Get a quote

Guide to PECR (Privacy and Electronic Communications Regulations)

20 November 2025

Knowledge

GDPR

Article contents

What are the PECR? What do the PECR cover? How do the PECR relate to the UK GDPR? What are the penalties for not complying with the PECR? How IT Governance can help you comply

Article contents

What are the PECR? What do the PECR cover? How do the PECR relate to the UK GDPR? What are the penalties for not complying with the PECR? How IT Governance can help you comply

What are the PECR?

The PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) are a UK law that implements the EU’s ePrivacy Directive (Directive 2002/58/EC) and set out privacy rights relating to electronic communications.

The PECR are affected by the GDPR (General Data Protection Regulation)’s rules on consent, so organisations need to ensure they comply with both laws if they send electronic marketing messages, use cookies or provide electronic communications services to the public.

Since Brexit, there are two versions of the GDPR that UK organisations might need to comply with:

  • The UK GDPR, which, with the DPA (Data Protection Act) 2018, applies to the processing of UK residents’ personal data; and
  • The EU GDPR, which continues to apply to the processing of EU residents’ personal data.

The PECR have been amended six times – in 2004, 2011, 2015, 2016 and twice in 2018. The latest amendment came into effect on 17 December 2018, introducing director liability for non-compliance caused by director connivance or negligence.

The DUAA (Data (Use and Access) Act 2025) came into law on 19 June 2025. We are currently reviewing and updating our information pages to account for the changes to UK data protection law introduced by the Act. If you need any expert guidance on how your data processing obligations will change, contact our experts today.

What do the PECR cover?

The PECR apply to:

  • Electronic marketing, including telephone calls, SMS messages, emails and faxes;
  • The use of website cookies to track visitors;
  • The security of public electronic communications services; and
  • The privacy of users of electronic communications services.

How do the PECR relate to the UK GDPR?

The UK GDPR’s standard of consent applies under the PECR. (The UK GDPR matches the EU GDPR’s standard of consent, which is much higher than that under the Data Protection Act 1998, which it replaced.)

To complicate matters, the PECR require the use of consent much more frequently than the UK GDPR does.

Consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.

The PECR apply even if you are not processing personal data and therefore do not have to comply with the UK GDPR. For example, the PECR’s marketing rules apply even if the person you are contacting cannot be identified.

For network and service providers, the UK GDPR does not apply where the PECR already provide rules. In practice, this means providers need to comply only with the PECR’s requirements relating to:

  • Security and security breaches;
  • Traffic data;
  • Location data;
  • Itemised billing; and
  • Line identification services.

However, some service providers, such as Internet service providers, might be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so they should check their compliance obligations carefully.

The ICO enforces the UK GDPR, the PECR and the NIS Regulations for DSPs (digital service providers).

What are the penalties for not complying with the PECR?

The ICO has the power to take action against organisations and, as of 17 December 2018, their officers for PECR violations. Actions include criminal prosecution, non-criminal enforcement, audit and the imposition of monetary penalties of up to £500,000.

An ‘officer’ is defined by The Privacy and Electronic Communications (Amendment) Regulations 2018 as “a director, manager, secretary or other similar officer of the body [corporate] or any person purporting to act in such capacity” or “where the affairs of the body are managed by its members, a member”. In relation to a Scottish partnership, an officer is “a partner or any person purporting to act as a partner”.

How GRC Solutions can help you comply

Understand your level of PECR compliance with our independent PECR Audit service, which assesses:

  • Organisation-wide awareness of the PECR;
  • How risks are managed and the accompanying documentation;
  • The security procedures in place, such as access limitation;
  • Handling of data subjects’ rights and privacy notices;
  • Staff training;
  • Data transfer mechanisms and third-party processors;
  • Your ISMS (information security management system), including testing and frameworks; and
  • Your breach response processes.

We will identify areas of non-compliance and deliver a report to help you take remedial action.

Find out more

Back to resources

Keep reading

Knowledge

What is Cyber Security? Definition and Best Practices

28 November 2025

Knowledge

UK Government Minimum Cyber Security Standard

28 November 2025

Knowledge

Transitioning to ISO 27001:2022 | GRC Solutions

28 November 2025

Knowledge

SWIFT CSCF Compliance

28 November 2025

Knowledge

Speak to a cyber security expert

28 November 2025

Knowledge

What is Social Engineering? Examples & Prevention Tips

28 November 2025

Knowledge

Securities and Exchange Commission Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

28 November 2025

Knowledge

The Sarbanes-Oxley Act | GRC Solutions

27 November 2025

Knowledge

What is Phishing? Attack Techniques & Prevention Tips

27 November 2025

Knowledge

NIST Cybersecurity Framework (CSF) | GRC Solutions

27 November 2025