If you run a website in the UK, you have probably heard of the GDPR. You may also have come across PECR. Most small business owners assume they are the same thing or that GDPR covers everything. They are not, and it does not.
The General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR) are two distinct pieces of UK law. Both are enforced by the Information Commissioner's Office (ICO). Both can affect your website. But they cover different things, and understanding the difference matters because the ICO enforces them differently.
What the GDPR covers
The UK GDPR (which is the retained EU GDPR as amended by the Data Protection Act 2018) is a broad law that governs how organisations process personal data. "Personal data" means any information that can identify a living person — names, email addresses, IP addresses, location data, browsing behaviour, and more.
The GDPR sets out several key requirements:
- Lawful basis for processing. You need a valid legal reason to process personal data. For most websites, this is either consent, legitimate interests, or contractual necessity.
- Transparency. You must tell people what data you collect, why, how long you keep it, and who you share it with. This is typically done through a privacy policy.
- Data subject rights. Individuals have the right to access their data, have it corrected, have it deleted, object to processing, and request data portability.
- Data protection principles. Data must be processed fairly, collected for specified purposes, kept accurate, and not kept longer than necessary.
- Security. You must have appropriate technical and organisational measures to protect personal data.
- Breach notification. If personal data is breached, you must notify the ICO within 72 hours and, in some cases, notify the affected individuals.
The GDPR is broad. It applies to everything from customer databases to employee records to website analytics. If you process personal data in any form, the GDPR applies to you.
What PECR covers
PECR is much more specific. It implements the EU ePrivacy Directive in UK law and focuses on a narrow set of topics related to electronic communications:
- Cookies and tracking technologies. PECR requires that you obtain informed consent before storing or accessing information on a user's device. This covers cookies, local storage, fingerprinting, and similar technologies. The only exception is for cookies that are "strictly necessary" for the service the user has requested.
- Electronic marketing. PECR requires consent before sending marketing emails, text messages, or making marketing calls to individuals. This is where the "soft opt-in" rule applies for existing customers.
- Spam. PECR prohibits sending unsolicited electronic messages for direct marketing purposes without consent.
- Communications security. PECR requires that public electronic communications services are provided with appropriate security measures.
- Traffic and location data. PECR sets rules about how communications providers handle traffic data and location data.
Notice what is not on that list: the broad handling of personal data. PECR does not tell you how to manage your customer database, how long to keep records, or what rights individuals have over their data. That is GDPR territory. PECR is specifically about electronic communications — how you contact people and how you track them online.
Where they overlap: cookies
The reason most website owners get confused about GDPR and PECR is cookies. Cookies sit right at the intersection of both laws, and here is why:
Tracking cookies collect information about a user's browsing behaviour. That browsing behaviour is personal data (it can identify or contribute to identifying a person). So the GDPR applies because you are processing personal data. You need a lawful basis, and for most tracking cookies, that lawful basis is consent.
At the same time, cookies are stored on a user's device. PECR specifically regulates storing information on a user's device and requires informed consent before doing so (unless the cookie is strictly necessary).
So for cookies, both laws apply simultaneously. You need GDPR consent (lawful basis for processing the personal data that cookies collect) and PECR consent (permission to store information on the user's device). In practice, a compliant cookie consent banner satisfies both requirements at the same time.
Why PECR is what actually gets you fined for cookies
Here is the important practical point: when the ICO fines a company for cookie consent failures, it almost always uses PECR, not the GDPR.
This is because PECR has specific, clear rules about cookies. The rule is simple: do not set non-essential cookies without informed consent. The GDPR is broader and more general — it talks about lawful bases and data processing principles rather than giving specific cookie rules.
PECR's maximum fine is £500,000. The GDPR's maximum fine is £17.5 million or 4% of global turnover. But for cookie-related violations, the ICO has consistently used PECR as the legal basis for enforcement. It is the more precise tool for the job.
This does not mean the GDPR is irrelevant to cookies. If you suffer a data breach that involves cookie data, or if your privacy policy fails to disclose your cookie usage, the ICO could take action under the GDPR. But for the cookie consent mechanism itself — the banner, the timing, the reject option — PECR is the law that matters.
The ePrivacy Directive connection
PECR exists because the EU passed the ePrivacy Directive (Directive 2002/58/EC, later amended by Directive 2009/136/EC). Member states were required to implement this directive into their national law. The UK did so through PECR.
After Brexit, PECR continues to apply as retained EU law. The UK government has discussed replacing it with a new "UK ePrivacy" framework, but as of 2026, no replacement has been enacted. PECR remains the law of the land.
The EU itself is working on the ePrivacy Regulation, which would replace the ePrivacy Directive across EU member states. This would introduce stricter rules and higher fines. However, as the UK is no longer an EU member state, this regulation would not directly apply here. That said, UK businesses that serve EU customers may still need to comply with whatever the EU adopts.
Practical implications for UK businesses
For most UK small businesses, the distinction between GDPR and PECR matters in two practical ways:
1. Know which law covers what. If you are worried about your cookie banner, that is PECR. If you are worried about your customer database and privacy policy, that is GDPR. If you are worried about sending marketing emails, that is both — PECR for the consent to send, GDPR for how you handle the data.
2. Understand the enforcement risk. The ICO is actively auditing websites for cookie consent compliance under PECR. If your cookie banner is non-compliant, you are at risk of a PECR enforcement action. If your overall data handling is poor, you are at risk of a GDPR enforcement action. Both carry significant fines.
What to check on your website
Compliance with both laws is not complicated, but it does require attention. Here is a quick checklist:
- Do you have a cookie consent banner that meets PECR requirements? (Reject option as prominent as accept, no pre-ticked categories, no cookies set before consent.)
- Do you have a privacy policy that meets GDPR requirements? (What data you collect, why, how long you keep it, who you share it with, how people can exercise their rights.)
- If you send marketing emails, do you have consent under PECR and a lawful basis under GDPR?
- Can you respond to data subject access requests within the GDPR's 30-day deadline?
- Do you have appropriate security measures to protect the personal data you hold?
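The cookie items in that checklist map to a small amount of front-end logic. The following is an added example, not code from the original post or from PulseShield: a consent gate that encodes the three banner rules (nothing optional pre-ticked, "reject all" as easy to honour as "accept all", no non-essential cookie written before a choice is made) plus an audit helper that checks a cookie string against a cookie-to-category map. Category and cookie names are assumptions chosen for illustration.

```javascript
// Added example (not part of the original post). Category and cookie names
// below are assumed for illustration, not taken from any real site.
const STRICTLY_NECESSARY = "necessary";

// State before the visitor has chosen: only strictly necessary cookies are
// allowed, and no optional category is pre-ticked.
function defaultConsent() {
  return { decided: false, categories: { analytics: false, marketing: false } };
}

// Record an explicit choice. "Reject all" is a call with no arguments, so it
// costs the visitor no more effort than "accept all".
function recordConsent(choices = {}) {
  const state = defaultConsent();
  state.decided = true;
  for (const category of Object.keys(state.categories)) {
    state.categories[category] = choices[category] === true;
  }
  return state;
}

// Every cookie write should pass through this check first.
function canSetCookie(category, consent) {
  if (category === STRICTLY_NECESSARY) return true;
  return consent.decided && consent.categories[category] === true;
}

// Audit a Cookie header string against a cookie-to-category map and return the
// names of cookies present without consent for their category. A cookie that
// is not in the map is treated as non-essential and therefore flagged.
function auditCookies(cookieHeader, cookieMap, consent) {
  const violations = [];
  for (const pair of cookieHeader.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const category = cookieMap[name] ?? "unknown";
    if (!canSetCookie(category, consent)) violations.push(name);
  }
  return violations;
}

// Constructed sample: which cookies belong to which category on this site.
const SAMPLE_COOKIE_MAP = {
  session_id: "necessary",
  analytics_id: "analytics",
  ads_id: "marketing",
};
```

Running `auditCookies` against the cookies actually present on a first page load, before any banner interaction, is a quick way to confirm the "no cookies set before consent" item.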
If you are not sure where your website stands, a free PulseShield scan checks for cookie consent issues, missing security headers, exposed files, and other problems in about 30 seconds. It will not catch every GDPR issue, but it will flag the most common website compliance problems that the ICO looks for.