GDPR vs PECR: What's the Difference?

QUICK ANSWER

GDPR governs how you collect, store, and process personal data. PECR governs how you use cookies, send marketing emails, and handle electronic communications. They overlap but cover different areas: GDPR needs a privacy policy and lawful basis for processing; PECR needs cookie consent and applies to direct marketing by email, phone, and text.

If you run a website in the UK, you need to comply with both GDPR and PECR. They're separate regulations that cover overlapping but distinct areas of data protection. Confusing the two is one of the most common compliance mistakes small businesses make.

Here's a clear breakdown of what each one covers and how they work together.

What is GDPR?

The General Data Protection Regulation (GDPR) is the UK's primary data protection law, retained after Brexit as the UK GDPR. It governs how organisations collect, store, process, and share personal data. "Personal data" means any information that can identify a living individual — names, email addresses, IP addresses, cookie identifiers, and more.

GDPR requires you to:

Have a lawful basis for every data processing activity (consent, contract, legitimate interests, etc.)
Publish a clear privacy policy explaining your data processing
Respect individual rights: access, erasure, portability, objection
Report certain data breaches to the ICO within 72 hours
Keep records of your processing activities
Implement appropriate security measures

GDPR applies to any organisation that processes personal data of UK residents, regardless of where the organisation is based. It's broad in scope and covers everything from customer databases to website analytics.

What is PECR?

The Privacy and Electronic Communications Regulations (PECR) sit alongside GDPR and deal specifically with electronic communications. PECR covers three main areas:

Cookies and tracking technologies — you must obtain consent before setting non-essential cookies or similar tracking
Electronic marketing — rules for sending emails, texts, and making marketing calls
Communications security — requirements for the security of public electronic communications services

PECR implements the EU ePrivacy Directive in UK law. It's more specific than GDPR and focuses on the privacy of communications rather than general data protection.

Where Do They Overlap?

GDPR and PECR overlap most significantly around consent. Both require consent for certain activities, but they approach it differently:

GDPR consent must be freely given, specific, informed, and unambiguous. It applies to all personal data processing where consent is your lawful basis.
PECR consent specifically applies to cookies and electronic marketing. The standard is broadly the same (it must meet GDPR standards), but PECR is the specific regulation that requires cookie consent banners.

Both regulations are enforced by the Information Commissioner's Office (ICO) in the UK. The ICO can investigate breaches of either regulation and issue fines.

Practical Implications for Websites

For most small business websites, here's what compliance with both regulations looks like in practice:

Because of GDPR, you need:

A comprehensive privacy policy
A lawful basis for every form of data collection
Processes for handling data subject requests (access, erasure, etc.)
A data breach response plan
Secure data storage and processing agreements with third parties

Because of PECR, you need:

A cookie consent banner with accept and reject options
No non-essential cookies set before consent is given
Consent before sending marketing emails to individuals (soft opt-in rules apply for existing customers)
A way for people to opt out of marketing communications

Fines Under Each Regime

Both GDPR and PECR carry significant penalties:

GDPR fines: Up to £17.5 million or 4% of annual global turnover, whichever is higher
PECR fines: Up to £500,000 for the most serious breaches — though the UK government has consulted on increasing this to match GDPR levels

In practice, the ICO tends to focus on the most egregious cases. But even smaller fines come with reputational damage and the cost of remediation.

Common Confusion Points

The most frequent misunderstanding is thinking GDPR alone covers cookies. It doesn't — at least not directly. GDPR sets the standard for what counts as valid consent, but PECR is the regulation that specifically requires you to obtain consent before setting cookies.

Another common mistake is assuming that GDPR compliance automatically means PECR compliance. You could have a perfect privacy policy (GDPR) but still be violating PECR if you're setting analytics cookies without a consent banner.

Conversely, having a cookie banner (PECR) doesn't make you GDPR-compliant if your privacy policy is incomplete or you don't have a lawful basis for processing.

Checklist: Compliance with Both

Privacy policy covering all data processing activities (GDPR)
Cookie consent banner with accept and reject options (PECR)
No tracking cookies before consent (PECR)
Lawful basis documented for each processing activity (GDPR)
Consent checkboxes on forms, not pre-ticked (GDPR)
Email marketing only to those who consented or qualify for soft opt-in (PECR)
Unsubscribe link in every marketing email (PECR)
Data breach notification process (GDPR)
Subject access request process (GDPR)
Data processing agreements with third parties (GDPR)

For a full walkthrough of GDPR website requirements, see our GDPR compliance checklist for small businesses. For cookie-specific guidance, see our pages on cookie consent banner requirements and ICO cookie consent requirements.