Penalties for breaching direct marketing regulations set to increase
It has been six years since the last update to the Privacy and Electronic Communications Regulations (‘PECR’) in the UK, and they still govern how marketing emails should be managed. On 19 June 2025 the Data (Use and Access) Act 2025 (‘DUAA’) received Royal Assent after much deliberation between the Houses. Tucked within it are some important changes to the PECR regime, the headline change being the increase in the penalties that can be applied.
What happens if you get it wrong?
Previously, the ICO was able to impose a fine of up to £500,000 on an organisation or its directors for breaches of PECR, in addition to potential criminal prosecution, non-criminal enforcement, and audit requirements.
Under DUAA the potential fines for breach of PECR now align with those for data breaches under UK GDPR: the maximum penalty rises to £17,500,000 or 4% of the undertaking's total worldwide turnover for the most serious of offences.
What is PECR?
PECR was introduced in the UK in 2003 pursuant to the EU’s e-Privacy Directive 2002. The laws were implemented to help protect individuals from spurious communications and data tracking by businesses and the potential misuse of their data – effectively sitting alongside data protection laws. PECR has had several updates since it was originally enacted, including a 2018 prohibition on cold-calling from claims management companies and a 2019 restriction on cold-calling of pension schemes.
One of the key privacy measures introduced was a restriction on the ability of businesses to send direct marketing to an individual unless they have the individual’s consent or can rely on the ‘soft opt-in’ (explained below).
‘Direct marketing’ is defined under Data Protection Act 2018 as ‘the communication (by whatever means) of advertising or marketing material which is directed to particular individuals’.
Who is an ‘individual’?
Whilst there is a general exemption on direct marketing to businesses, it is important to note that the term ‘individuals’ includes sole traders, unincorporated partnerships, and other unincorporated bodies. So, it is important to check the legal status of each contact to whom you intend to send direct marketing. The law stems from the distinction between B2B and B2C protections, with sole traders and unincorporated partnerships not having a corporate entity as a layer of protection.
The key is to understand who subscribed to the email domain – the individual concerned or their business. Whilst markhughes@oconnors.law contains personal data (i.e. it identifies the individual as Mark Hughes), the subscriber is his law firm (i.e. O’Connors) that owns the domain @oconnors.law. The individual will still have the usual rights under UK GDPR (including opting out of future communications) but PECR permits direct marketing to him because it amounts to a B2B communication. The only grey area under PECR is if a contact uses a generic email account for business purposes (e.g. a Gmail address). In these circumstances, the best advice is to treat such a contact as an individual for PECR purposes.
Even if relying on the general B2B exemption, you must still give the contact a valid option to opt out of any future communications. Also note that separate rules apply to marketing calls.
The five-step ‘soft opt-in’ test for individuals
Where consent has not been obtained for marketing to individuals, it may still be possible to market directly to them if you meet all of the following criteria:
- You obtained the contact’s details; and
- You obtained them during a sale or negotiation of a sale of a product or service; and
- You are marketing similar products and services to them; and
- You provided an opportunity for them to refuse or opt out when you collected their details; and
- You give them an opportunity to refuse or opt out in every subsequent communication.
Keeping a record of consents, opt-ins and opt-outs may seem an onerous task, but this audit trail will help your business justify its actions later; the regulators always prefer consent.
What is coming down the track?
It is important to note that PECR does not just cover marketing communications; it also covers the use of cookies and similar tracking technologies (e.g. tracking pixels), the security of public communications services, and communication network standards, all of which are constantly evolving areas. Keeping up with these changes will become increasingly important, as will ensuring that your corresponding privacy policies, terms of use, and cookie policies are all aligned.
As elements of the DUAA come into force, not only will they increase the ICO’s investigative abilities and the fines it can impose, but they will also build on provisions on the use of cookies, data storage, and tracking pixels on a consumer’s journey.
Given that PECR is a piece of UK legislation, it was not affected by Brexit. Whilst our laws are still largely aligned with those in the EEA, a new e-Privacy regulation is imminent within the EU, which may lead to further divergence between the principles and practices operating in the UK and the EU, and businesses will need to be alive to this.
For further information, please email Mark Hughes or Philip Bowers or call 0151 906 1000.