If you have customers or website visitors in the UK, you already know that you need to comply with the UK’s General Data Protection Regulation (GDPR). But how much do you know about the Privacy and Electronic Communications Regulations (PECR)?
PECR complement the UK GDPR and Data Protection Act (DPA) to govern cookie compliance, digital advertising activities, and other data privacy considerations.
In 2025, the Information Commissioner’s Office (ICO) introduced new PECR guidance that marketers need to be aware of. This article explains what PECR cover, how they intersect with the UK GDPR, what the new guidance clarifies, and tips for achieving compliance with UK data privacy regulations.
At a Glance
- PECR complement the UK GDPR by regulating cookies and any technology that stores or accesses information on a user’s device.
- The ICO’s 2025 guidance broadened the practical focus from “cookies” to all storage and access tech, including pixels, fingerprinting, web storage, and tag-based scripts.
- Valid consent must be freely given, specific, informed, and unambiguous, with no implied consent or pre-ticked options.
- The “strictly necessary” exception is narrow: analytics, A/B testing, personalization, and advertising tracking almost always need opt-in consent.
- To achieve PECR compliance, you must block non-essential tags until consent is given, make it easy for users to update choices, and keep audit-ready consent logs.
What Are PECR and How Do They Relate to the UK GDPR?
The Privacy and Electronic Communications Regulations (PECR) are UK laws that came into effect in 2003. These regulations, which were derived from the EU’s ePrivacy Directive, protect consumer privacy, particularly around digital marketing and cookie storage.
PECR require businesses to provide transparent information around the use of cookies and obtain consent before deploying tracking technologies. These regulations also include rules around unsolicited marketing messages, like cold emails and SMS messages.
The UK GDPR, on the other hand, governs the processing of personal data more broadly. Its rules concern:
- Lawful bases for processing
- Transparency
- Accountability
- Data subject rights
- Data Protection Impact Assessments (DPIAs)
- Data security
The UK GDPR doesn’t specifically regulate cookies; that’s the role of PECR. And while PECR govern when you need to collect valid consent from consumers, the UK GDPR defines what that valid consent looks like.
Both PECR and UK GDPR enforcement come from the UK Information Commissioner’s Office (ICO), the country’s data protection authority.
Key PECR Compliance Requirements and Considerations
PECR compliance centers on transparency, valid consent, and user choice around non-essential cookies and similar tracking technologies. Pay attention to the following requirements.
Clear Information
Before setting non-essential cookies, you must provide clear and comprehensive information about which tracking technologies you use, what they do, how long they remain active, and which third parties you share the collected data with.
Valid Consent
You need to collect valid consent from consumers before deploying tracking technologies. Under UK GDPR rules, this consent must be freely given, specific, informed, and unambiguous. This means consent can’t be implied from a lack of action or continued browsing.
No Pre-ticked Boxes
Pre-ticked boxes don’t constitute valid consent because the user hasn’t taken a positive action. Avoid using pre-enabled toggles, auto-selected categories, and any default “on” settings for analytics or advertising cookies.
Granular Control
Users should be able to choose among different types of cookies when giving or denying consent. This means providing granular consent choices for analytics, advertising, functional, and personalization cookies. A single ‘Accept All’ option is unlikely to meet PECR requirements.
No Cookie Walls
A cookie wall forces users to accept cookies in order to access a service. The ICO’s position is that this generally undermines the “freely given” requirement under the UK GDPR, so if users can’t realistically refuse cookies without losing access, consent probably isn’t valid.
Note that while PECR don’t specify how long you can use any storage and access technologies for, you should consider the appropriate duration relative to what you’re using the tracking technologies for and why.
PECR Compliance for 2026: What Businesses Should Understand
In 2025, the ICO provided new PECR guidance that moved away from the language of “cookies” to encompass all storage and access technologies.
The ICO then updated this draft guidance again later in 2025 to reflect PECR changes introduced by the UK’s Data (Use and Access) Act. This update added a more structured approach to exceptions and tightened consent expectations.
While the 2025 guidance didn’t fundamentally change any PECR requirements, it clarified how businesses should approach the use of tracking technologies, collect consent, and consider exceptions.
Broader Scope
As mentioned above, the ICO’s updated PECR guidance deliberately shifts the framing from cookies to storage and access technologies. This includes pixels, fingerprinting, web storage, link decoration, and SDK-like scripts and tags.
In practice, this means you need to pay attention to more than just cookie use. That includes your use of Google Ads or Meta conversion pixels, the tracking technologies you use for retargeting ads, personalization scripts, and A/B testing frameworks.
If a script drops an identifier or stores data in a browser or device environment, you’re required to comply with PECR.
PECR compliance tip: Audit your storage and access technologies to assess whether you have the right consent mechanisms in place. If something stores or accesses information on a user’s device, treat it as in scope under PECR, regardless of whether or not it’s technically a cookie.
Analytics Cookies
The 2025 updates state that analytics cookies typically require consent, and that using privacy-friendly or low-impact analytics tracking technologies doesn’t remove PECR compliance obligations.
PECR’s strictly necessary exception is narrow, and it applies only where storage or access is essential to provide a service explicitly requested by the user.
So while analytics that measure performance are valuable for your business, they aren’t actually essential for delivering the page the user requested.
PECR compliance tip: Assume all analytics tracking technologies require consent, and avoid relying on low-risk or first-party arguments. If analytics cookies fire before consent is given, fix your configuration. Don’t try to defend the practice later.
Consent and User Control
The ICO’s updated guidelines focus less on whether you have a consent banner and more on whether the consent experience is up to par. At a minimum, your banner should:
- Block non-essential tags until the user has given consent
- Offer “Accept” and “Reject” options with equal visual prominence and accessibility
- Avoid the use of pre-ticked boxes or toggles
- Provide category-level controls
- Clearly link to detailed information
- Record timestamp, categories accepted, and user signal (with any updates)
- Make it easy for users to revisit and change settings whenever they want
Remember, there’s no such thing as implied consent under PECR guidelines, and there’s no valid reason to pre-enable tracking technologies that require user consent.
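The banner requirements above can be expressed as a small consent gate. This is an added example, not code from the ICO or from any CMP vendor; the `ConsentGate` class, its method names, and the category labels are assumptions for illustration.

```javascript
// Added example: consent-gated tag loading with an audit log.
// ConsentGate and the category names are hypothetical, not a real CMP API.
const NON_ESSENTIAL = ["analytics", "advertising", "functional", "personalization"];

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    // Every non-essential category starts off: no pre-ticked toggles.
    this.state = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.pending = []; // tags waiting for an opt-in
    this.loaded = [];  // names of tags that have actually run
    this.log = [];     // append-only consent records for audits
  }

  // Register a tag. "strictly-necessary" runs at once; anything else waits
  // until its category has been switched on by the user.
  register(name, category, load) {
    if (category !== "strictly-necessary" && !(category in this.state)) {
      throw new Error(`unknown category: ${category}`);
    }
    const tag = { name, category, load };
    if (category === "strictly-necessary" || this.state[category]) this.run(tag);
    else this.pending.push(tag);
  }

  run(tag) {
    tag.load();
    this.loaded.push(tag.name);
  }

  // Record an explicit user signal ("accept", "reject" or "custom") and
  // release only tags in categories set to boolean true. Anything else,
  // including a missing key, counts as no consent.
  setConsent(signal, choices) {
    for (const c of NON_ESSENTIAL) this.state[c] = choices[c] === true;
    const accepted = NON_ESSENTIAL.filter((c) => this.state[c]);
    this.log.push({ timestamp: this.now(), signal, accepted });
    const ready = this.pending.filter((t) => this.state[t.category]);
    this.pending = this.pending.filter((t) => !this.state[t.category]);
    ready.forEach((t) => this.run(t));
    return accepted;
  }
}
```

A later `setConsent("reject", {})` stops further tags from loading but cannot undo a script that has already run, so withdrawal handling in a real page also needs to clear what that script stored.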
PECR compliance tip: Test your banner like a regulator would. Check that no non-essential scripts fire before consent is given, compare the visual prominence of “Accept” and “Reject” options, and verify that toggles are off by default. Then, reject all tracking technologies like a user would and confirm that nothing loads.
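The test described in this tip can be automated over a capture of what the page did during a visit. The following is an added example, not part of the ICO guidance or any vendor tooling; the event shape, the `.example` hosts, and the host-to-category inventory are constructed assumptions that you would replace with your own audit data.

```javascript
// Added example: check a captured browsing session against consent events.
// Inventory and capture are constructed sample data, not real measurements.
const TAG_CATEGORIES = new Map([
  ["shop.example", "strictly-necessary"],
  ["analytics.example", "analytics"],
  ["ads.example", "advertising"],
]);

// Walk events in time order, tracking which categories are opted in at each
// moment. Any request or storage write from a non-essential host outside an
// accepted category is a finding; hosts missing from the inventory are
// flagged too, so they get classified rather than ignored.
function auditCapture(events, categories) {
  const accepted = new Set();
  const findings = [];
  const ordered = [...events].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    if (ev.kind === "consent") {
      accepted.clear(); // the latest signal replaces the previous one
      ev.accepted.forEach((c) => accepted.add(c));
      continue;
    }
    const category = categories.get(ev.host) ?? "unclassified";
    if (category === "strictly-necessary" || accepted.has(category)) continue;
    findings.push({ t: ev.t, host: ev.host, kind: ev.kind, category });
  }
  return findings;
}

// Constructed capture: t is milliseconds since page load.
const SAMPLE_CAPTURE = [
  { t: 0, kind: "request", host: "shop.example" },
  { t: 120, kind: "request", host: "analytics.example" },       // before any consent
  { t: 900, kind: "consent", accepted: ["analytics"] },
  { t: 950, kind: "cookie-set", host: "analytics.example" },    // allowed
  { t: 960, kind: "request", host: "ads.example" },             // category not accepted
  { t: 2000, kind: "consent", accepted: [] },                   // user rejects all
  { t: 2100, kind: "storage-write", host: "analytics.example" }, // after withdrawal
  { t: 2200, kind: "request", host: "cdn.unknown.example" },    // not in inventory
];

console.log(auditCapture(SAMPLE_CAPTURE, TAG_CATEGORIES));
```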
Exceptions
PECR provide a narrow consent exception for cookies that are strictly necessary for providing a service that the user explicitly requested. This includes cookies that control:
- Shopping cart functionality
- Login and session management
- Security and fraud prevention
These exceptions don’t cover A/B testing cookies, analytics cookies, or tracking technologies used for online advertising or content personalization. Though they may feel essential to your business, they aren’t essential to the user’s experience.
But even where this exception applies under PECR, UK GDPR rules remain in effect as long as personal data is processed. That means transparency and other data protection obligations remain.
PECR compliance tip: Ask yourself whether the service would fail in a fundamental way if the tracking technology were removed. If the answer is “it would be less optimized” or “we wouldn’t get accurate insights,” it’s unlikely to be strictly necessary, and you need to collect consent.
ICO PECR Compliance Checklist
You need to be able to demonstrate that your approach to consent management reflects how the ICO interprets and enforces PECR today.
Use the cookie compliance checklist below as a practical baseline. If you can’t confidently tick every item, you should revisit your compliance strategy and fill in the gaps.
Run a “storage and access” audit
This audit should go beyond basic cookies to include tag manager containers, embedded third-party scripts, and marketing automation tooling. Treat this as a recurring control.
Review and document your “strictly necessary” classifications
Identify each technology categorized as strictly necessary and confirm that this list is limited to what’s essential for a user-requested service. If it’s not, be sure to collect consent before deploying.
Analyze and adjust your banner to meet UK consent standards
If your banner relies on implied consent or nudges users toward acceptance through design imbalance, it introduces enforcement risk.
Proactively enforce consent choices with a CMP
A consent management platform (CMP) with geolocation features can apply the correct banner configuration for UK visitors. It can also control tag execution based on the user’s choice.
Confirm that non-essential scripts run only after consent is given
Test your technical configuration to make sure all non-essential scripts are locked by default. A CMP can do this automatically.
Log consent for potential audits
Under UK GDPR accountability principles, you must be able to demonstrate valid consent. If you’re subject to an ICO audit, being able to produce structured consent logs reduces your risk of fines and penalties.
How Usercentrics Helps Teams Operationalize PECR-Aligned Consent
Once you have your updated PECR compliance strategy in place, you need a tool that will help you implement it. That’s where Usercentrics comes in.
With the Usercentrics CMP, you can design a cookie banner that meets PECR guidelines. Geolocation features display the correct banner whenever a visitor from the UK lands on your site. The software automatically blocks tracking technologies before consent is given to support your compliance with UK data privacy laws.
You can also customize your banner to create granular controls that reflect the specific tracking technologies your site uses. All consent choices are documented and recorded so you can access them in the event of an audit.
Most importantly, Usercentrics also automatically updates features and tools to reflect the most recent privacy guidelines and regulations, from PECR and UK GDPR to the EU GDPR and beyond.
As the ICO continues to refine PECR guidance and enforcement priorities, organizations that treat compliance and consent management as an ongoing, evolving system will be better positioned to respond.