PECR stands for the Privacy and Electronic Communications Regulations. It is the UK law that sits alongside the UK GDPR to govern cookies, electronic marketing, and the privacy of electronic communications. Any UK website that sets cookies or sends marketing must follow it.
Below: what PECR covers, its Regulation 6 cookie rule, and which cookies are exempt. Then how the 2025 Data Act changed PECR's fines, and how PECR compares to the UK GDPR.
What Does PECR Cover?
PECR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, implements the EU ePrivacy Directive 2002/58/EC into UK law. It covers four areas of electronic communications.
- Electronic marketing: calls, texts, emails, and faxes, most of which need opt-in consent
- Cookies and similar technologies: any technology that stores or accesses information on a user's device
- Security of communications services: obligations on providers of public electronic communications networks
- Customer privacy for network and service data: traffic and location data, itemised billing, line identification services, and directory listings
PECR applies to more than telecoms providers. It reaches any organisation that markets by phone, email, text, or fax. It also reaches anyone who uses cookies or similar technology on its website, or compiles a public directory. Read about the UK's other data privacy laws to see where PECR fits alongside the Data Protection Act 2018 and the UK GDPR.
PECR implements the EU ePrivacy Directive, the original EU law on cookies and electronic marketing, into UK domestic law. The two frameworks diverged after Brexit. The EU has moved toward replacing the ePrivacy Directive with a new ePrivacy Regulation, but that EU-only law does not automatically apply in the UK. PECR remains the operative UK law and continues to sit alongside the UK GDPR.
One rule cuts across every area PECR covers: it applies whether or not personal data is involved. Regulation 6, the cookie rule, governs "information," a broader term than "personal data" in the UK GDPR. An anonymous analytics cookie must still satisfy PECR, even if it identifies no one.
What Are the PECR Cookie Consent Rules?
Regulation 6 of PECR sets the cookie consent rule. Before you store or access information on a visitor's device, you must tell them the cookies are there. You must also explain what the cookies do and get their consent. This applies to any non-essential cookie or tracking pixel, regardless of whether it processes personal data.
Consent under PECR uses the UK GDPR's consent standard: freely given, specific, and informed. It must involve a clear, unambiguous positive action, such as ticking a box or clicking a link. Continuing to browse the site does not count as consent.
You cannot set non-essential cookies before the visitor has made that choice. This mirrors the wider cookie consent requirements UK sites must meet under the GDPR.
For most sites, Regulation 6 comes down to three steps.
- Tell visitors that cookies are in use, in a clear and comprehensive way
- Explain what each cookie does and why, in language the visitor can actually understand
- Get consent through an active choice before any non-essential cookie loads, and let visitors withdraw it as easily as they gave it
You only need to complete this the first time a visitor sets cookies, not on every return visit, unless your use of cookies changes. Because PECR borrows the UK GDPR's consent standard, a cookie banner that meets one law's consent bar generally meets the other's for the same interaction.
What Cookies Are Exempt From PECR Consent?
Two categories of cookies do not require consent under Regulation 6. The first covers cookies used solely to transmit a communication over a network. The second covers cookies that are strictly necessary to provide a service the visitor specifically requested.
The strictly-necessary test is narrow. The storage or access must be essential to fulfil the visitor's request, not merely helpful, convenient, or useful for your own analytics or marketing. Common examples include:
- Cookies that remember items in a shopping basket through checkout
- Session cookies that provide security for a service the visitor requested, such as online banking
- Load-balancing cookies that distribute traffic so a page loads correctly
- Cookies that authenticate a logged-in user or remember choices made earlier in the same session
If a cookie is helpful but not essential to the specific request, it still needs consent. It remains good practice to tell visitors about exempt cookies even though you do not need their consent for them.
How Did the Data (Use and Access) Act 2025 Change PECR?
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It amended PECR's cookie rule, Regulation 6, with effect from 5 February 2026. The changes add three new low-risk cookie exemptions. They also raise the maximum PECR fine to UK GDPR levels and widen who can be held liable for a breach.
What changed, in order of impact:
- Fine increase: the maximum PECR fine rose from £500,000 to £17.5 million, or 4% of global turnover, whichever is greater
- Three new low-risk cookie exemptions: statistical purposes that improve a service, website appearance or functionality preferences, and locating a device for emergency assistance
- Wider liability: Regulation 6 now defines "storing or gaining access" to include instigating that storage or access. A third party that triggers a non-compliant cookie, such as an adtech vendor, can now be liable, even if a publisher's site technically sets it
- A charity soft opt-in: charities can email people who previously expressed interest in their cause without fresh opt-in consent. This requires an opt-out offered at collection and on every later contact
| Before DUAA | After DUAA (from 5 Feb 2026) |
|---|---|
| Maximum fine: £500,000 | Maximum fine: £17.5 million or 4% of global turnover |
| Cookie exemptions: transmission-only, strictly-necessary | Same two, plus statistical, appearance/functionality, and emergency-assistance exemptions |
| Liability: the party that sets the cookie | Liability: the party that sets OR instigates the cookie |
The two everyday exemptions are not silent free passes. The statistical and the appearance-or-functionality exemptions each require you to give visitors clear information about the purpose. Each also requires a simple, free way to object, with no objection raised. That makes them an opt-out model, unlike the no-notice status the strictly-necessary exemption enjoys. The emergency-assistance exemption is narrower still: it only covers locating a device to send help.
None of the three cover third-party advertising cookies. The statistical and appearance exemptions demand a first-party purpose with no data sharing beyond service improvement, so ad-tech and marketing cookies still need consent. For the full route to compliance, follow a step-by-step guide to make your website compliant.
How Is PECR Different From the UK GDPR?
PECR and the UK GDPR sit alongside each other, but PECR is the more specific law. It governs the method and technology of electronic communications, while the UK GDPR governs personal data broadly. For cookies and marketing, comply with PECR first.
| PECR | UK GDPR | |
|---|---|---|
| Scope | Cookies, electronic marketing, comms security, network/service data | Any processing of personal data |
| Consent standard | Uses the UK GDPR's consent standard | Defines the consent standard |
| Applies without personal data? | Yes, PECR governs "information," not just personal data | No, requires personal data to apply |
PECR takes its definition of consent directly from the UK GDPR, so the two rarely conflict on what counts as valid consent. Where they differ is scope: PECR reaches a cookie that identifies no one, while the UK GDPR only applies once personal data is involved.
Network and service providers get a narrow Article 95 carve-out from the UK GDPR: security, traffic data, location data, itemised billing, and line identification. PECR already covers those areas directly.
How Consently Helps You Meet PECR's Cookie Rules
Consently gives UK sites the tools to meet PECR's Regulation 6 rule: tell visitors about cookies, explain them clearly, and get consent first. It does not make you PECR-certified. It gives you the banner, scanning, and record-keeping the rule expects.
Consently's cookie banner uses an opt-in, explicit-consent model that matches the PECR/UK GDPR standard: non-essential cookies stay blocked until a visitor makes an active choice. Two features handle the rest of Regulation 6's practical requirements.
Automatic cookie and tracker scanning finds and categorises the cookies on your site, so you can separate what is strictly necessary from what needs consent. Consent logs record each visitor's choice and export as an audit trail if the ICO ever asks for proof of compliance.
A cookie policy generator produces the "clear and comprehensive information" Regulation 6 requires, in plain language your visitors can actually read.
Consently's cookie consent solution sets up the banner, scanning, and consent logs Regulation 6 expects. Try it free for 14 days, no credit card required.
FAQs
What does PECR stand for?
PECR stands for the Privacy and Electronic Communications Regulations, the UK law that governs cookies and electronic marketing. Its full title is The Privacy and Electronic Communications (EC Directive) Regulations 2003.
Does PECR still apply in the UK?
Yes. PECR continues to apply in the UK after Brexit. The EU's newer ePrivacy Regulation, still in development, will not automatically apply in the UK, so PECR remains the operative law alongside the UK GDPR.
Who does PECR apply to?
PECR applies to anyone who markets by phone, email, text, or fax. It also applies to anyone using cookies or similar technology on a website, or compiling a public telephone directory. Some rules apply only to communications network or service providers.
What is Regulation 6 of PECR?
Regulation 6 is PECR's cookie rule. It requires you to tell visitors about cookies, explain what they do, and get consent before storing or accessing information on their device. A specific exemption can remove that requirement.
What is the maximum fine for a PECR breach?
The maximum fine for a PECR breach is now up to £17.5 million or 4% of global annual turnover, whichever is greater. The Data (Use and Access) Act 2025 raised this from the previous £500,000 cap, aligning PECR penalties with UK GDPR levels.
Is PECR stricter than the GDPR?
For cookies and electronic marketing, PECR sets the more specific and often stricter trigger. It requires consent even when no personal data is processed, which the UK GDPR does not reach on its own. Comply with PECR's rule first, then apply the UK GDPR to any personal data involved.

