What are the Privacy and Electronic Communications Regulations?


The Privacy and Electronic Communications Regulations (PECR) are UK regulations that govern how organisations send electronic marketing messages (email, SMS, calls and fax), how they use cookies and similar technologies, and, for providers of public electronic communications services, how they secure their services and handle customer traffic and location data.

PECR sits alongside the UK GDPR and the Data Protection Act 2018 to protect people’s privacy. It applies to:

  • SMS, MMS, email, phone call, and fax marketing
  • Cookies and similar tracking technologies
  • Security of public electronic communications services
  • Customer privacy (traffic data, location data, itemised billing, and directories)

The marketing and cookie rules apply to any organisation that sends electronic marketing to, or runs a website used by, people in the UK. The security and customer privacy rules apply specifically to providers of public electronic communications services such as telecoms operators and ISPs.

PECR compliance requirements

If your brand is sending marketing messages to UK-based recipients, you’ll need to comply with PECR by:

Obtaining consent

PECR requires consent before you send marketing emails or texts to individual subscribers (for example, consumers using a personal email address). There are several ways to obtain and evidence that consent:

  • Sign-up forms on your website, with marketing consent as a separate, unticked choice rather than bundled into terms and conditions
  • Consent provided via email, support chat, or another written channel, which will need to be saved as time-stamped documentation

One exception is the “soft opt-in”: if you obtained someone’s details during a sale or negotiations for a sale, you may market similar products or services of your own to them without prior consent, provided you gave them a clear chance to refuse when you collected their details and you give them one in every message. Marketing to corporate subscribers (for example, a company’s generic address) does not require consent under PECR, but you must still identify yourself and honour opt-outs.

It’s also a best practice to confirm subscription to any list with a double opt-in, which is an automated message sent after someone subscribes to a list. If they subscribe via email, they can click on a link to confirm their subscription; if they subscribe to SMS, they can confirm with a keyword reply. Double opt-in is not a PECR requirement in itself, but it gives you proof that the person who controls the address or number actually asked for the messages, and it stops people from signing up others without their knowledge.

Note: Brands must obtain separate consent for each marketing channel. Just because someone subscribed to your email list, for example, doesn’t mean they agreed to receive text messages.

Clearly identifying yourself as the message sender

PECR prohibits disguising or concealing who a marketing message is from, and every message must include a valid address the recipient can use to ask you to stop. Clearly identify your business as the sender in all your marketing messages by including:

  • Your brand name, plus contact details such as a phone number, email address, and business address
  • A link to your website where people can view contact information
  • A recognisable sender ID for SMS, together with a way to opt out (a sender ID on its own is not enough, because it does not give the recipient a valid address to reply to)

Adding an unsubscribe option to all communication

Every email you send should include a link to unsubscribe, normally indicated at the bottom of the email. Every text message you send needs to include an opt-out keyword to give subscribers the option to stop receiving SMS. 

Once someone unsubscribes, stop sending them marketing messages. PECR does not set a fixed deadline, but the ICO expects opt-outs to be actioned promptly and without charge (the often-quoted “10 business days” is the US CAN-SPAM rule, not UK law). Most email and SMS providers require opt-outs to be honoured immediately, and a suppression list is the usual way to make sure a withdrawn contact is never selected for a send again.
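The consent and opt-out handling described in the two sections above, as an added example that is not part of the original article and not Klaviyo’s code: a double opt-in token that is signed and expiring, so a confirmation link cannot be forged or reused after the person unsubscribes; consent stored per contact and per channel, so an email sign-up never implies SMS consent; the source and timestamps of each consent kept as evidence; and STOP keyword handling that withdraws consent immediately. The signing key, the 48-hour token lifetime, the “YES”/“STOP” keywords, and the sample contacts are assumptions made for this example.

```python
"""Double opt-in and per-channel consent logging (added example, not Klaviyo's code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple

# Assumption: in production this key comes from a secret store, never from source code.
SIGNING_KEY = b"example-only-signing-key-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime for a confirmation link


def make_confirm_token(contact: str, channel: str, issued_at: int,
                       key: bytes = SIGNING_KEY, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build a signed, expiring token bound to one contact and one channel."""
    payload = json.dumps({"c": contact, "ch": channel, "exp": issued_at + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_confirm_token(token: str, now: int, key: bytes = SIGNING_KEY) -> Optional[Tuple[str, str]]:
    """Return (contact, channel) if the token is authentic and unexpired, else None."""
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # malformed base64 or missing separator
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time check; forged links stop here
        return None
    data = json.loads(payload)
    if now > data["exp"]:
        return None
    return data["c"], data["ch"]


@dataclass
class ConsentRecord:
    """One consent per (contact, channel): this is the evidence you keep for the ICO."""
    contact: str
    channel: str                       # "email" or "sms"; consent is never shared across channels
    source: str                        # how it was requested, e.g. "web signup form"
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None
    evidence: str = ""                 # what confirmed it: link fingerprint or keyword reply


class ConsentStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def request(self, contact: str, channel: str, source: str, now: int) -> str:
        """Record a pending (unconfirmed) consent and return the token to send out."""
        self._records[(contact, channel)] = ConsentRecord(contact, channel, source, now)
        return make_confirm_token(contact, channel, now)

    def confirm_by_token(self, token: str, now: int) -> bool:
        parsed = verify_confirm_token(token, now)
        if parsed is None:
            return False
        rec = self._records.get(parsed)
        if rec is None or rec.withdrawn_at is not None:  # a stale link must not revive consent
            return False
        if rec.confirmed_at is None:  # re-clicking a valid link is harmless
            rec.confirmed_at = now
            rec.evidence = "confirmation link " + hashlib.sha256(token.encode()).hexdigest()[:16]
        return True

    def handle_sms_reply(self, contact: str, reply: str, now: int) -> bool:
        """YES confirms a pending SMS consent; STOP withdraws it at once."""
        word = reply.strip().upper()
        if word == "STOP":
            self.withdraw(contact, "sms", now)
            return True
        if word == "YES":
            rec = self._records.get((contact, "sms"))
            if rec is None or rec.withdrawn_at is not None:
                return False
            if rec.confirmed_at is None:
                rec.confirmed_at = now
                rec.evidence = f"keyword reply {reply.strip()!r}"
            return True
        return False

    def withdraw(self, contact: str, channel: str, now: int) -> None:
        """Suppress a contact for a channel; unknown contacts get a suppression-only record."""
        rec = self._records.get((contact, channel))
        if rec is None:
            rec = ConsentRecord(contact, channel, "opt-out only", now)
            self._records[(contact, channel)] = rec
        if rec.withdrawn_at is None:
            rec.withdrawn_at = now

    def can_send(self, contact: str, channel: str) -> bool:
        """Only confirmed, not-withdrawn consent for this exact channel permits a send."""
        rec = self._records.get((contact, channel))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def record(self, contact: str, channel: str) -> Optional[dict]:
        rec = self._records.get((contact, channel))
        return asdict(rec) if rec else None
```

The token carries no database state, so the confirmation endpoint can verify it without a lookup first, and `can_send` is the single gate every send job should pass through; if the suppression check lives anywhere else, an unsubscribe will eventually be missed.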

Protecting customer data with adequate security measures

To comply with regulations, you’ll need to protect your subscribers’ data, including their name, address, contact details, and purchasing history. This means storing the data securely, restricting who can access it, and only using it for the purpose stated when obtaining consent. 

PECR’s own security and breach-notification duties (including notifying the ICO within 24 hours) apply to providers of public electronic communications services. Other organisations are covered by the UK GDPR instead: if a breach is likely to put people at risk, you must notify the ICO within 72 hours of becoming aware of it, and if the risk to the affected individuals is high, you must also tell them without undue delay.

Informing website visitors about cookies and similar tracking technologies

If your website uses cookies or similar tracking technologies, you’ll need to tell visitors what they are for and obtain consent before placing them on visitors’ devices. The only cookies exempt from consent are those strictly necessary for a service the visitor has asked for, such as a session cookie that keeps a shopping basket together; analytics and advertising cookies are not exempt. You can obtain consent with a cookie banner or pop-up that clearly explains the types of cookies you use and lets users accept or reject them. Rejecting should be as easy as accepting, and non-essential cookies must not be set until the visitor has accepted.

Penalties for non-compliance

The ICO enforces PECR and can issue fines of up to £500,000 for serious breaches, such as failing to obtain consent or sending unsolicited marketing messages. 

Other consequences of non-compliance include:

  • Enforcement notices: The ICO can issue an enforcement notice requiring you to stop sending marketing messages or using cookies without consent.
  • Criminal prosecution: Failing to comply with an ICO enforcement notice is a criminal offence, so the ICO can prosecute you if you ignore one. 
  • Compensation claims: Customers also have the right to take legal action against your business if they believe you misused their data or breached their privacy.
  • Audits and investigations: The ICO may conduct audits and investigations to ensure PECR compliance and may take enforcement action if they find any violations.

How to stay compliant with PECR

  1. Update your privacy policy to include information on handling customer data, using cookies, and processing opt-outs. Review this policy every year or when there is a security event or change in company policy that would necessitate a change—whichever comes first. 
  2. Keep a record of consent, including when and how it was obtained.
  3. Inform your staff about PECR compliance and best practices for handling customer data.
  4. Seek legal advice if you need clarification on your PECR obligations or have experienced a data breach.
  5. Conduct regular audits to identify any potential non-compliance issues and address them promptly.

A marketing automation platform like Klaviyo can help you stay compliant with PECR. Sign up for Klaviyo to obtain and manage consent with sign-up forms, double opt-in messages, and secure, centralized customer data.

Additional resources