ICO PECR Fine in 2024-2025: Amounts, Causes, and Patterns
The ICO publishes every enforcement action it takes on its action we've taken page. We went through the lot — every PECR monetary penalty notice since March 2022 — and pulled out the numbers, the causes, and the patterns that keep repeating.
Here is what the data actually says.
The headline numbers
Since March 2022, the ICO has issued 49 PECR-related fines totalling £4.63 million. That puts the average fine at roughly £95,000.
But averages hide a lot. At the low end, some penalties came in under £10,000. At the top end, a handful of organisations were hit with six-figure fines that dragged the average up. And the trend line matters more than the average: fines have been getting larger and more frequent.
The ICO is clearly signalling that nuisance marketing is a priority enforcement area — and with the Data (Use and Access) Act 2025 having increased the maximum penalty from £500,000 to £17.5 million (effective 5 February 2026), the stakes have changed fundamentally.
Notable fines: the cases worth studying
These are some of the larger and more instructive penalties from the period. Each one illustrates a different way consent practices can fail.
| Organisation | Fine | What happened |
|---|---|---|
| HelloFresh | £140,000 | Sent over 79 million marketing emails and 1.1 million SMS messages (80.9 million total) between August 2021 and February 2022 without valid consent. Penalty notice issued January 2024. |
| Poxell Ltd / Skean Homes | £250,000 | Made approximately 3.26 million unsolicited marketing calls to TPS-registered numbers. Poxell fined £150,000 (August 2023), Skean Homes £100,000. |
| ZMLUK | £105,000 | Sent 67.7 million marketing emails using third-party data. The consent trail back to the data subjects was broken — ZMLUK could not show that the people on those lists had actually agreed to receive their emails. |
A few things stand out from this table. The volumes are staggering — tens of millions of messages in each case. But the root cause is almost always the same: the organisation could not prove that consent existed at the point the message was sent.
What went wrong, repeatedly
Reading through the ICO's penalty notices, the same failures appear over and over:
1. No record of when or how consent was obtained
This is the single most common problem. Organisations had email lists or phone lists, but when the ICO asked "show us the consent," there was nothing to show. No timestamps. No record of what the person was told. No copy of the form or page where consent was collected.
Without that audit trail, it does not matter whether consent was actually given. If you cannot prove it, the ICO treats it as if it does not exist.
2. Reliance on third-party data without checking the consent chain
The ZMLUK case is the clearest example. They bought or acquired email lists from a third party and used them for direct marketing. But PECR requires that consent is specific — a person must consent to receive marketing from your organisation, or at least from organisations "similar to" the one they originally engaged with, and the consent language must be clear about this.
Buying a list and blasting it is not consent. It has never been consent. The ICO keeps fining organisations for this, and organisations keep doing it.
3. Ignoring TPS and opt-out requests
The Telephone Preference Service exists specifically so people can opt out of unsolicited sales calls. Regulation 21 of PECR is clear: you must screen against the TPS register before making live marketing calls, unless the person has specifically told your organisation they are fine with calls.
The Poxell/Skean Homes case involved making over 3.2 million calls to TPS-registered numbers. This is one of the more avoidable PECR breaches — TPS screening is a straightforward check.
4. Treating soft opt-in as a blanket permission
PECR regulation 22 allows email marketing to existing customers without fresh consent, but only under strict conditions: the contact details must have been collected during a sale or negotiation, the marketing must be for similar products or services, and every message must include an easy opt-out. Several fined organisations had stretched this soft opt-in exemption well past breaking point. If you rely on soft opt-in, read our guide to the four conditions you must meet and check whether your documentation holds up.
Fine limits have changed
For over two decades, the maximum fine the ICO could issue for a PECR breach was £500,000. That cap dated back to 2003.
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, increased the maximum to £17.5 million or 4% of global annual turnover, whichever is higher. This brings PECR penalties into line with UK GDPR fines and is a 35-fold increase in the cap.
Under the old £500K cap, some organisations were treating fines as a cost of doing business. A £140,000 penalty against a company that sent 79 million emails works out to fractions of a penny per message. Under the new regime, the same breach could result in a fine orders of magnitude larger.
For SMEs, this matters. The new maximum is set as a percentage of turnover, not a flat cap. A fine calibrated to 4% of a small company's revenue is proportionally painful in a way that £500,000 never was for a large enterprise.
The pattern behind every fine
Strip away the specifics and nearly every PECR fine comes down to one question: could the organisation demonstrate, with records, that each person they contacted had given valid, specific, informed consent?
In almost every case, the answer was no.
This is not about having a privacy policy on your website. It is not about having a checkbox on a form. It is about being able to produce, months or years later, evidence that a specific individual agreed to receive a specific type of marketing from your specific organisation, at a recorded point in time.
That is what a consent audit trail means in practice. For a detailed breakdown of how PECR consent requirements differ from GDPR, see our guide on PECR vs GDPR marketing consent.
What to do with this information
If you are running marketing campaigns — email, SMS, or phone — and you cannot currently pull up a record showing when each contact on your list consented and what they consented to, you have the same gap that triggered every fine on this list.
The practical steps are not complicated:
- Audit your existing lists. Can you trace each contact back to a specific consent event? If not, that segment of your list is a liability. Our PECR compliance checker flags the most common gaps in about five minutes.
- Record consent at the point of collection. Timestamp, source, wording shown, method of consent. Store it somewhere you can retrieve it.
- Screen phone lists against TPS. Every time. Before every campaign.
- Review any third-party data. If you bought a list, can the supplier show you the consent chain? If they cannot, do not use it.
- Calculate your exposure. Use our PECR fine calculator to estimate what a penalty might look like for your organisation under the new limits.
None of this requires expensive tooling or legal teams. It requires a system — even a basic one — for recording and retrieving consent records. The organisations that got fined did not have that system. The ones that avoid fines do. For a step-by-step audit, see our PECR compliance checklist for 2026.
Data sourced from ICO enforcement actions published at ico.org.uk/action-weve-taken. Individual fine amounts and dates should be verified against the original monetary penalty notices, as the ICO updates its records periodically.