S.I. 2003 / 2426
In force · 11 December 2003
Implements Directive 2002 / 58 / EC

The Privacy & Electronic Communications Regulations.

PECR governs how organisations may contact people electronically (calls, faxes, email, SMS) and how they may store information on a person's device. It rides alongside UK GDPR rather than replacing it: when both apply, both must be satisfied. This is the original 2003 instrument, with the rules that have since become the daily fabric of British compliance.

36 · Operative regulations across nine subject groups
02 · Schedules: enforcement modifications & transitions
05 · Marketing channels with distinct rules: calls, faxes, automated calls, email & SMS
2002/58/EC · Parent EU ePrivacy Directive transposed into UK law

§ 01 · The Architecture

Five pillars hold up the regime.

PECR's thirty-six regulations cluster into five concerns: secrecy of the network, the things you can do to a person's terminal, the rules of engagement for marketing, the privacy of voice telephony, and the listing of subscribers. The marketing rules are what most businesses meet in practice; the others quietly govern the infrastructure they depend on.

01 · Confidentiality & security · Of services, networks & the data that flows over them · Regs 5–8
02 · Storage & access on a device · The cookie rule & everything like a cookie · Reg 6
03 · Voice telephony privacy · CLI, malicious calls, emergencies, forwarding · Regs 9–17
04 · Subscriber directories · Inclusion only with informed consent · Reg 18
05 · Direct marketing · Calls, faxes, automated calls, email, SMS · Regs 19–26

§ 02 · Regulations 19–22

The marketing matrix.

PECR doesn't prescribe a single rule for marketing. It prescribes five, one per channel, and each splits again by whether the recipient is an individual or a corporate subscriber. The matrix below collapses the entire regime into a grid you can read in one glance, with citations and the small print kept faithful to the regulations.

Channel × Recipient

Individual subscriber: a living person, including unincorporated bodies of such individuals (sole traders, partnerships in England & Wales).
Corporate subscriber: companies, LLPs, royal-charter bodies, Scottish partnerships, corporations sole, other body corporates with legal personality.

Automated calls · Reg 19
  Individual subscriber · Prior consent · opt-in. Only to subscribers who have notified the caller of consent. No soft opt-in available. The consent must be specific to automated, recorded-message calls.
  Corporate subscriber · Prior consent · opt-in. Same rule. Reg 19 makes no individual-vs-corporate distinction. Automated dialler + recorded message = consent required from any subscriber.

Fax · Reg 20
  Individual subscriber · Prior consent · opt-in. Consent required, plus respect the FPS register kept by OFCOM under Reg 25. 28-day grace for newly-listed numbers. Consent overrides FPS listing while it stands.
  Corporate subscriber · Opt-out + FPS. Permitted unless the corporate subscriber has notified you, or its number is on the FPS. No prior consent needed; respect specific objections and the central register.

Live calls · Reg 21
  Individual subscriber · Opt-out + TPS. Permitted unless the subscriber has previously notified you, or the number is on the TPS register (Reg 26). 28-day grace for newly-listed numbers. Notification of consent overrides TPS while it stands.
  Corporate subscriber · Opt-out + CTPS. Same regime; corporates may register on CTPS to opt out of unsolicited live calls. Reg 21 applies to all subscribers; the CTPS service exists to operationalise corporate objections.

Email & SMS · Reg 22
  Individual subscriber · Opt-in OR soft opt-in. Default rule: prior consent. Exception: the soft opt-in for similar products to existing customers. All three soft opt-in tests must hold. See § 04 for the deep-dive.
  Corporate subscriber · Outside Reg 22. Reg 22 applies only to individual subscribers. Corporate inboxes fall outside this consent rule. Reg 23 still applies: identify yourself, provide a valid unsubscribe address. UK GDPR also engages where personal data is involved (e.g. named-individual @ company addresses).

Identity & address · Regs 23–24
  Individual subscriber · Always required. Email: identity must not be disguised; valid reply address for opt-out. Calls: name, plus address or freephone number on request. Applies regardless of whether the channel-specific consent test is met.
  Corporate subscriber · Always required. Same identity and address obligations apply across all corporate channels. Reg 23 makes no recipient distinction; Reg 24 sets the disclosure particulars across automated calls, faxes, and live calls.

Key: Opt-in (consent before contact) · Opt-out (contact unless objected) · Soft opt-in available · Outside the consent rule · Universal disclosure rule

§ 03 · Regulation 6

The cookie rule, in plain terms.

Reg 6 reaches further than its nickname suggests. It governs any storage of, or access to, information on a subscriber's or user's terminal: cookies, local storage, fingerprinting scripts, SDK tracking, pixel beacons. The mechanism is what triggers it; the technology is irrelevant.

§ 04 · Regulation 22(3)

The soft opt-in.

A narrow, conditional licence to email or text individual subscribers without prior consent, aimed at letting an existing customer relationship breathe a little, without becoming a vector for cold marketing. All three tests must be true at the same time. Miss one and you fall back to the default Reg 22(2) consent rule.

Reg 22(3) · Email & SMS only · Three tests. All must hold.

The exception sits inside Reg 22 alongside the default rule, not outside it. It permits direct marketing of similar products and services to existing customers over a channel they have implicitly accepted, provided they were given a clear way to refuse, both at collection and on every message since.

1 · Contact details obtained in the course of a sale or negotiations for a sale · Reg 22(3)(a)

Acquired during a genuine commercial relationship. Bought or scraped lists fail this test outright. The relationship must be with the marketing sender, not a parent or sister entity.

2 · Marketing in respect of similar products and services only · Reg 22(3)(b)

The new pitch must be reasonably related to what the customer originally engaged with, not a leap into an unrelated category. ICO guidance treats "similar" as judged from the customer's expectation, not the seller's product taxonomy.

3 · A simple means of refusal at collection & on every message · Reg 22(3)(c)

Free of charge except for the cost of transmission. Offered when the details were first taken, and again on every subsequent communication. The unsubscribe must work and be honoured.

Common pitfalls

Soft opt-in does not cover third-party marketing, charity fundraising on the back of a donation (HCT v ICO clarified the test), or group-company marketing where the subsidiary that holds the relationship is not the entity marketing. It also doesn't apply to automated calls (Reg 19), faxes (Reg 20), or live calls (Reg 21).

§ 05 · Regulations 5–8

Confidentiality of the network.

Before PECR speaks to marketing, it speaks to the network itself. Service providers must keep their services secure, must inform subscribers of residual risks, and must not retain traffic data beyond what's necessary for transmission, billing, or a defined value-added purpose with consent.

Reg 5(1)–(5) · Security of the service

Appropriate technical and organisational measures, judged in light of the state of technology and the cost of implementation, proportionate to the risk. Where significant residual risk remains, subscribers must be told the nature of the risk, mitigations available, and likely cost, free of charge.

Reg 6(1)–(4) · No silent storage on a device

Information may not be stored on, or read from, terminal equipment without the subscriber being given clear information and an opportunity to refuse. Strictly-necessary plumbing is exempt; everything else is consent territory.

Reg 7(1)–(7) · Traffic data: erase or anonymise

Once a communication is delivered, traffic data must be erased or stripped of personal-data character, with three exceptions: billing windows, marketing of communications services with consent, and value-added services with consent. Consent is withdrawable at any time.

Reg 8(1)–(4) · Restrict who handles traffic data

Only the public-communications provider, or a person acting under its authority, may process retained traffic data, and only for billing management, customer enquiries, fraud prevention/detection, marketing of communications services, or a value-added service. Subscribers must be told the types and durations beforehand.

Reg 14(1)–(5) · Location data

Location data beyond what's needed for transmission may only be processed anonymously, or with consent for a specified value-added service. Before consent, the subscriber must be told what data, what purposes, what duration, and whether it will go to a third party. Consent is withdrawable at any time, on each connection or transmission.

Reg 4 · The interface clause · PECR doesn't displace data-protection law

Nothing in PECR relieves a person of obligations under what is now the UK GDPR & Data Protection Act 2018. Where both regimes apply (for example, marketing emails to a named individual), both must be satisfied. PECR is the channel rule; UK GDPR is the data rule.

§ 06 · Regulations 9–18

Voice telephony & the small print of a call.

A cluster of often-overlooked obligations sits behind the marketing rules: the privacy mechanics of the call itself. Caller identification, automatic forwarding, malicious-call tracing, emergency-call carve-outs, and how subscribers find their way into (or out of) directories.

Reg 9 · Itemised billing on request

A subscriber may request non-itemised bills. OFCOM is required to balance the privacy of the calling user against the right of the bill-paying subscriber to itemisation, including by enabling alternative privacy-preserving methods.

Regs 10–13 · Calling Line Identification

Outgoing calls must offer a per-call and per-line means of withholding identification. Incoming calls must offer means of rejecting calls without CLI and of withholding connected-line identity. Providers must publicise the options.

Reg 15 · Tracing malicious or nuisance calls

A communications provider may override CLI suppression where a subscriber has asked for malicious or nuisance calls to be traced and the provider is satisfied that doing so is necessary and expedient. Stored data may be made available to a person with a legitimate interest.

Reg 16 · Emergency calls override

Calls to 999 or 112 are excluded from CLI-prevention rules; the calling line's identity must be presentable to the emergency authority, and location-data restrictions are disregarded for the call. Privacy yields to safety.

Reg 17 · Stop unwanted call-forwarding

Where a third party has caused calls intended for another line to be forwarded to a subscriber's line, the subscriber's provider must stop the forwarding without avoidable delay and free of charge. Other providers must reasonably co-operate.

Reg 18 · Subscriber directories

Inclusion of an individual's data in a directory requires a prior, informed, free-of-charge opportunity to determine inclusion. Reverse-lookup directories (telephone number → identity) require express consent. Corporates may object. Subscribers may verify, correct, or withdraw at any time.

§ 07 · The wider regime

Where PECR sits.

PECR is a small instrument doing a specific job (the privacy of electronic communications) in a much larger regulatory neighbourhood. It descends from an EU directive, depends on definitions in the Communications Act, runs in parallel to UK GDPR, and shares an enforcer with the data-protection regime. Online safety law is the newer arrival next door.

UPSTREAM · EU · Directive 2002/58/EC

The ePrivacy Directive. PECR transposes Articles 2, 4, 5(3), 6–13, 15 and 16 into UK domestic law. The 2009 amending directive tightened the cookie rule.

DEFINITIONS · 2003 · Communications Act 2003

Supplies the load-bearing definitions: "electronic communications network", "electronic communications service", "communications provider", and the framework establishing OFCOM (s. 1, Office of Communications Act 2002).

PECR · 2003 · S.I. 2003/2426

The privacy of electronic communications (calls, faxes, email, SMS, cookies, traffic & location data, directories) for individuals and corporate subscribers in the UK.

PARALLEL · DATA · UK GDPR & Data Protection Act 2018

Reg 4 confirms PECR doesn't displace data-protection law. Where the same processing engages both, both must be satisfied. UK GDPR governs the lawful basis for the data; PECR governs the channel.

DOWNSTREAM · CONTENT · Online Safety Act 2023

OFCOM's other major hat. Where PECR governs the privacy of the carriage of electronic communications, the OSA governs the safety of user-to-user and search content the carriage delivers. Same regulator, different lever.

PECR ⇄ UK GDPR · Marketing email to a named individual: Reg 22 for the channel + UK GDPR Art. 6 for the data. Both lawful bases must hold.
Comms Act 2003 ⊃ PECR · PECR borrows its terminology wholesale from the Communications Act: if the Act doesn't recognise something as a public electronic communications service, PECR doesn't bite.
PECR ≠ OSA · PECR protects the privacy of the message and the consent of the recipient. The OSA protects users from harmful content within services. Same OFCOM, separate regimes, separate enforcement tools.
ICO + OFCOM · PECR enforcement is the Information Commissioner's (Reg 31). OFCOM keeps the TPS, FPS & CTPS registers and gives the Commissioner technical advice (Regs 25, 26, 33).

§ 08 · Regulations 27–33

How PECR is enforced.

PECR doesn't build a parallel enforcement machinery; it bolts onto the Data Protection Act's. Schedule 1 to PECR transplants Part V of the Data Protection Act (with modifications) so the Information Commissioner can issue information notices, enforcement notices, and serve monetary penalties on PECR breaches as if they were data-protection breaches.

Reg 31 + Schedule 1 · The Information Commissioner

Three routes for the affected.

PECR creates a triangulated enforcement regime: the Commissioner acts on her own motion or at OFCOM's or an aggrieved person's request; the aggrieved person may also sue for damages directly; and any contract term inconsistent with PECR is simply void.

A · Regulator-led action. Reg 32 lets OFCOM or any aggrieved person request the Commissioner to act. Reg 31 imports Part V of the DPA (information notices, enforcement notices, and the broader audit/monetary-penalty regime), treating PECR breaches as the trigger.
B · Private compensation. Reg 30 entitles a person who suffers damage from a contravention to bring proceedings against the contravener. Defence: that the defendant took such care as was reasonably required. This stands alongside the regulatory route, not behind it.
C · Void contractual terms. Reg 27 makes any term in a public-electronic-communications contract that is inconsistent with PECR void to that extent. You can't contract out of the floor PECR sets.

Reg 28(1)–(8) · National security carve-out

A communications provider isn't required to do (or refrain from doing) anything if exemption is required to safeguard national security. A Minister's certificate is conclusive evidence; the Information Tribunal hears appeals on judicial-review grounds.

Reg 29(1)(a)–(b) · Law-enforcement & legal-process carve-out

No PECR obligation applies where compliance would be inconsistent with statutory or court-order requirements, would prejudice the prevention or detection of crime, or where exemption is necessary for legal proceedings, legal advice, or establishing/exercising/defending legal rights.

§ 09 · Self-Assessment

Can you send it?

A guided walk through the marketing rules. Answer up to five questions to find out which PECR regime governs your contact, what consent (if any) you need, and what the disclosure rules require. This is a heuristic for orientation; the binding answer is in the regulations and ICO guidance.

§ 10 · Reg 2 · Definitions

The vocabulary that matters.

PECR borrows freely from the Communications Act, the Data Protection Act, and the parent Directive, but a handful of definitions, set out in Reg 2, do the heavy lifting throughout the rest of the instrument.

Subscriber
A person who is a party to a contract with a provider of public electronic communications services for the supply of such services. Distinct from "user".
User
Any individual using a public electronic communications service. May or may not be the subscriber.
Individual
A living individual, including an unincorporated body of such individuals (e.g. a sole trader or an English partnership).
Corporate subscriber
A company within s. 735(1) Companies Act 1985, a chartered or letters-patent company, a Scottish partnership, a corporation sole, or any other body corporate or legal person distinct from its members.
Communication
Any information exchanged or conveyed between a finite number of parties by means of a public electronic communications service. Programme-service content is excluded except where related to an identifiable subscriber/user.
Electronic mail
Any text, voice, sound, or image message sent over a public electronic communications network, capable of being stored in the network or recipient's terminal until collected. Includes SMS.
Traffic data
Any data processed for conveying a communication on an electronic communications network, or for billing in respect of it. Includes routing, duration, time. Distinct from content.
Location data
Data processed in an electronic communications network indicating the geographical position of terminal equipment: latitude, longitude, altitude, direction of travel, time recorded.
Value-added service
Any service that requires processing of traffic or location data beyond what's needed for transmission or billing. The category that triggers the consent rules in Regs 7 and 14.
Call
A connection established by means of a telephone service available to the public, allowing two-way real-time communication. Distinguishes voice telephony from messaging.
Automated calling system
A system capable of (a) automatically initiating a sequence of calls to more than one destination, and (b) transmitting sounds that are not live speech. The trigger for Reg 19's consent rule.
Public communications provider
A provider of a public electronic communications network or a public electronic communications service. The party on whom most of the network-side obligations rest.