
If you run a business, manage a website, or handle any kind of digital marketing activity, you have likely asked yourself how to stay compliant with the rules that govern online tracking and promotional communication.
Digital marketing feels simple on the surface. You place cookies, send emails, run targeted ads, and reach the audiences you need. In practice, the landscape is more complex. The rules that decide what you can collect, what you can track, and how you can communicate with customers are constantly changing.
Just because you have a website and a set of marketing tools does not mean you have the legal foundations in place to use them. Consent, transparency, legitimate interest, cookie placement rules and marketing permissions all sit within a strict regulatory framework. These requirements apply to businesses of every size, and the penalties for getting them wrong are increasing under the new Data (Use and Access) Act.
This is where a clear understanding of the UK’s regulatory system becomes essential.
As data protection experts, we work closely with organisations that need to reach customers in a compliant, responsible way. The challenge is that the regulations do not stand still. The PECR, the UK GDPR and the new Data (Use and Access) Act now define what counts as valid consent, what counts as direct marketing, and which cookies can be placed without permission. For many teams, these changes make an already demanding environment harder to navigate.
So what do the data protection regulations say, and how do they affect your marketing activity?
Below, you will find a clear and practical breakdown of the current UK regulations for direct marketing and cookies, including the reforms introduced in 2025, recent ICO enforcement action, and guidance on ensuring your own processes remain compliant.
What Rules and Laws Apply to Cookies in the UK?
In the UK, the rules to keep in mind when thinking about the use of cookies (and other tracking technologies) and direct marketing are contained in a couple of key regulations. These are:
- Privacy and Electronic Communications Regulations 2003 (PECR): Governs the use of cookies, electronic marketing, and related communications.
- UK General Data Protection Regulation (UK GDPR): Provides overarching data protection standards, notably defining the principles of lawful, fair and transparent processing, as well as consent and data subject rights.
- Data (Use and Access) Act 2025 (DUAA): Amends the UK GDPR and PECR to introduce some changes to the rules around the use of cookies and similar technologies.
The PECR and UK GDPR intersect in key areas – particularly where consent for cookies and marketing must meet the UK GDPR standards (freely given, specific, informed, unambiguous, and affirmative).
Reform of PECR: Data (Use and Access) Act 2025
On 19th June 2025, the Data (Use and Access) Act received Royal Assent, introducing some reforms to both UK GDPR and PECR. Key changes include:
- Changes to Fines: The maximum penalty under PECR rises from £500,000 to align with UK GDPR – up to £17.5 million or 4% of global annual turnover.
- Definition of Direct Marketing: A legal definition (mirroring that in the Data Protection Act 2018) has been added to both PECR and UK GDPR, harmonising terminology and enforcement scope.
- Cookie consent requirements: Changes to which categories of cookies require prior consent from the user before they can be placed, widening the set of cookies that can be placed without opt-in consent.
A look at ICO Enforcement Cases
The ICO continues to enforce PECR:
- HelloFresh was fined £140,000 in January 2024 for sending over 80 million marketing emails and SMS messages without valid consent. The consent statement bundled multiple items (free samples, age confirmation) and failed to mention SMS, making it neither specific nor informed.
- SkyBet was reprimanded by the ICO for deploying advertising cookies before the user could consent, breaching the PECR. After the reprimand, SkyBet updated its mechanisms to enable proper rejection of advertising cookies.
- Other penalties include:
  - LADH Limited: fined £50,000 for unsolicited SMS marketing without consent and failure to identify the sender clearly.
  - Penny Appeal: issued an enforcement notice for sending nearly half a million unsolicited direct marketing messages in 2022 without consent.
  - Dr Telemarketing (DRT): penalised £100,000 for unsolicited calls to numbers on the Telephone Preference Service (TPS).
  - Outsource Strategies Ltd (OSL): fined £240,000 for making over 1.3 million unsolicited calls to TPS-registered individuals.
These actions underscore the importance of valid consent and adherence to the PECR’s rules. This is particularly important given the changes to fines under the DUAA, as touched on above.
ICO Direct Marketing Guidance
Recent enforcement action from the ICO highlights how closely the regulator is monitoring unlawful direct marketing and non-compliant cookie practices.
Businesses have faced penalties for sending marketing messages without valid consent, placing advertising cookies before users agreed to them, and contacting individuals listed on the TPS. These decisions clarify what the ICO expects from organisations and provide a clear benchmark for compliance. Key themes include:
- Valid, specific and informed consent for all marketing channels,
- Clear identification of the sender in every communication,
- No cookies unlawfully placed before consent,
- Respect for TPS and opt-out registers,
- Strong record-keeping to evidence lawful processing.
These findings underline the need for transparent, well-governed marketing activity.
Clear and Valid Cookie Consent
The RTM case is a watershed—highlighting that consent cannot always be assumed valid if a data subject is in a vulnerable position. Organisations must assess whether individuals are capable of autonomous, informed choices—especially for profiling and direct marketing.
Consent must be unbundled and clear, both for marketing categories and channels (e.g. separate opt-ins for email vs. SMS). Including marketing consent in the general privacy policy or alongside unrelated statements (e.g. age confirmation) will likely fail the test.
Websites must not place non-essential or advertising cookies before obtaining consent. Users should be able to accept or reject cookies from the outset, and be told which third parties are involved, how long each cookie lasts, and the purposes for which data is collected.
Increased Cookie Compliance Enforcement
With the Data (Use and Access) Act raising potential fines dramatically, non-compliance now carries a heavier financial risk. Organisations must enhance consent logging, segmentation, and retention strategies, and ensure readiness for complaints under expanded data subject rights, including new complaint procedure duties.
How to navigate the data protection regulation of direct marketing and cookies in the UK
In summary, the UK’s data protection landscape is evolving rapidly:
- Reforms under the Data (Use and Access) Act raise the stakes – aligning PECR fines with GDPR, formalising direct marketing definitions, and reinforcing complaint procedures.
- Key rulings and enforcement actions – from the RTM case to ICO fines for HelloFresh and others – highlight rigorous standards for valid consent, especially in sensitive contexts or involving vulnerable individuals.
- Organisations must move beyond “tick-box” consent approaches. Consent must be informed, granular, unbundled, freely given, and recorded, and should allow for easy withdrawal.
- Transparency around cookies and tracking is no longer optional; prior consent with clear explanations is essential.
- The increased penalties and visibility of enforcement mean organisations simply cannot afford procedural lapses – or they risk reputational and financial harm.
Some tips for compliance:
For data protection officers, marketers, and web developers:
- Check your cookie banners and consent mechanisms to ensure adequate consent is sought, and that no tracking begins before consent.
- Review consent collected for marketing purposes – specify purposes, ensure details are used only for those purposes, and make it easy to withdraw.
- Maintain clear consent records and prepare complaint-handling procedures consistent with the new regulatory duties.
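The two points above about cookies (non-essential cookies must not be placed before consent, and consent must be granular and recorded so it can be evidenced) can be enforced in the site's own code rather than left to a banner vendor. The following is an added example, not NormCyber's code or any vendor's product: a small consent gate that only runs non-essential tag loaders after an affirmative per-category opt-in, treats silence as refusal, supports withdrawal, and keeps an append-only log of every decision with the version of the notice the user saw. The category names, the policy version string and the in-memory log are assumptions for illustration; a production site would persist the log server-side and wire `deferUntilConsented` to its real tag loader.

```javascript
// Added example (not from the original article): consent-gated loading of
// non-essential cookies with an audit log of decisions. Category names and
// the in-memory log are illustrative assumptions.

const CATEGORIES = Object.freeze({
  essential: { requiresConsent: false },   // strictly necessary: no opt-in needed
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
});

class ConsentManager {
  constructor(policyVersion) {
    this.policyVersion = policyVersion;  // version of the cookie notice shown to the user
    this.granted = new Set();            // categories the user has affirmatively opted in to
    this.log = [];                       // append-only record used to evidence consent
    this.pending = new Map();            // category -> loaders waiting for consent
  }

  // Essential cookies are always allowed; everything else needs an explicit opt-in.
  isAllowed(category) {
    const def = CATEGORIES[category];
    if (!def) throw new Error(`unknown cookie category: ${category}`);
    return !def.requiresConsent || this.granted.has(category);
  }

  // Record an explicit per-category choice. `choices` maps category -> true/false.
  // Categories not mentioned are treated as refused: silence is not consent.
  record(choices, now = new Date()) {
    const entry = { at: now.toISOString(), policyVersion: this.policyVersion, choices: {} };
    for (const cat of Object.keys(CATEGORIES)) {
      if (!CATEGORIES[cat].requiresConsent) continue;
      const granted = choices[cat] === true;
      entry.choices[cat] = granted;
      if (granted) this.granted.add(cat); else this.granted.delete(cat);
    }
    this.log.push(entry);
    this.flushPending();
    return entry;
  }

  // Withdrawal is just another recorded decision that drops one category.
  withdraw(category) {
    const choices = {};
    for (const cat of this.granted) choices[cat] = cat !== category;
    return this.record(choices);
  }

  // Run a tag/script loader now if its category is allowed, otherwise queue it
  // until the user opts in. Returns whether the loader ran immediately.
  deferUntilConsented(category, loader) {
    if (this.isAllowed(category)) { loader(); return true; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }

  flushPending() {
    for (const [cat, loaders] of this.pending) {
      if (!this.isAllowed(cat)) continue;
      loaders.forEach((fn) => fn());
      this.pending.delete(cat);
    }
  }
}

// Walk through a typical visit: page load, a partial opt-in, a full opt-in,
// then withdrawal of advertising consent.
function demo() {
  const cm = new ConsentManager('cookie-notice-v3');
  const loaded = [];
  cm.deferUntilConsented('essential', () => loaded.push('session'));
  cm.deferUntilConsented('advertising', () => loaded.push('ad-pixel'));
  const before = [...loaded];                               // only the essential cookie so far
  cm.record({ analytics: true, advertising: false });
  const afterPartial = [...loaded];                         // ad pixel still blocked
  cm.record({ analytics: true, advertising: true });
  const afterFull = [...loaded];                            // ad pixel now loaded
  cm.withdraw('advertising');
  return {
    before, afterPartial, afterFull,
    allowedAfterWithdraw: cm.isAllowed('advertising'),
    logLength: cm.log.length,
  };
}
```

Two design points: every decision, including withdrawal, is written to the same log with a timestamp and notice version, which is the record an organisation needs when asked to evidence consent; and withdrawal only stops future placement, so a site must still clear or expire cookies that were set while consent was in force.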
As regulation tightens, consent must be more than a checkbox – it must be meaningful, informed, and unambiguous.
Data Protection Regulation of Direct Marketing and Cookies with NormCyber
If your organisation relies on digital marketing, tracking technologies or customer data to reach the right audiences, this is an ideal moment to review your compliance posture. The UK’s regulatory landscape is evolving quickly, and getting it wrong could be costly.
The team here at NormCyber can help you assess your current marketing and cookie practices, strengthen your consent mechanisms, and ensure your processes meet the latest requirements under PECR, the UK GDPR and the Data (Use and Access) Act.
Get in touch with us to take a more confident, compliant and transparent approach to direct marketing and data protection.