PECR Reform: Rules relating to electronic marketing and cookies in the UK
- Oliver Yaros,
- Reece Randall,
- Ellen Hepworth,
- Alasdair Maher,
- Ana Hadnes Bruder,
- Katie Steval,
- Laura Taylor (Trainee)
On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). This article focuses on the changes that the DUA Act makes to PECR, the laws in the UK that govern the use of cookies and other online tracking technologies, as well as the rules on electronic marketing communications. See our article on the changes the DUA Act makes to UK GDPR.
Increased Fines
- The DUA Act increases the maximum fine under PECR to bring the maximum fine in line with the UK GDPR.
- The maximum fine is raised from £500,000 to £17.5 million or 4% of annual global turnover.
- This is significant as it signals that the ICO is taking PECR compliance seriously and echoes the ICO's statement earlier this year outlining its intent to clamp down on cookie non-compliance.
Simplification of Cookie Requirements
- The DUA Act removes the requirement for user consent to obtain certain non-essential cookies, including collecting statistical data to improve services or websites; enhancing website appearance or performance; and for emergency assistance.
- The DUA Act also includes a list of purposes for using cookies and similar tracking technologies which can be considered strictly necessary and so do not require consent, such as security and fraud detection.
- Importantly, the EU has not relaxed its cookies rules and businesses operating subject to the UK and the EU rules need to comply with both regimes.#
Breach Notification Timeframe
- The DUA Act amends the timeframe to notify the ICO of a personal data breach under PECR from "without undue delay" to within 72 hours of becoming aware of the breach.
- A personal data breach under PECR differs from a personal data breach under the UK GDPR. Under PECR, a personal data breach takes place whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation in connection with the provision of a public electronic communications service. There is no threshold for how serious the breach must be – all breaches must be notified.
- This amendment aligns the timeframe to notify the ICO of a personal data breach under PECR with the timeframe under the UK GDPR.
Addition of the Definition of Direct Marketing
- The legal definition of direct marketing which is found in the Data Protection Act 2018 - "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals" - has been added to PECR and the UK GDPR.
- The addition of this definition creates consistency across key data protection legislation.
- The UK government had initially considered extending the PECR requirements to cover business-to-business (B2B) marketing, but has ultimately not implemented that proposal. This decision was influenced by concerns from businesses about the potential negative impact on the economy and marketing practices, as well as the potential for increased compliance burdens.
Comment
The DUA Act refines and clarifies PECR to bring it in line with other data protection legislation within the UK. The most significant changes relate to the easing of requirements related to cookies and other tracking technologies, and the notable increase in the maximum fines under PECR. Following the enactment of the DUA Act, businesses should review their cookies policies to ensure compliance with cookies law.
