PECR

Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)

Key Facts

Effective Date: December 11, 2003
Enacted: December 11, 2003
Enforcing Authority: Information Commissioner's Office (ICO)
Consent Model: Opt-in
Applies To: Any entity storing or accessing information on terminal equipment of UK users

Overview

PECR (Privacy and Electronic Communications Regulations) is the UK's cookie-specific law. Regulation 6 directly governs cookies, requiring consent before storing or accessing information on users' devices. The Data Use and Access Act (DUAA) 2025 significantly strengthened PECR by increasing maximum penalties and introducing new analytics exceptions.

What This Means for Your Website

  • Consent is required before storing or accessing any non-essential cookies on UK visitors' devices
  • Only "strictly necessary" cookies are exempt — the exemption is narrowly defined
  • Pre-ticked or implied consent is invalid
  • Cookie-or-pay models cannot force tracking consent
  • The DUAA 2025 introduced analytics exceptions on an opt-out basis (details in upcoming ICO guidance)
  • Maximum penalties increased from GBP 500,000 to GBP 17.5 million or 4% of global turnover

Key Requirements

The ICO enforces PECR with penalties now aligned to UK GDPR levels since the DUAA 2025 — up to GBP 17.5 million or 4% of global turnover. The new analytics exceptions allow certain analytics on an opt-out rather than opt-in basis, though ICO guidance clarifying the scope is expected in Spring 2026. The strictly necessary exemption remains narrow.

How ConsentStack Handles This

ConsentStack presents UK visitors with a PECR-compliant consent banner that blocks all non-essential cookies until explicit consent is given. The platform will adapt to the new analytics exceptions as ICO guidance is published.

Penalties

Since DUAA 2025: Up to GBP 17.5 million or 4% of global turnover (previously capped at GBP 500,000).

Maximum Fine: £17,500,000 aggregate
Revenue-based: 4% of annual revenue

Key Requirements

  • Consent before storing or accessing cookies
  • Strictly necessary exemption only
  • Pre-ticked and implied consent invalid
  • Cookie-or-pay models cannot force tracking consent

Notable Provisions

  • DUAA 2025 increased penalties from GBP 500,000 to GBP 17.5 million
  • New analytics exceptions on opt-out basis
  • ICO updated guidance expected Spring 2026

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.

UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

SI 336/2011 (Ireland)
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.

Frequently Asked Questions

What changed in PECR with DUAA 2025?

Maximum penalties increased from GBP 500,000 to GBP 17.5 million or 4% of global turnover. New analytics exceptions were introduced on an opt-out basis. The substantial damage/distress threshold was removed.

Does PECR require cookie consent?

Yes. Regulation 6 of PECR requires consent before storing or accessing cookies on UK users' devices. Only strictly necessary cookies are exempt.

What are the PECR penalties?

Since DUAA 2025, up to GBP 17.5 million or 4% of global turnover — aligned with UK GDPR penalty levels.

Will PECR analytics rules change?

The DUAA 2025 introduced analytics exceptions on an opt-out basis. ICO guidance clarifying the scope is expected in Spring 2026. ConsentStack will adapt accordingly.
