If your team makes outbound calls, sends marketing email or SMS, or runs automated voice campaigns to UK numbers, PECR is the rulebook that governs you. UK GDPR gets most of the airtime, but the fines that actually land on direct marketing teams almost always come under PECR. It is the regulation that decides whether a single dialler shift, a rented list, or an over-eager email sequence becomes a regulator problem.

This guide walks through what PECR is, how it sits alongside UK GDPR, and what the practical rules look like for live calls, automated calls, email, and SMS. It is written for sales and marketing leads who need to understand the regime well enough to set policy, not for lawyers drafting submissions.

What PECR is

PECR is the common short name for the Privacy and Electronic Communications (EC Directive) Regulations 2003. It is a UK statutory instrument (SI 2003/2426) that implements the EU ePrivacy Directive (2002/58/EC) into domestic law. It came into force on 11 December 2003 and has been amended several times since, most significantly in 2011 (cookies and breach notification), 2015 (the £500,000 monetary penalty cap was added that year for serious PECR breaches), and again post-Brexit when the UK pulled the relevant ePrivacy provisions into the domestic statute book.

The regulator is the Information Commissioner's Office (ICO). Its guidance lives at ico.org.uk, and the legal text itself is on legislation.gov.uk. It is worth bookmarking both. The ICO guide is readable; the SI itself is short by statute standards and the marketing-relevant parts are concentrated in regulations 19 to 24.

Quick history. The 2003 regulations replaced an earlier 1999 instrument. The 2011 amendments brought in the cookie consent banner regime everyone now recognises. The £500,000 maximum penalty appeared via the Privacy and Electronic Communications (Amendment) Regulations 2015. Post-Brexit, PECR remains in force as retained UK law and continues to operate alongside UK GDPR.

What PECR actually covers

PECR is a wider regulation than most marketers realise. It governs privacy in electronic communications generally, not just marketing. Its main areas are:

  • Live marketing calls to individuals and corporate subscribers (regulations 21 and 21A), including the TPS and CTPS regimes.
  • Automated marketing calls (regulation 19), meaning recorded-message calls placed by an automated dialling system.
  • Marketing by electronic mail (regulation 22), which covers email, SMS, MMS, in-app messages, and other electronic messaging to individual subscribers.
  • Marketing faxes (regulation 20). Niche now, but still on the books.
  • Cookies and similar technologies (regulation 6), covering the storage and access of information on a user's device.
  • Traffic and location data handled by communications providers, security of services, and personal data breach notification by telecoms operators.

For a sales or marketing team, the load-bearing parts are 19, 21, 21A, and 22. Regulation 6 (cookies) matters for the website but is normally owned by web and product teams. The rest is operationally relevant only to telecoms providers.

PECR and UK GDPR: overlapping but distinct

A common mistake is to treat PECR as the marketing chapter of UK GDPR. It is not. They are separate regimes with separate legal bases, separate enforcement powers, and separate fining limits. They frequently apply at the same time to the same activity, and you have to satisfy both.

Side by side:

  • What it governs. PECR: specific electronic marketing channels and electronic communications privacy. UK GDPR: processing of personal data generally.
  • Applies to. PECR: anyone marketing by call, email, SMS, automated call or fax, or setting cookies on UK users. UK GDPR: any controller or processor handling personal data.
  • Channel-level rules. PECR: yes (TPS, CTPS, soft opt-in, automated call consent). UK GDPR: no, it is principles based.
  • Maximum monetary penalty. PECR: £500,000. UK GDPR: £17.5m or 4% of global turnover, whichever is higher.
  • Lawful basis for marketing. PECR: consent or, for some email, the soft opt-in carve-out. UK GDPR: usually consent or legitimate interests, subject to the PECR gate.

The way to think about it in practice: PECR is the gate. If PECR says you cannot make this call or send this email, the UK GDPR conversation about legitimate interests does not save you. UK GDPR then governs everything you do with the underlying personal data: how you collected it, how long you keep it, how you respond to subject access requests, and so on.

Two regulators, one office. Both PECR and UK GDPR are enforced by the ICO. The ICO can issue a PECR fine and a UK GDPR fine for the same incident, drawing on the powers of each regime.

Live calls: TPS, CTPS, and why "soft opt-in" is mostly irrelevant here

Regulation 21 prohibits unsolicited live marketing calls to an individual subscriber who has registered on the Telephone Preference Service (TPS) or who has told you directly they do not want such calls. Regulation 21A, added in 2018, extends an equivalent prohibition to corporate subscribers via the Corporate Telephone Preference Service (CTPS).

In short:

  • You may not make a live, unsolicited marketing call to a TPS-registered individual or sole trader number unless that person has specifically told you they are happy to be called by your organisation.
  • You may not make a live, unsolicited marketing call to a CTPS-registered corporate number unless the same direct consent applies.
  • The duty is on the caller. "Our data supplier said it was fine" is not a defence.

Soft opt-in is a concept that sometimes appears in compliance training, but it lives in regulation 22 and applies only to electronic mail. It does not exist for live calls. For calls, the position is binary: the number is on TPS or CTPS and you have not got specific consent (do not call), or it is not registered (you may call, subject to your wider UK GDPR obligations and your own do-not-contact list).

Practical implication: any list of UK numbers your team uses for outbound dials needs to be screened against TPS and CTPS, and rescreened on a regular cadence, because consumers and businesses register every day. We have written a full operational guide in TPS compliance: the operator's guide, and the differences between the two registers are covered in TPS vs CTPS.

Two further points often missed on live calls. First, the prohibition bites on calls placed to a number that is on the register at the time of the call, regardless of when the data was acquired. A list bought clean two years ago is no longer clean today. Second, "marketing" is read broadly: a call that is framed as a satisfaction survey but which is structured to lead into a sales pitch will be treated as a marketing call. The ICO looks at substance, not the script header.

Email and SMS: consent or soft opt-in

Regulation 22 is the rule for marketing by electronic mail to individuals. The default is that you need the recipient's prior consent. UK GDPR consent applies, which means it must be specific, informed, freely given, and demonstrable. Pre-ticked boxes do not count. Bundling marketing consent into a terms-of-service acceptance does not count.

The narrow exception is the so-called soft opt-in. You can email or text an existing customer about your own similar products and services without fresh consent if all of the following are true:

  1. You obtained their contact details in the course of a sale or negotiations for a sale of a product or service.
  2. The marketing relates to your own similar products or services.
  3. You gave them a simple opportunity to refuse the marketing at the point you collected the details, and you give a simple opt-out in every subsequent message.

Each leg matters. "Negotiations for a sale" is not the same as "filled in a form to download a whitepaper". A genuine soft opt-in flows from a real commercial discussion. "Similar products" is read narrowly: a wealth management firm cannot soft-opt-in its existing clients into marketing for an unrelated affiliated business.

For B2B email to corporate subscribers (limited companies, LLPs, Scottish partnerships, government bodies), regulation 22 does not impose the same consent requirement. You still need a UK GDPR lawful basis (typically legitimate interests with proper balancing), and you still must offer an opt-out and honour it. Sole traders and unincorporated partnerships are treated as individuals, which trips up a lot of B2B teams.

SMS sits under the same regulation 22 rules as email. Voicemail drops delivered as recorded messages without a live call connecting are treated as automated calls, not as messages, and fall under regulation 19.

Automated calls: the strict tier

Regulation 19 covers calls placed by an automated calling system that plays a recorded message. The rule is strict: you may only make these calls to subscribers who have specifically consented to receive automated marketing calls from you. General consent to marketing is not enough. TPS or CTPS status is irrelevant; the consent requirement is absolute.

This is the area where ICO fines have been heaviest and most frequent. Patterns we see in published enforcement notices include:

  • Lead-generation forms with vague consent wording that does not mention automated calls or does not name the specific company actually placing them.
  • Long indirect consent chains, where consent was supposedly captured on a third-party site months earlier and resold via several brokers.
  • High call volumes from a small operator, often using cheap VoIP infrastructure.
  • Failure to identify the caller in the recorded message or provide a contact address, which is a separate regulation 24 breach on top of the consent problem.

If you operate any kind of recorded-message campaign, treat regulation 19 as a serious operational risk and not a paperwork exercise. Specific worked examples and live case write-ups are gathered in ICO PECR fines: patterns from recent cases.

How the ICO enforces PECR

The ICO has a layered toolkit under PECR. In ascending order of severity:

  • Information notices, requiring an organisation to provide information to the regulator.
  • Assessment notices, allowing on-site investigation.
  • Enforcement notices, ordering the organisation to stop the offending activity or take specific steps.
  • Monetary penalty notices, the formal fine.
  • Prosecution for the criminal offences inside PECR (these are rare).

The ICO also has powers to disqualify directors of companies that repeatedly breach PECR, used most often against small operators running automated call schemes who would otherwise dissolve and reincorporate.

Specific case names aside, the patterns in published enforcement decisions are consistent. The regulator looks at: total call or message volume, number of complaints received (often via the 7726 service for SMS or the TPS complaints process), evidence of consent (or absence of it), how long the activity continued after the company was put on notice, and the seriousness of any aggravating factors such as calls to vulnerable people. Cooperative behaviour and clear remediation usually reduce the penalty.

It is also worth understanding how cases reach the ICO in the first place. The TPS itself, operated under contract to the ICO, collects complaints from registered numbers and forwards patterns of likely breach to the regulator. Email and SMS complaints arrive through the public 7726 reporting service and direct submissions to the ICO website. Whistleblowing from former employees of the offending organisation is more common than people assume, particularly for operators that ran heavy automated call campaigns. Once a complaint threshold is reached, the ICO writes to the organisation seeking information; the response (or lack of it) often does more to shape the eventual penalty than the underlying breach.

The £500,000 cap, and why it sits separate from UK GDPR

The maximum monetary penalty the ICO can impose for a serious PECR breach is £500,000. This cap was introduced by the 2015 amendment regulations and has not been raised since. It is the ceiling for a single contravention, and the ICO has set fines at or near it on multiple occasions.

UK GDPR penalties run on a completely different ladder, capped at £17.5 million or 4% of worldwide annual turnover, whichever is higher. That is roughly thirty-five times the PECR maximum at the lower bound, and effectively unbounded at the upper.

Why has the £500,000 cap stuck? Two reasons. First, PECR is older legislation written before the GDPR-era expectation of revenue-linked fines. Second, raising it requires a fresh statutory instrument, and the policy direction in recent years has pointed at replacing PECR wholesale rather than amending the existing cap. Until that happens, the cap is the working ceiling for direct marketing penalties in the UK.

Don't get complacent about the cap. A £500,000 fine is still a serious financial event for most marketing operations, particularly when stacked with director disqualification, an enforcement notice that forces you to stop calling, and the reputational hit of a published decision. PECR is not a low-stakes regime just because the headline number is smaller than UK GDPR.

Practical compliance checklist

If you run sales or marketing operations into the UK, these are the controls worth having in place. Treat them as a baseline, not a ceiling.

Outbound calling

  1. Maintain a single outbound calling list per business unit. Avoid having dialler list, CRM list, and rented list drift apart.
  2. Screen the calling list against TPS and CTPS before each campaign and on a recurring schedule for evergreen lists. Daily for high-volume operations, weekly at minimum.
  3. Maintain your own internal do-not-call list. Treat any opt-out request, however informally expressed, as binding from the moment you receive it.
  4. Where you rely on direct consent that overrides TPS or CTPS, log the consent: where, when, what wording, and which specific business it was given to. Vague consent does not survive a complaint.
  5. Train agents to identify the caller, the company, and the purpose at the start of every call (regulation 24).

Email and SMS

  1. Decide for each list and each segment whether you are relying on consent or on the soft opt-in. Document the decision.
  2. For consent-based marketing, store a record of the consent action, the version of the wording shown, and the timestamp.
  3. For soft opt-in, check the three legs really hold (real sale or negotiation, similar products, opt-out at collection point and in every message).
  4. For B2B email to corporates, run a UK GDPR legitimate-interests assessment and keep it current. Treat sole traders and partnerships as individuals.
  5. Honour opt-outs in every channel, not just the one in which they were received. If a recipient unsubscribes from email, do not call them next week.

Automated calls

  1. Do not run them without specific, named consent. Generic marketing consent will not survive an ICO complaint.
  2. If consent was captured by a third party, audit the consent flow end to end. Who saw what wording, what companies were named, when.
  3. Identify yourself in the recorded message and provide a contact address.
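The three checklists above describe one decision that every outbound system has to make per contact and per channel: may we contact this record, and on what basis. The following is an added example for this guide (not TPSClear code, nor any ICO or TPS tool) that encodes those rules as a single screening function. It normalises numbers to E.164 so register lookups match however the CRM stored them, checks TPS and CTPS for live calls (regulations 21/21A), requires specific consent for automated calls regardless of register status (regulation 19), applies consent or soft opt-in for individuals and the corporate-subscriber carve-out for email and SMS (regulation 22), and makes any opt-out bind on every channel. The register entries, do-not-contact list, contact records and consent strings are constructed sample data, and "Acme Ltd" is a placeholder company name; a real deployment would take the registers from the licensed TPS/CTPS feeds and the consent records from the CRM.

```python
"""Per-channel contact screening modelled on the PECR rules in this guide.
Added example; not TPSClear code or any ICO/TPS tool. All data below is
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
import re


def normalise_uk(number: str) -> str:
    """Normalise a UK number to E.164 (+44...) so that register and
    do-not-contact lookups match however the CRM stored the digits."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+44"):
        national = digits[3:]
    elif digits.startswith("0044"):
        national = digits[4:]
    elif digits.startswith("0"):
        national = digits[1:]
    else:
        raise ValueError(f"not a recognisable UK number: {number!r}")
    return "+44" + national.lstrip("0")  # drops a retained "(0)" trunk prefix


@dataclass
class Contact:
    number: str
    email: str
    corporate: bool = False  # limited company, LLP etc.; sole traders stay False
    # Consent fields hold the provenance record (where, when, wording, which
    # business) or None. Consent you cannot evidence is treated as absent.
    call_consent: str | None = None             # direct permission overriding TPS/CTPS
    email_consent: str | None = None            # reg 22 consent for email and SMS
    automated_call_consent: str | None = None   # reg 19 consent naming this company
    soft_opt_in: bool = False                   # all three reg 22 legs verified
    opted_out_via: set[str] = field(default_factory=set)  # channels an opt-out came in on


@dataclass
class Suppression:
    tps: set[str]           # TPS register, E.164
    ctps: set[str]          # CTPS register, E.164
    internal_dnc: set[str]  # own do-not-contact list: E.164 numbers and lower-case emails


def screen(contact: Contact, channel: str, sup: Suppression) -> tuple[bool, str]:
    """Return (allowed, reason) for contacting this record on this channel."""
    # An opt-out received on any channel binds on every channel.
    if contact.opted_out_via:
        return False, f"opted out via {sorted(contact.opted_out_via)}; honoured in all channels"
    ident = contact.email.lower() if channel == "email" else normalise_uk(contact.number)
    if ident in sup.internal_dnc:
        return False, "on internal do-not-contact list"
    if channel == "automated_call":
        # Regulation 19: specific consent only; TPS/CTPS status does not matter.
        if contact.automated_call_consent:
            return True, f"reg 19 consent on file: {contact.automated_call_consent}"
        return False, "reg 19: no specific automated-call consent"
    if channel == "live_call":
        # Regulations 21/21A: screen against both registers on every run.
        on = [name for name, reg in (("TPS", sup.tps), ("CTPS", sup.ctps)) if ident in reg]
        if on and not contact.call_consent:
            return False, f"reg 21/21A: on {'/'.join(on)}, no direct consent to call"
        if on:
            return True, f"on {'/'.join(on)} but direct consent logged: {contact.call_consent}"
        return True, "not on TPS/CTPS; UK GDPR basis and own DNC still apply"
    if channel in ("email", "sms"):
        # Regulation 22: individuals need consent or a qualifying soft opt-in;
        # corporate subscribers need a UK GDPR basis plus an opt-out instead.
        if contact.corporate:
            return True, "corporate subscriber: reg 22 consent not required; LIA and opt-out needed"
        if contact.email_consent:
            return True, f"reg 22 consent on file: {contact.email_consent}"
        if contact.soft_opt_in:
            return True, "reg 22 soft opt-in documented (sale, similar products, opt-out)"
        return False, "reg 22: individual subscriber with no consent or soft opt-in"
    raise ValueError(f"unknown channel {channel!r}")


# Constructed sample data (Ofcom drama number ranges; "Acme Ltd" is a placeholder).
SUP = Suppression(
    tps={"+442079460000", "+447700900005"},
    ctps={"+441614960000"},
    internal_dnc={"+447700900002", "sam@example.com"},
)
CONTACTS = {
    "alice": Contact("020 7946 0000", "alice@example.com",
                     email_consent="signup form v4, 2024-02-11, Acme Ltd named"),
    "bob": Contact("+44 (0)7700 900002", "bob@example.com"),
    "carol": Contact("0161 496 0000", "carol@example.com", corporate=True,
                     call_consent="phone opt-in 2024-05-03, Acme Ltd named"),
    "dave": Contact("07700 900003", "dave@example.com", soft_opt_in=True),
    "erin": Contact("07700 900005", "erin@example.com",
                    automated_call_consent="web form 2024-01-09 naming Acme Ltd"),
    "frank": Contact("07700 900004", "frank@example.com",
                     email_consent="signup v4", opted_out_via={"email"}),
}


def screen_all(channel: str, contacts=CONTACTS, sup=SUP) -> dict[str, tuple[bool, str]]:
    """Screen every contact for one channel; the reason string is the audit trail."""
    return {name: screen(c, channel, sup) for name, c in contacts.items()}


if __name__ == "__main__":
    for channel in ("live_call", "automated_call", "email", "sms"):
        print(f"== {channel}")
        for name, (ok, why) in screen_all(channel).items():
            print(f"  {name:6} {'ALLOW' if ok else 'BLOCK'} {why}")
```

Two points the sample data is chosen to show. Erin is on TPS yet may receive an automated call because she gave specific regulation 19 consent, while a live call to her is blocked because that consent is a different thing from direct permission to call; the two consents are stored separately for that reason. Frank unsubscribed from email only, and the function blocks him on every channel, which is the cross-channel rule from the email and SMS checklist. The reason string returned with each decision is what you keep, because a complaint is answered with the record of why the contact was permitted, not with the fact that the dialler allowed it.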

Tooling and integrations

Most teams operate across a CRM, a dialler, and one or more marketing platforms. The compliance picture only holds together if those systems share the same do-not-contact state. TPSClear is built to do the call-side screening directly inside your CRM, with native integrations (HubSpot live; Salesforce, Dynamics 365, Pipedrive, Zoho, and Capsule in build) and a REST API for everything else. If you are wiring this into your stack, the CRM integrations page and the developer documentation are the right starting points.

And if you are wondering what to do when a customer who has explicitly asked to hear from you turns up on TPS, the answer is in Calling a TPS-registered number with consent.

Bottom line

PECR is short, specific, and enforced. UK marketing teams that get into trouble almost always do so under PECR rather than UK GDPR, and the trouble almost always traces back to one of three things: not screening calls against TPS or CTPS, relying on a soft opt-in that does not actually qualify, or running automated calls on consent that will not stand up. Get those three right, document the decisions, and most of the regulatory risk falls away.