What is PECR? The UK cookie law explained
PECR stands for the Privacy and Electronic Communications Regulations 2003. They sit alongside UK GDPR and specifically govern cookies, electronic marketing, and telecommunications privacy. If you run a website that targets UK users, PECR is the law that dictates whether you need a cookie banner, how you can send marketing emails, and what happens if you get it wrong.
Despite being over two decades old, PECR remains one of the most misunderstood pieces of UK digital regulation. Many business owners assume that UK GDPR covers everything to do with their website. In reality, PECR contains the specific rules about cookies and electronic marketing — and ignoring it can result in significant fines from the Information Commissioner's Office (ICO).
What PECR covers
PECR covers three main areas of electronic communications:
- Cookies and similar technologies — the rules about storing information on (or accessing information from) a user's device, including cookies, local storage, fingerprinting scripts, and tracking pixels.
- Electronic marketing — rules governing unsolicited marketing by email, text message, phone call, and fax. This includes the rules about opt-in consent for marketing emails and the requirement for an unsubscribe mechanism.
- Telecommunications privacy — rules about telephone directories, caller ID, call forwarding, and the security of public electronic communications services.
For most website owners and small businesses, the cookie rules and electronic marketing provisions are the parts of PECR that matter most day-to-day.
PECR vs UK GDPR — how they work together
Think of PECR and UK GDPR as two layers of regulation that often apply at the same time. UK GDPR is the broad data protection framework — it governs how personal data is collected, processed, stored, and shared. PECR is the specialist regulation that deals specifically with electronic communications.
Here is the key distinction: PECR applies to all cookies and similar technologies, regardless of whether they process personal data. UK GDPR only kicks in when personal data is involved. So a cookie that tracks an anonymous session still falls under PECR, even if UK GDPR does not apply to it.
In practice, most tracking and analytics cookies do process personal data (IP addresses, device identifiers), so both regulations usually apply simultaneously. You need to satisfy PECR's consent requirements for setting the cookie, and UK GDPR's requirements for processing the personal data that cookie collects.
Regulation 6: the cookie rule
The heart of PECR's cookie requirements is Regulation 6. It states that you must not store information on, or access information from, a user's device unless two conditions are met:
- The user is given clear and comprehensive information about the purpose of the storage or access.
- The user has given their consent.
There is one exception: cookies that are strictly necessary for providing a service the user has explicitly requested. These do not require consent (though you should still tell users about them).
The ICO has been clear that consent under PECR means the same as consent under UK GDPR — it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, continued browsing, and implied consent do not meet this standard.
What counts as a "cookie" under PECR
PECR's Regulation 6 is technology-neutral. It does not only apply to HTTP cookies. It covers any technology that stores or accesses information on a user's device. This includes:
- HTTP cookies — the traditional first-party and third-party cookies set by websites and scripts.
- Local storage and session storage — the Web Storage API used by many modern web applications.
- Browser fingerprinting — techniques that combine device characteristics (screen resolution, installed fonts, browser version) to create a unique identifier.
- Tracking pixels and web beacons — tiny images or scripts embedded in pages or emails that report back to a server when loaded.
- ETags and cache-based tracking — techniques that use browser caching mechanisms to identify returning visitors.
If any of these technologies are used on your site for non-essential purposes, they require consent under PECR.
Enforcement: ICO powers and fines
The ICO is the UK's supervisory authority for both PECR and UK GDPR. For PECR specifically, the ICO can issue enforcement notices requiring organisations to take specific actions, and monetary penalty notices imposing fines.
Since 2019, the ICO has issued over £4.6 million in fines for PECR breaches, primarily targeting organisations that sent unsolicited marketing messages or failed to comply with cookie consent requirements. Major enforcement actions have targeted companies making nuisance calls, sending spam texts, and deploying tracking cookies without valid consent.
Under the Data (Use and Access) Act 2025, the maximum fine for PECR breaches increased significantly to £17.5 million or 4% of annual global turnover (whichever is higher), bringing PECR penalties in line with UK GDPR. This represents a substantial increase from the previous maximum of £500,000 and signals that the government takes PECR enforcement seriously.
Who PECR applies to
PECR applies to any organisation that:
- Operates a website accessible to UK users
- Sends electronic marketing communications to people in the UK
- Provides electronic communications services in the UK
Notably, PECR applies based on where the user is located, not where the organisation is based. If you run a website from outside the UK but it targets UK consumers or sets cookies on UK visitors' devices, PECR applies to you.
There is no small business exemption. Whether you are a sole trader with a one-page website or a multinational corporation, PECR applies equally.
PECR compliance checklist
Use this checklist to assess your website's PECR compliance:
- Audit all cookies and similar technologies on your website (use browser developer tools or a scanning tool to identify them).
- Classify each cookie as either strictly necessary or non-essential.
- Implement a consent mechanism (cookie banner) that blocks non-essential cookies until the user gives affirmative consent.
- Ensure your cookie banner provides clear information about what each category of cookie does and why it is used.
- Provide granular consent options — users must be able to accept or reject different categories of cookies independently.
- Ensure consent is not assumed from continued browsing, pre-ticked boxes, or cookie walls that force acceptance.
- Keep records of consent (timestamp, what was consented to, how consent was given) in case you need to demonstrate compliance.
Common mistakes
Relying on implied consent
Phrases like "by continuing to browse this site, you agree to our use of cookies" do not constitute valid consent under PECR. The ICO has explicitly stated that continuing to use a website is not an affirmative action that demonstrates consent. You need a clear opt-in mechanism.
Using cookie walls
A cookie wall blocks access to your website unless the visitor accepts all cookies. The ICO considers this problematic because consent must be freely given — if the only way to access your content is to accept tracking, that consent is not truly free. Provide a genuine choice.
Pre-ticked consent boxes
If your cookie banner loads with all categories pre-selected and requires users to untick boxes to refuse, that is not valid consent. Consent must require a clear affirmative action. All non-essential categories should be unticked by default.
Setting cookies before consent
A common technical mistake is loading analytics and marketing scripts before the user interacts with the consent banner. Non-essential cookies must not be set until the user has given explicit consent. This requires your consent management platform to actually block these scripts, not just record a preference.
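As an added illustration of the script-blocking and consent-record points made in the checklist above and in this section (example code, not from the original article), here is a minimal consent gate in plain JavaScript. It assumes non-essential scripts are written into the page as `<script type="text/plain" data-consent="analytics" data-src="...">` so the browser never executes them on load; the attribute and category names are this example's own convention.

```javascript
// Added example: keep non-essential scripts blocked until the user gives
// affirmative, per-category consent, and keep a record of what was consented to.
// Assumption: blocked scripts are marked up as
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/a.js"></script>
// "data-consent", "data-src" and the category names are this example's own convention.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Default state: nothing pre-ticked. Only strictly necessary is on, because it is
// exempt from the consent requirement; every other category starts as false.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Build a consent record from the user's explicit choices. Anything the user did
// not actively select stays false: continued browsing is not treated as consent.
function recordConsent(chosen, method, now = Date.now()) {
  const state = defaultConsent();
  for (const c of chosen) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    if (c !== "necessary") state[c] = true;
  }
  // Timestamp, what was consented to and how: the evidence the checklist asks you to keep.
  return { state, method, timestamp: new Date(now).toISOString() };
}

// May a script tagged with this category run under the current consent state?
function mayLoad(category, state) {
  if (category === "necessary") return true;
  return state[category] === true;
}

// Activate only the blocked <script type="text/plain"> tags whose category is consented.
// Tags for unconsented categories are left untouched, so their cookies are never set.
// Returns the number of scripts activated (0 when no document is available, e.g. in Node).
function activateScripts(state, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent, state)) continue;
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live); // swapping in a real <script> is what makes the browser execute it
    activated++;
  }
  return activated;
}
```

Call `activateScripts(recordConsent([...], "banner-click").state)` from the banner's accept handler; until then nothing in the `text/plain` tags runs.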
Forgetting about third-party embeds
Embedding a YouTube video, a Google Map, or a social media feed can set third-party cookies on your visitors' devices. These need to be accounted for in your consent mechanism. Consider using facade patterns that load a static placeholder until the user consents.
Frequently asked questions
Is PECR the same as GDPR?
No. PECR and UK GDPR are separate but complementary pieces of legislation. UK GDPR is the broad data protection framework covering how personal data is collected, stored, and used. PECR is more specific — it deals with electronic communications including cookies, marketing emails, and telephone privacy. When you set cookies that process personal data, both PECR and UK GDPR apply simultaneously.
Do analytics cookies need consent under PECR?
Yes, in most cases. Standard analytics tools like Google Analytics 4 set non-essential cookies and therefore require informed consent under PECR Regulation 6. The ICO has confirmed this position repeatedly. However, some privacy-focused analytics tools like Fathom Analytics and Plausible operate without setting cookies, which means they can run without a consent banner.
What about essential cookies — do they need consent?
No. Strictly necessary cookies are exempt from the consent requirement under PECR Regulation 6(4). These are cookies that are essential for providing a service the user has explicitly requested — for example, shopping cart cookies, authentication session cookies, or load balancing cookies. You still need to inform users about these cookies, but you do not need to ask for consent before setting them.
Can the ICO fine small businesses for PECR breaches?
Yes. The ICO can and does take action against organisations of all sizes. While large-scale enforcement actions tend to target bigger companies, the ICO can issue enforcement notices, information notices, and monetary penalties to any organisation that breaches PECR. In practice, the ICO often starts with guidance and warnings for smaller businesses, but repeated non-compliance can lead to formal action and fines.
What changed with the Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 introduced several changes relevant to PECR. The maximum fine for PECR breaches increased to £17.5 million or 4% of global turnover, aligning it with UK GDPR penalties. The Act also granted the ICO greater powers to investigate and enforce PECR compliance, and introduced provisions for an updated approach to cookie consent that may allow broader use of analytics without explicit consent in future, though the details are still being finalised through secondary legislation.