A Legal Analysis of PECR and UK GDPR Enforcement (2019–2025): A Warning to Data Controllers on the enactment of the Data (Use and Access) Act.
Abstract
This paper analyses enforcement action taken by the Information Commissioner’s Office (‘ICO’) under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and the UK General Data Protection Regulation (‘UK GDPR’), read with the Data Protection Act 2018 (‘DPA 2018’), between 2019 and 2 September 2025. It demonstrates that while UK GDPR fines remain financially larger, PECR breaches are sanctioned more frequently and, since the Data (Use and Access) Act 2025, carry equal maximum penalties. The analysis warns data controllers that the lower legal threshold for PECR enforcement now carries heightened financial risk following the passing of the Data (Use and Access) Act 2025.
CONTEXTUAL INFORMATION
The Data (Use and Access) Act 2025 elevates the regulatory consequences of marketing and cookie breaches to the same level as other personal data breaches under UK data protection law. This shift reflects a recognition that enforcement under the Privacy and Electronic Communications Regulations 2003 (PECR) has historically been limited in financial impact rather than in frequency. Between 2019 and 2025, the Information Commissioner’s Office (ICO) issued 119 fines under PECR, where the legal threshold for enforcement is lower than under the UK GDPR, yet in the same period only 16 fines were imposed under the latter regime. The reforms remove this disparity by raising the PECR penalty cap from the previous £500,000 limit to align with the UK GDPR’s maximum sanctions of £17.5 million or 4% of annual worldwide turnover, whichever is greater. Moreover, the scope of unlawful direct marketing is expanded to include emails and texts that are sent but never received, significantly broadening the scope for regulatory enforcement and signalling a stricter approach to unlawful marketing practices.
1. Enforcement Data 2019–2025
1.1 PECR
Between 2019 and 2 September 2025, the ICO imposed 119 monetary penalty notices (‘MPNs’) under PECR, totalling approximately £10.5 million.
Annual figures include:
– 2019: 13 fines totalling £1.06m;
– 2020: 11 fines totalling £1.266m;
– 2021: 33 fines totalling £3.268m;
– 2022: 29 fines totalling ‘over £2m’;
– 2023: 16 fines totalling £1.18m;
– 2024: 15 fines totalling approximately £1.6m;
– 2025 (to 2 September): two fines totalling over £140k.
1.2 UK GDPR / DPA 2018
In the same period, at least 16 UK GDPR fines were imposed, totalling approximately £65 million (excluding the overturned Clearview AI penalty). Major cases include:
– Doorstep Dispensaree Ltd (2019) £275k (later reduced to £92k on appeal);
– British Airways (2020) £20m;
– Marriott International (2020) £18.4m;
– Ticketmaster (2020) £1.25m;
– Interserve (2022) £4.4m;
– TikTok (2023) £12.7m;
– Advanced Computer Software (2025) £3.07m;
– 23andMe (2025) £2.31m.
2. Comparative Analysis
While UK GDPR fines are financially heavier because of a handful of large-scale data breach penalties, PECR enforcement dominates in frequency. PECR breaches, such as nuisance marketing or cookie consent failures, typically require less complex evidentiary findings than UK GDPR data processing cases, resulting in more frequent enforcement action and faster enforcement cycles.
Historically, PECR fines were capped at £500,000. However, the Data (Use and Access) Act 2025 amended PECR to align maximum penalties with UK GDPR: fines of up to £17.5 million or 4% of global turnover, whichever is greater.1
3. Implications for Data Controllers
The implications are threefold:
1. Lower Threshold, Higher Risk: PECR breaches typically involve direct marketing or cookie consent non-compliance, areas with clear evidentiary trails and fewer available defences than complex data security breaches under UK GDPR.
2. Financial Exposure: Raising the previous £500,000 PECR penalty cap to UK GDPR levels now exposes data controllers to GDPR-level fines for relatively straightforward infringements.
3. Regulatory Priority: Enforcement statistics reveal the ICO’s willingness to use PECR as a high-volume enforcement tool; with the new maximum penalties, routine non-compliance could now attract multi-million-pound sanctions.
4. Conclusion
Since 2019, PECR has accounted for the majority of ICO enforcement actions by number, while UK GDPR fines dominate in value. PECR breaches, such as nuisance marketing or cookie consent failures, typically require less complex evidentiary findings than UK GDPR data processing cases, which explains the higher volume and faster enforcement cycles. Historically, PECR fines were capped at £500,000; the Data (Use and Access) Act 2025 amends PECR to align maximum penalties with UK GDPR, namely fines of up to £17.5 million or 4% of global turnover, whichever is greater.2 The deterrent effect of PECR penalties has therefore been radically enhanced to GDPR levels. Data controllers should integrate PECR compliance into risk management frameworks at parity with UK GDPR obligations: the lower legal threshold for PECR enforcement, combined with higher maximum penalties, now renders routine marketing compliance failures a material regulatory and financial risk.
Practitioners should take proactive steps to mitigate enforcement risk under the strengthened PECR regime. First, conduct a comprehensive marketing compliance audit, focusing on consent records and opt-out mechanisms, and ensuring that all electronic marketing relies on valid consent or, where applicable, the soft opt-in under PECR. Second, review and, where necessary, update cookie banners and consent management platforms (CMPs) to align with best practice and forthcoming regulatory expectations. Finally, maintain clear, well-documented evidence of PECR compliance to demonstrate accountability in the event of an ICO investigation or audit.
References
- Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426.
- UK General Data Protection Regulation, incorporated via Data Protection Act 2018, c 12.
- Data (Use and Access) Act 2025, c 18, s 64.
- Information Commissioner’s Office, Monetary Penalty Notices (2019–2025) <https://ico.org.uk> accessed 2 September 2025.
- Ofcom and ICO, Nuisance Calls Action Plan (2019).
- Kingsley Napley, PECR Enforcement Analysis 2020 (2020).
- Taylor Wessing, ICO Enforcement Report 2021 (2021).
- URM Consulting, Analysis of Fines 2022–2024 (2024).
- First-tier Tribunal (General Regulatory Chamber) Information Rights, Clearview AI v Information Commissioner [2023] UKFTT 0084 (GRC).
- First-tier Tribunal (General Regulatory Chamber) Information Rights, Doorstep Dispensaree Ltd v Information Commissioner [2024] UKFTT 0091 (GRC).
Written by: Nigel Gooding, LLM Information Rights Law & Practice, FBCS, FEPRI, FCMI