ARTICLE
4 July 2025

PECR Reform: Rules Relating To Electronic Marketing And Cookies In The UK

Mayer Brown


On 19 June 2025 the Data (Use and Access) Act (the "DUA Act") received Royal Assent and became law in the UK, having been passed by the UK Parliament on 11 June 2025. The DUA Act principally reforms the General Data Protection Regulation in the UK (the "UK GDPR") and the Privacy and Electronic Communications Regulations 2003 ("PECR"). This article focuses on the changes that the DUA Act makes to PECR, the laws in the UK that govern the use of cookies and other online tracking technologies, as well as the rules on electronic marketing communications. See our article on the changes the DUA Act makes to UK GDPR.

Increased Fines

  • The DUA Act increases the maximum fine under PECR to bring it in line with the UK GDPR.
  • The maximum fine is raised from £500,000 to £17.5 million or 4% of annual global turnover.
  • This is significant as it signals that the ICO is taking PECR compliance seriously and echoes the ICO's statement earlier this year outlining its intent to clamp down on cookie non-compliance.

Simplification of Cookie Requirements

  • The DUA Act removes the requirement to obtain user consent for certain non-essential cookies, including those used for collecting statistical data to improve services or websites; enhancing website appearance or performance; and emergency assistance.
  • The DUA Act also includes a list of purposes for using cookies and similar tracking technologies which can be considered strictly necessary and so do not require consent, such as security and fraud detection.
  • Importantly, the EU has not relaxed its cookies rules and businesses operating subject to the UK and the EU rules need to comply with both regimes.

Breach Notification Timeframe

  • The DUA Act amends the timeframe to notify the ICO of a personal data breach under PECR from "without undue delay" to within 72 hours of becoming aware of the breach.
  • A personal data breach under PECR differs from a personal data breach under the UK GDPR. Under PECR, a personal data breach takes place whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation in connection with the provision of a public electronic communications service. There is no threshold for how serious the breach must be – all breaches must be notified.
  • This amendment aligns the timeframe to notify the ICO of a personal data breach under PECR with the timeframe under the UK GDPR.

Addition of the Definition of Direct Marketing

  • The legal definition of direct marketing which is found in the Data Protection Act 2018 - "the communication (by whatever means) of advertising or marketing material which is directed to particular individuals" - has been added to PECR and the UK GDPR.
  • The addition of this definition creates consistency across key data protection legislation.
  • The UK government had initially considered extending the PECR requirements to cover business-to-business (B2B) marketing, but has ultimately not implemented that proposal. This decision was influenced by concerns from businesses about the potential negative impact on the economy and marketing practices, as well as the potential for increased compliance burdens.

Comment

The DUA Act refines and clarifies PECR to bring it in line with other data protection legislation within the UK. The most significant changes relate to the easing of requirements related to cookies and other tracking technologies, and the notable increase in the maximum fines under PECR. Following the enactment of the DUA Act, businesses should review their cookies policies to ensure compliance with cookies law.
