13 May 2026 · Last reviewed 23 February 2026
PECR and Data Protection: Where Electronic Communications Rules Meet UK GDPR
PECR and UK GDPR are often mentioned in the same breath — "GDPR/PECR compliance" — as though they are a single framework. They are not. They are two separate pieces of legislation, drafted at different times, covering different aspects of privacy, enforced through different powers, with different penalty structures.
But they interact. Constantly. Every time you send a marketing email, collect a phone number for sales calls, or set a cookie on someone's device, both laws apply simultaneously. Understanding where they overlap and where they diverge is not an academic exercise — it determines whether your compliance programme actually covers what it needs to.
What each law does
PECR — the Privacy and Electronic Communications Regulations 2003 — regulates specific electronic communications activities:
- Marketing emails, SMS, and automated calls (Regulation 22)
- Live marketing calls (Regulation 21)
- Cookies and similar technologies (Regulation 6)
- Telephone directory listings (Regulations 8-12)
- Traffic and location data (Regulations 6-7)
- Security of public electronic communications services (Regulation 5)
UK GDPR — applied via the Data Protection Act 2018 — regulates the processing of personal data:
- Lawful basis for processing
- Data subject rights (access, erasure, portability, etc.)
- Records of processing activities
- Data protection impact assessments
- International data transfers
- Data breach notification
PECR is about specific activities (sending a message, setting a cookie). GDPR is about personal data (holding it, using it, sharing it, deleting it). Both apply when those activities involve personal data — which, for email marketing, they always do.
Where they overlap for email marketing
Every marketing email involves both laws:
| Requirement | UK GDPR | PECR |
|---|---|---|
| Basis for holding the email address | Lawful basis required (usually consent or legitimate interest) | Not directly addressed |
| Basis for sending the marketing email | Consent or legitimate interest may apply | Consent or soft opt-in required (Regulation 22) |
| Records of what happened | Article 30 records of processing activities | Evidence of consent per individual |
| Individual's right to stop | Right to object (Article 21) | Opt-out must be honoured (Regulation 22) |
| Transparency | Privacy notice must describe the processing | Consent wording must describe the marketing |
| Breach notification | Report to ICO within 72 hours if personal data breach | Report security breaches for public electronic communications services |
The practical consequence: compliance with one does not guarantee compliance with the other. A business with a perfect GDPR processing record but no PECR consent evidence can still be fined. A business with documented PECR consent but no GDPR lawful basis assessment is also exposed. The GDPR vs PECR comparison covers the detailed differences.
The consent management gap
Here is the specific problem most businesses face: they have some consent evidence spread across multiple systems, and none of it is comprehensive enough for either law.
GDPR evidence lives in your privacy notices and processing records. Your Article 30 records document what data you hold, why, and on what basis. Your privacy notice tells individuals how their data is used.
PECR evidence should live with each individual contact. For each subscriber: when they consented to marketing, what wording they saw, how they opted in, and what categories they agreed to. This is the evidence the ICO asks for in investigations.
Cookie consent evidence lives in your CMP. Cookie banner interactions, consent timestamps, preference selections. This covers PECR Regulation 6 only.
Three separate evidence requirements, often managed in three separate (or no) systems. The gap between them is the exposure.
How the ICO enforces both simultaneously
When the ICO investigates an email marketing complaint, they assess compliance with both PECR and UK GDPR:
PECR assessment: Did the sender have consent or valid soft opt-in for the marketing communication? Can they demonstrate it with records? Were opt-out requests honoured?
GDPR assessment: Does the sender have a lawful basis for processing the personal data? Are processing records adequate? Was a privacy notice provided?
The penalty powers differ:
- PECR fines can now reach £17.5M or 4% of turnover (increased from £500,000 by the Data (Use and Access) Act 2025)
- GDPR fines can reach £17.5M or 4% of global turnover
In practice, the ICO has primarily used PECR enforcement powers for email marketing cases, because PECR provides the specific rules about electronic marketing. But GDPR breaches identified during the same investigation can result in separate enforcement action.
The ICO PECR fines analysis shows that since March 2022, the ICO has issued 49 PECR monetary penalties totalling £4.63 million for direct marketing breaches.
What compliance looks like for both laws
To satisfy both PECR and UK GDPR for email marketing, you need:
1. A documented lawful basis under GDPR. For each category of contacts (customers, prospects, newsletter subscribers, etc.), record your lawful basis for holding their personal data for marketing purposes. If consent: document it. If legitimate interest: complete and file the three-part assessment.
2. PECR consent or soft opt-in for each subscriber. Separately from your GDPR basis, confirm and document either (a) PECR consent meeting the specificity requirements, or (b) valid soft opt-in with all four conditions evidenced.
3. A privacy notice covering the processing. Your notice must describe the marketing activity, identify the lawful basis, and explain the individual's rights — including the right to opt out.
4. Per-contact consent records. For each subscriber: the consent wording they saw, when, how, and what they agreed to. Linked to the wording version that was live at the time.
5. Processing records under Article 30. Your record of processing activities must include the marketing processing, the categories of data, the purposes, and the retention periods. The consent records retention guide covers how long to keep consent evidence.
6. Functioning opt-out and data subject rights processes. An unsubscribe link in every marketing email (PECR), plus processes for handling subject access, erasure, and data portability requests within one month (GDPR).
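Steps 2, 4 and 6 above describe a per-contact evidence record and a decision that depends on it: was there PECR consent or a complete soft opt-in for this category, citing the wording that was live at the time, and has the contact opted out since? The following is an added example, not code from this page or from any product it mentions, showing one way to structure such a consent ledger. The class and field names, the sample wording and the contact ids are constructed for the demo; the four soft opt-in condition labels are this example's names for the conditions in Regulation 22(3) as ICO guidance describes them.

```python
# Added example (not the page's or any product's code): a minimal per-contact consent
# ledger for email marketing. It stores the evidence the page lists (wording seen, when,
# how, what was agreed) and answers "could we send this contact this category now?".
# All names, sample wording and contact ids below are constructed for the demo.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
import hashlib

# The four soft opt-in conditions (PECR Regulation 22(3)); all must be evidenced.
SOFT_OPT_IN_CONDITIONS = (
    "details_obtained_during_sale",       # details collected in the course of a sale or negotiation
    "own_similar_products",               # marketing the sender's own similar products or services
    "refusal_offered_at_collection",      # chance to refuse given when details were collected
    "refusal_offered_in_every_message",   # simple opt-out in every subsequent message
)

@dataclass(frozen=True)
class WordingVersion:
    version_id: str
    text: str            # exact consent wording shown on the form
    live_from: datetime  # when this wording went live

    def fingerprint(self) -> str:
        # hash of the exact text, so a later edit to the wording cannot quietly rewrite history
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()[:16]

@dataclass(frozen=True)
class ConsentEvent:
    contact_id: str
    at: datetime
    method: str               # how they opted in, e.g. "web_form", "checkout"
    wording_version: str      # must be a WordingVersion that was live at `at`
    categories: frozenset     # marketing categories agreed to, e.g. {"newsletter"}
    basis: str                # "consent" or "soft_opt_in"
    soft_opt_in_evidence: frozenset = frozenset()  # conditions evidenced (soft opt-in only)

@dataclass(frozen=True)
class OptOut:
    contact_id: str
    at: datetime
    categories: frozenset | None = None  # None means opted out of all marketing

class ConsentLedger:
    def __init__(self) -> None:
        self.wordings: dict[str, WordingVersion] = {}
        self.consents: list[ConsentEvent] = []
        self.opt_outs: list[OptOut] = []

    def register_wording(self, w: WordingVersion) -> None:
        self.wordings[w.version_id] = w

    def record_consent(self, e: ConsentEvent) -> None:
        w = self.wordings.get(e.wording_version)
        if w is None or w.live_from > e.at:
            raise ValueError("consent must cite a wording version that was live at the time")
        if e.basis == "soft_opt_in":
            missing = set(SOFT_OPT_IN_CONDITIONS) - set(e.soft_opt_in_evidence)
            if missing:
                raise ValueError(f"soft opt-in incomplete, missing: {sorted(missing)}")
        elif e.basis != "consent":
            raise ValueError("basis must be 'consent' or 'soft_opt_in'")
        self.consents.append(e)

    def record_opt_out(self, o: OptOut) -> None:
        self.opt_outs.append(o)

    def may_send(self, contact_id: str, category: str, at: datetime) -> tuple[bool, str]:
        """Whether a marketing email in `category` could go to this contact at `at`, and why."""
        latest = None  # most recent consent covering this category at or before `at`
        for e in self.consents:
            if e.contact_id == contact_id and e.at <= at and category in e.categories:
                if latest is None or e.at > latest.at:
                    latest = e
        if latest is None:
            return False, "no PECR consent or soft opt-in on record for this category"
        for o in self.opt_outs:  # an opt-out after the latest consent overrides it
            if o.contact_id == contact_id and latest.at < o.at <= at:
                if o.categories is None or category in o.categories:
                    return False, f"opted out on {o.at.date().isoformat()}"
        return True, f"{latest.basis} via {latest.method} on {latest.at.date().isoformat()}, wording {latest.wording_version}"

    def evidence(self, contact_id: str) -> list[dict]:
        """Per consent: the wording seen, when, how, and what was agreed."""
        out = []
        for e in self.consents:
            if e.contact_id != contact_id:
                continue
            w = self.wordings[e.wording_version]
            out.append({"when": e.at.isoformat(), "how": e.method, "basis": e.basis,
                        "categories": sorted(e.categories), "wording_version": w.version_id,
                        "wording_text": w.text, "wording_fingerprint": w.fingerprint()})
        return out

def demo() -> ConsentLedger:
    """Constructed sample data: one explicit consent, one soft opt-in, one partial opt-out."""
    ledger = ConsentLedger()
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    ledger.register_wording(WordingVersion("v1", "Yes, email me the monthly newsletter and product offers.", t0))
    ledger.record_consent(ConsentEvent("c-001", t0 + timedelta(days=5), "web_form", "v1",
                                       frozenset({"newsletter", "offers"}), "consent"))
    ledger.record_consent(ConsentEvent("c-002", t0 + timedelta(days=6), "checkout", "v1",
                                       frozenset({"offers"}), "soft_opt_in", frozenset(SOFT_OPT_IN_CONDITIONS)))
    ledger.record_opt_out(OptOut("c-001", t0 + timedelta(days=20), frozenset({"offers"})))
    return ledger

if __name__ == "__main__":
    ledger, now = demo(), datetime(2026, 2, 15, tzinfo=timezone.utc)
    for cid, cat in [("c-001", "newsletter"), ("c-001", "offers"), ("c-002", "offers"), ("c-003", "offers")]:
        print(cid, cat, ledger.may_send(cid, cat, now))
```

The design choice worth noting is that each consent cites a wording version rather than copying the text: the ledger refuses a consent that cites a version not yet live, and the fingerprint lets you show that the stored text is the one that was on the form, which is what the per-contact record in step 4 is meant to prove. A soft opt-in missing any of its four conditions is rejected at record time rather than discovered during an investigation.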
Practical first steps
Run the PECR compliance checker. It covers the PECR-specific requirements across consent, soft opt-in, and third-party data.
Review your privacy notice. Does it accurately describe your email marketing activity, the lawful basis, and the individual's right to opt out?
Check your consent wording. Use the Consent Wording Checker to evaluate whether your signup forms meet both GDPR and PECR specificity requirements.
Complete the PECR compliance checklist. It covers all 15 evidence requirements that the ICO expects.
Document your GDPR lawful basis. For each contact category, record whether you rely on consent or legitimate interest, and file the supporting evidence.
Two laws. One email programme. Both enforced by the same regulator. The businesses that separate PECR compliance from GDPR compliance in their planning — and address each systematically — are the ones that pass an investigation without a penalty notice.