Search

How can we help?

Icon

PECR – fines, direct marketing and cookies

  • 26 September 2025
  • Privacy and Data Protection

The Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025 which makes changes to the UK’s data regime, amending the Data Protection Act 2018 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). In respect of PECR, a key change making the headlines is the significant increase of fines.

Before the changes bought by DUAA, the Information Commissioner’s Office were able to impose fines of up to £500,000 on organisations for breaches of PECR yet, DUAA increases this penalty significantly. Fines given under PECR now align with UK GDPR which can be the higher of £17,500,000 or 4% of an organisation’s total worldwide turnover.

Additionally, rules regarding e-marketing and cookies have been the subject of change under PECR, and thus compliance will be crucial to avoid the increase of fines organisations could face.

Direct marketing – changes to interpretation

The definition of ‘direct marketing’ has been inserted into PECR to match the definition used within the DPA, which states, direct marketing is “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” (section 122 DPA). The inclusion of the ‘direct marketing’ definition into PECR aims to provide consistency amongst data protection legislation.

Further, section 110 of DUAA amends PECR to update key definitions:

  1. ‘Call’ – to include all marketing calls, and “a reference to making a call includes a reference to attempting to establish such a connection”. A connection therefore does not need to be established.
  2. ‘Communication’ – will cover all communication, but rather than the previously used terms of “exchanged or conveyed”, the definition will be updated to “any information transmitted”.
  3. ‘Recipient’ – shall be updated to include an intended recipient.

What does this mean in practice? These changes will affect those in the direct marketing industry because “calls” and “communication” will include those calls and communications transmitted even if they fail to reach the desired recipient. Previously, it was inferred that communication which was “exchanged or conveyed” was required to at least reach an individual. So, even if such communications or calls are not received, anyone participating in direct marketing which causes a nuisance or disturbance to those individuals, may receive a fine.

This will allow charities to send direct marketing texts and emails to those who have raised an interest into their charity but explicit consent has not been given.

Direct marketing – charities

A new soft opt-in rule has been inserted into PECR by DUAA. This will allow charities to send direct marketing texts and emails to those who have raised an interest into their charity but explicit consent has not been given. For a charity to market via electronic communications, the following factors must apply:

  1. The sole purpose of the direct marketing is to further the charity’s charitable purpose;
  2. The charity received the recipient’s contact details by the recipient expressing an interest in at least one charitable purpose, or offering to support one of those purposes; and
  3. The receipt will be able to opt out of the marketing communications.

For more information on the above, see section 114 of DUAA.

Previous legislation meant that charities were only allowed to send marketing material to those who had bought similar products and / or services. Yet, this amendment will allow charities to send marketing communications to people who have only expressed an interest in their work, ultimately broadening the explicit consent exceptions under PECR.

Cookies – further exceptions added

The use of cookies to store user information on a device is prohibited unless one of the exceptions within PECR applies. DUAA expands the current exceptions and relaxes the requirements for consent to be obtained for certain cookie uses. Cookies that will:

  1. Enhance the service of a website by collecting statistical information;
  2. Enhance how the service is displayed; and
  3. Locate the geographical point of a user in response to an emergency

will not require user consent before their use.

The Secretary of State will also be able to alter or create new exceptions (following the necessary consultation with the relevant groups).

For further information, see section 112 of DUAA.

To ensure compliance with any aspect of data protection legislation, get in touch with a member of our data protection team.

 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile
Madeleine Harding

Trainee Solicitor

View profile

+44 118 960 4693

About this article

  • Subject
    PECR – fines, direct marketing and cookies
  • Author
    Madeleine Harding
  • Expertise
    Privacy and Data Protection
  • Published
    26 September 2025
employmentboddy logo
clipboard logo HR Resources

Data Protection – An Overview

This factsheet provides and brief overview of data protection legislation.

FIND OUT MORE

Read, listen and watch our latest insights

art
  • 05 September 2025
  • Privacy and Data Protection

When Ignoring a DSAR Becomes a Criminal Offence

On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).
art
  • 02 September 2025
  • Employment

Social Media – how private is your personal data

Nowadays most people have at least one social media account. Whether it’s Facebook or TikTok, X, or LinkedIn, most adults have an online presence.
art
  • 18 August 2025
  • Privacy and Data Protection

Top 10 DUAA Compliance Tips for Employers

To support your preparation, we have outlined 10 practical tips to help employers navigate the new requirements and take full advantage of the DUAA’s reforms.
art
  • 12 August 2025
  • Privacy and Data Protection

From WeTransfer to WhatsApp: How Unapproved Tools and “Shadow IT” Could Threaten UK GDPR Compliance

Businesses and self-employed professionals are in a constant pursuit of efficiency and productivity.  There are, as a result, no end of tools and products available to smooth digital workflows. 
Pub
  • 14 July 2025
  • Privacy and Data Protection

From legislation to implementation: The Data (Use and Access) Act 2025

In this podcast, our data protection experts, will explain what the Act means for your organisation and how to ensure compliance with the new regulations.
art
  • 01 July 2025
  • Privacy and Data Protection

Data protection compliance: tricky issues for employers

This article highlights key issues organisations may face when processing personal data and stresses the importance of a proactive approach. It also outlines tailored training packages to support compliance and build internal expertise.
See More