PECR Compliance in 2026: Explained

Introduction

For many UK organisations, GDPR gets most of the attention. However, when it comes to marketing risk, it is PECR that most often leads to complaints, investigations, and enforcement.

The Privacy and Electronic Communications Regulations (PECR) sit alongside UK GDPR and govern how organisations send marketing communications and use tracking technologies.

In 2026, the stakes are higher than ever. Enforcement risk remains active, and potential penalties now align with GDPR levels of up to £17.5 million or 4% of global turnover.

Despite this, many organisations are still unclear on how PECR actually applies in practice.

What PECR Actually Covers

PECR is often misunderstood as “just email marketing law”. In reality, it covers the full lifecycle of electronic engagement with individuals.

PECR regulates:

Direct Marketing Communications

  • Email marketing
  • SMS and text campaigns
  • Telephone marketing
  • Automated calling systems

Digital Tracking & Website Technologies

  • Cookies
  • Tracking pixels
  • Analytics tools
  • Behavioural advertising

Communication Data

  • Traffic data
  • Location data in telecom services

👉 In simple terms:

  • GDPR = how you use personal data
  • PECR = how you contact and track people using technology

You need both to be compliant.

“GDPR vs PECR: What’s the Difference?”

  • Data usage → GDPR
  • Communication & tracking → PECR

⚖️ B2C vs B2B Marketing: Key Differences

Understanding this distinction is critical.

Quick Comparison Table

Area                     | B2C (Individuals)        | B2B (Corporate Subscribers)
-------------------------|--------------------------|----------------------------
Consent required         | Yes, in most cases       | Not always required
Type of consent          | Explicit opt-in          | Opt-out permitted
Soft opt-in available    | Yes (limited conditions) | Not required
Transparency requirement | High                     | High
Must identify sender     | Yes                      | Yes
Must include opt-out     | Yes                      | Yes
Must explain data source | Good practice            | Expected in first contact

B2C (Individual Subscribers)

If you are marketing to individuals, including sole traders and partnerships:

  • You generally need explicit consent before sending marketing emails or texts
  • Consent must be:
    • Freely given
    • Specific
    • Informed
    • Unambiguous

👉 This is the highest-risk area under PECR.

B2B (Corporate Subscribers)

If you are marketing to corporate entities such as limited companies:

  • You can send marketing emails without prior consent
  • However, you must:
    • Clearly identify your organisation
    • Provide a clear and easy opt-out
    • Stop marketing immediately if they opt out
    • Explain where you obtained their contact details in your initial communication

👉 This requirement is often overlooked. Even where consent is not required, lack of transparency significantly increases complaint risk.

👉 Important nuance:
If you email a named individual using a personal-style email address, stricter rules may apply.

⚠️ Biggest PECR Risk Areas in 2026

1. Consent Misunderstanding

  • Using legitimate interests instead of consent
  • Poor or bundled opt-in language
  • Reliance on legacy or unclear data

2. Misuse of Soft Opt-In

Soft opt-in applies only if all three conditions are met:

  • The contact details were collected during a sale or negotiation for a sale
  • The marketing is for similar products or services
  • A clear opt-out was offered at collection and is offered in every message

Common failures:

  • Applied to prospects
  • Used across unrelated products
  • Weak unsubscribe mechanisms

3. Poor Opt-Out Management

You must:

  • Process opt-outs promptly
  • Maintain suppression lists
  • Apply opt-outs across all systems
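A pre-send gate that encodes the B2C, B2B, soft opt-in and opt-out rules set out in the sections above, as an added Python example that is not part of the original article or any GRC Hub tool. The recipient and campaign fields, the source labels ("sale", "negotiation", "prospect") and the sample addresses are constructed assumptions; suppression is checked first so an opt-out overrides every other basis.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Recipient:
    address: str
    corporate: bool                  # limited company mailbox; False for individuals, sole traders, partnerships
    consent: bool = False            # explicit, specific opt-in recorded for this channel
    first_contact: bool = True       # we have never marketed to this recipient before
    soft_opt_in_source: str = ""     # assumed labels: "sale", "negotiation", "prospect" or "" (unknown)
    purchased_categories: frozenset = frozenset()  # product categories bought or negotiated for

@dataclass(frozen=True)
class Campaign:
    category: str                    # product category this campaign promotes
    identifies_sender: bool
    has_opt_out: bool
    explains_data_source: bool       # states where the recipient's details were obtained

def build_suppression(*opt_out_lists):
    """Merge opt-outs exported from every system (CRM, email platform, SMS tool) into one normalised set."""
    return {addr.strip().lower() for lst in opt_out_lists for addr in lst}

def soft_opt_in_applies(r, c):
    """All three soft opt-in conditions must hold; prospects and unrelated products never qualify."""
    return (r.soft_opt_in_source in ("sale", "negotiation")
            and c.category in r.purchased_categories
            and c.has_opt_out)

def may_send(r, c, suppression):
    """Return (allowed, reason) for one recipient. A recorded opt-out beats any consent basis."""
    if r.address.strip().lower() in suppression:
        return False, "suppressed: previously opted out"
    if not (c.identifies_sender and c.has_opt_out):
        return False, "campaign must identify the sender and offer an opt-out"
    if r.corporate:
        if r.first_contact and not c.explains_data_source:
            return False, "first B2B contact must explain where the details came from"
        return True, "corporate subscriber: opt-out basis"
    if r.consent:
        return True, "explicit consent"
    if soft_opt_in_applies(r, c):
        return True, "soft opt-in: similar product, details obtained during a sale"
    return False, "individual without consent or valid soft opt-in"

# Constructed sample: opt-outs exported from two separate systems, merged once.
SUPPRESSION = build_suppression(["Sam@Example.com"], ["pat@example.org "])
CAMPAIGN = Campaign(category="kitchen", identifies_sender=True, has_opt_out=True, explains_data_source=False)
```

Run the gate over the whole send list and keep the returned reason with each decision; that record is what lets you show why a message was or was not sent if a complaint arrives.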

4. Cookie and Tracking Gaps

Under PECR:

  • Consent required for non-essential cookies
  • Tracking must not begin before consent
  • Consent must be recorded

Guidance confirms analytics and advertising cookies usually require consent.

5. Policy vs Reality Gap

Common issue:

  • Policies exist
  • Processes are not followed
  • Systems are inconsistent

Regulators assess what happens in practice.

What Good Looks Like

A compliant marketing setup includes:

  • Clear consent and opt-in approach
  • Defined B2B vs B2C rules
  • Central suppression controls
  • Documented decisions
  • Alignment between marketing and compliance

💥 Common Mistakes That Trigger Enforcement

  • Treating PECR as secondary to GDPR
  • Misusing soft opt-in
  • Poor suppression
  • Using unclear or bought data
  • Assuming low volume reduces risk

👉 Complaints drive enforcement, not scale.

💬 FAQ: PECR in Practice

Do I always need consent to send marketing emails?

No. Consent is required for individuals. For corporate subscribers, opt-out rules apply instead.

Can I rely on legitimate interests for email marketing?

No. PECR rules override GDPR lawful basis in most electronic marketing scenarios.

What is the biggest PECR risk right now?

Misuse of soft opt-in and poor suppression management.

Are B2B emails exempt from PECR?

No. The rules are different, but you still need transparency and opt-out mechanisms.

Do I need to say where I got someone’s details?

Yes. This is particularly important in B2B outreach and helps reduce complaints and scrutiny.

What about LinkedIn messages or DMing prospects?

This is a grey area, but increasingly important.

In practice:

  • If a message is clearly promotional, it is likely to be considered direct marketing
  • PECR can apply where messaging is comparable to email or SMS outreach
  • Even where PECR does not strictly apply, GDPR and general transparency requirements still do

Key risks:

  • Sending bulk or automated outreach
  • Contacting individuals without a clear reason or relationship
  • Failing to identify yourself or provide context

Best practice:

  • Be transparent about who you are and why you are contacting them
  • Avoid purely promotional or unsolicited mass messaging
  • Treat LinkedIn outreach like B2B marketing with opt-out principles
  • Always consider whether your message would feel unexpected or intrusive to the recipient

👉 Practical rule:
If it feels like cold outbound marketing, treat it with the same caution as email.

What happens if I get this wrong?

You risk complaints, reputational damage, and potentially significant financial penalties.

⚠️ How Risky Is PECR Non-Compliance in Practice?

It is easy to assume PECR breaches are low risk because individual fines historically have not reached GDPR levels.

That assumption is changing quickly.

1. The Scale of Complaints Is Significant

PECR enforcement is largely driven by complaints rather than audits.

  • Over 82,000 complaints relating to nuisance calls, emails, and cookies were reported to the ICO in a single year.
  • Complaints about spam emails alone reached almost 29,000 cases.

This means:

  • Marketing activity is one of the most visible compliance risks
  • You do not need to be a large organisation to be investigated
  • It only takes a small number of complaints to trigger scrutiny

2. Fines Are Frequent and Consistent

While individual fines may appear modest, enforcement is regular and targeted.

  • Since March 2022, the ICO has issued 49 PECR fines totalling £4.63 million
  • The average fine is around £95,000
  • The regulator issues multiple fines every quarter

Key takeaway:
This is not rare enforcement. It is routine.

3. Real-World Examples

Recent enforcement action shows the types of issues that lead to fines:

  • HelloFresh – £140,000 fine
    • Over 79 million emails and 1 million SMS messages sent without valid consent
    • Failure to provide clear opt-in and effective opt-out handling
  • Telemarketing firms – £340,000 combined fines
    • Over 1.4 million nuisance calls to individuals registered on the “do not call” list
  • Royal Mail – £20,000 fine
    • Due to a system error, an email campaign was sent to over 200,000 individuals who had opted out

Important point:
These are not malicious actors. Many are established organisations making operational mistakes.

4. The Real Risk Has Increased Dramatically

Historically, PECR fines were capped at £500,000.

That is no longer the case.

Under recent legislative changes:

  • Maximum fines now align with GDPR
  • Up to £17.5 million or 4% of global turnover

This is a fundamental shift:

  • Marketing compliance is no longer a “low-level” regulatory risk
  • The most common business activity (email marketing) now carries enterprise-level penalties

5. What Actually Triggers Enforcement

Across cases, the same themes appear repeatedly:

  • Failure to prove valid consent
  • Misuse of soft opt-in
  • Ignoring or delaying opt-outs
  • Poor data sourcing and lack of transparency
  • High complaint volumes from recipients

Critically: the ICO consistently focuses on the organisations generating the highest levels of complaints.

Do You Need Support With PECR Compliance?

If your organisation is running:

  • Email marketing
  • SMS campaigns
  • Fundraising outreach
  • Website tracking

You are within scope of PECR.

The key question is:
Could you confidently justify your approach if challenged?

GRC Hub helps organisations:

  • Assess PECR compliance
  • Optimise marketing frameworks
  • Reduce regulatory exposure
  • Enable compliant, high-performing campaigns

Final Thought

PECR compliance is not about restricting marketing. It is about making it defensible, scalable, and effective.

Organisations that get this right benefit from:

  • Stronger engagement
  • Lower risk
  • Increased confidence


Governance Risk & Compliance Hub LIMITED

© 2026 All rights reserved