Cookie Consent and PECR: Your Digital Privacy Rights

Two pieces of law govern your digital privacy in the UK:

• UK GDPR and the Data Protection Act 2018: The overarching framework governing how organisations collect, store, and use personal data. Applies to almost all processing of personal data.
• Privacy and Electronic Communications Regulations 2003 (PECR): Specific rules for electronic communications — cookies, tracking technologies, direct marketing by email/SMS/phone, and traffic/location data held by telecoms providers. PECR sits alongside UK GDPR and is enforced by the Information Commissioner's Office (ICO).

In practice, PECR creates the specific consent requirement for cookies and electronic marketing. Where PECR requires consent, that consent must meet UK GDPR standards — i.e. it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and consent that is a condition of accessing a service do not meet the standard.

Post-Brexit, PECR remains in force in UK law; the UK government has consulted on reforms but as of 2025 the core consent requirements remain unchanged.

Regulation 6 of PECR requires that before you place a cookie (or similar technology) on a user's device, you must:

1. Provide clear and comprehensive information about what cookies do and why.
2. Obtain the user's consent — except for cookies that are strictly necessary for the service requested.

Strictly necessary cookies (no consent required) include session cookies that maintain a shopping basket, authentication cookies that keep you logged in, and security cookies. These may be set without consent because the service literally cannot function without them.

All other cookies — analytics, advertising, social media tracking, personalisation — require prior consent. This includes Google Analytics, Meta Pixel, and similar tools even if the data is nominally anonymised.

Reject-all parity: The ICO's guidance (updated 2023) makes clear that a "reject all" option must be as prominent and accessible as an "accept all" option. Organisations that present a large green "Accept" button alongside a small grey link to "manage preferences" are likely in breach. The reject option must be available on the first layer of the consent interface.

PECR Regulation 22 governs unsolicited electronic marketing:

• Marketing to individuals (B2C): Organisations must have your prior consent before sending marketing emails or texts. The consent must meet UK GDPR standards — pre-ticked boxes and inferred consent do not qualify.
• Soft opt-in (existing customers): An organisation can market to existing customers without fresh consent if: (1) they obtained contact details during a sale, (2) the marketing is for similar products or services, and (3) a clear opt-out was offered at the time and is offered in every subsequent message.
• Marketing to businesses (B2B): Emails to corporate email addresses (e.g. info@companyname.co.uk) are not subject to the individual consent requirement, but marketing to named individuals at a business address (e.g. jane.smith@companyname.co.uk) is.
• Opt-out rights: Every marketing message must include a clear and free means to opt out. Organisations must act on opt-outs promptly. Continuing to send marketing after an opt-out is a breach of PECR.

If you receive unwanted marketing, report it to the ICO using the spam reporting tool on their website.

The ICO enforces both PECR and UK GDPR. The enforcement landscape:

• PECR fines: The ICO can issue fines of up to £500,000 for serious breaches of PECR — for example, sending millions of unsolicited marketing texts or deploying non-consensual tracking cookies at scale. The ICO has fined numerous companies including major telecoms providers and political parties.
• UK GDPR fines: Where a PECR breach also involves a UK GDPR breach (e.g. processing personal data without a lawful basis), the ICO can issue UK GDPR fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
• How to complain: If an organisation has breached your PECR rights (e.g. set tracking cookies without consent, sent unsolicited marketing), you can complain directly to the ICO at ico.org.uk. You should first raise the issue with the organisation and give them a reasonable time to respond.
• Court action: PECR does not itself give individuals a private right to sue for damages, but if a PECR breach also constitutes a UK GDPR breach, you may be able to seek compensation through the courts under Article 82 UK GDPR.

The ICO publishes an anonymised decision register showing past enforcement actions — useful for understanding the threshold at which the ICO acts.