Finance Editor, Kael Tripton Ltd - LBS MBA - Verified against FCA Handbook: 14 June 2026
Quick answer
PECR 2003 governs cookies, email marketing, cold calling and text marketing in the UK. Non-essential cookies require opt-in consent before placement. Marketing emails require consent or the soft opt-in rule. Cold calls to TPS-registered numbers are prohibited. The ICO enforces PECR alongside UK GDPR with fines up to £500,000.
What Are PECR Regulations and What Do They Require?
Direct answer
What are the PECR cookie and marketing rules?
PECR 2003 (legislation.gov.uk/uksi/2003/2426) requires: opt-in consent before non-essential cookies are placed on a user's device; prior consent for marketing emails and texts to individuals (or soft opt-in for existing customers); no automated marketing calls without consent; no live marketing calls to TPS-registered numbers. The ICO enforces PECR alongside UK GDPR, with fines up to £500,000.
FCA Handbook - PECR Regulation 6(1) - Verbatim Rule Text Source: handbook.fca.org.uk
A person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
Audit your cookies
List all cookies set on your website. Classify each as strictly necessary or non-essential. Non-essential cookies require prior consent.
Implement a compliant cookie consent mechanism
A cookie banner must: describe what each category of cookie does, require opt-in (not opt-out) before non-essential cookies are placed, allow granular choice (accept all / reject all / manage preferences), and allow users to withdraw consent as easily as they gave it.
Audit your email marketing lists
Check every contact on your marketing list has given valid consent or qualifies under the soft opt-in rule. Remove or re-consent anyone who does not.
Check your calls against TPS
Before making marketing calls to individuals, screen numbers against the Telephone Preference Service register at tpsonline.org.uk.
Appoint a DPO or data privacy lead
For organisations that process personal data at scale, consider appointing a Data Protection Officer and ensure PECR compliance is part of their remit.
| Marketing channel | PECR rule | Consent required? |
|---|---|---|
| Email to individuals | Consent or soft opt-in required | Yes (or soft opt-in for existing customers) |
| Email to companies | GDPR legitimate interest may apply | Not under PECR -- check UK GDPR |
| Automated calls (recorded message) | Prior consent required | Yes always |
| Live calls to individuals | Cannot call TPS-registered numbers | Yes if TPS-registered |
| SMS/text to individuals | Consent or soft opt-in required | Yes (or soft opt-in) |
| Non-essential cookies | Opt-in consent before placement | Yes -- pre-ticked boxes invalid |
Frequently Asked Questions
What are PECR Regulations?
The Privacy and Electronic Communications Regulations 2003 (PECR, SI 2003/2426) implement the EU e-Privacy Directive in UK law. PECR governs electronic marketing (emails, texts, calls, faxes), the use of cookies and similar technologies, and communications networks security. PECR is enforced by the Information Commissioner's Office (ICO) alongside the UK GDPR (Data Protection Act 2018). Breaches can result in ICO fines of up to £500,000 for organisations and £500,000 for directors personally.
What are the cookie rules under PECR?
Under PECR Regulation 6, you must not store or access cookies or similar technologies on a user's device unless: the user has given consent (opt-in), or the cookie is strictly necessary for a service explicitly requested by the user. Strictly necessary cookies (session management, security, shopping basket) do not require consent. All other cookies -- analytics, advertising, social media, preference cookies -- require prior consent before they are placed. The consent must be informed, specific and freely given -- pre-ticked boxes do not constitute valid consent.
What are the email marketing rules under PECR?
Under PECR, you can only send marketing emails or texts to individuals (including sole traders and some partnerships) if you have their prior consent, or if you are marketing similar products or services to existing customers and gave them the opportunity to opt out (the 'soft opt-in' rule). For corporate bodies (companies, LLPs), prior consent is not required by PECR but the UK GDPR legitimate interest basis must still be considered. The ICO regularly fines businesses for spam email marketing without valid consent.
What are the cold calling rules under PECR?
Under PECR, you cannot make automated marketing calls or send marketing faxes to individuals without prior consent. For live marketing calls to individuals, you cannot call anyone registered with the Telephone Preference Service (TPS) unless they have specifically consented to calls from your organisation. Businesses (corporate bodies) are also protected by the Corporate Telephone Preference Service (CTPS). The ICO enforces both the TPS and CTPS rules.
What are the PECR fines?
The ICO can issue monetary penalty notices for PECR breaches of up to £500,000 for organisations and £500,000 for directors personally (for consent violations under Regulation 5A and marketing violations). Notable examples: British Gas £100,000 (2020) for marketing without consent, Sky Betting and Gaming £1 million (2023) for cookie consent failures. The ICO has also issued fines to lead generation companies, insurance companies and financial services firms for cold calling and email marketing breaches.
Kael Tripton Ltd is registered with the Information Commissioner's Office under registration number ZC135439.