Shared AI pipeline + prompt store
Same drafting and grounding engine and same governed prompt store that powers DPIA drafting and risk extraction. Prompts are versioned and role-gated.
PECR · ePrivacy · Direct marketing
Screen direct marketing, ePrivacy and consent evidence before a campaign goes out. Acompli reads the outbound artefact, flags issues against Ireland and UK rules, and routes the result to a human reviewer. AI screens; a person decides.
PECR & ePrivacy answer
Yes. In Ireland, Regulation 13 of S.I. 336/2011 — the ePrivacy Regulations enforced by the Data Protection Commission (DPC) — requires consent before sending unsolicited electronic marketing to individual subscribers, unless the ‘existing customer’ exemption applies. The UK mirrors this under PECR Regulation 22, enforced by the ICO.
Both run alongside the GDPR, so you need a consent or soft-opt-in record for the send and a lawful basis for the data. The DPC has brought prosecutions for unlawful electronic marketing, so the evidence record is what defends it. Acompli assembles that record per message — classification, recipient type, consent or soft-opt-in evidence, and the reviewer's decision — on the platform's immutable audit log.
Key takeaways
Ireland vs UK
Both regimes let you market similar products or services to existing customers without fresh consent on the same four conditions (set out in the takeaways above). What teams must document is the regime name, the citation, and how each regulator interprets ‘similar’ and customer recency.
Acompli captures evidence of each condition against the reviewed message and records which regime (DPC or ICO) it was assessed under. Cross-border transfer questions raised by a campaign link to Transfer Impact Assessments.
Last reviewed: 10 June 2026. PECR & ePrivacy requirements guide for Ireland and the UK.
Primary sources
PECR compliance software
PECR compliance software screens outbound electronic marketing against the ePrivacy marketing rules — Ireland’s S.I. 336/2011 (enforced by the DPC) and the UK’s PECR Regulation 22 (enforced by the ICO) — and records the consent, soft-opt-in or legitimate-interests evidence for each send so a campaign is defensible before it ships. Acompli reads the actual outbound artefact, scores it deterministically against weighted marketing flags, and routes the result to a DPO-and-above reviewer: AI screens, a person decides.
What to look for in PECR compliance software
Acompli PECR review is available as part of the Acompli platform; pricing depends on review volume, the surfaces you cover (Teams, Slack, web) and integrations. See Acompli pricing.
Acompli's classifier is pure code grounded in Ireland's S.I. 336/2011 rules and the UK ICO's Direct Marketing Guidance — no persistence, no autonomous action. A separate review service routes the scored artifact and recommended action into a DPO-and-above queue.
Supports DOCX, XLSX, PDF, HTML, EML, TXT, and images via a vision pass — so scanned campaigns, screenshots, and multi-format mailers all go through the same evaluation, not just plain text. Acompli keeps the reviewed artefact attached to the determination, so the message on record is the message that was assessed.
Deterministic scoring against the Regulation 22 / S.I. 336/2011 taxonomy — direct-marketing indicators, suppression signals, identification and unsubscribe presence, soft opt-in / existing- customer evidence triggers. The score is reproducible; the classification is auditable.
Acompli's pure classifier returns a recommended action (approve, approve with conditions, escalate to DPO) and the contributing flags. It does not persist a verdict and does not send or block a campaign.
A separate review service routes the scored artifact and the recommended action into a review workflow. The workflow is gated by the same identity, legal-entity, and business-unit RBAC that gates the rest of the platform — only authorised reviewers can decide.
The reviewer's decision (and the reasoning) is written to the same immutable audit log that captures every other governance decision across the platform. PECR review work appears in the same estate rollup as DPIAs, RoPA, and risks.
Acompli supports the review workflow; it does not interface with email-service-provider send queues to physically block a campaign. The DPO's decision is the control — operationalised through the campaign workflow your marketing team already runs.
On the shared spine
Acompli's Communication Review runs on the same AI pipeline and prompt store as the rest of the platform, persists into the same org-scoped store, and the review workflow is gated by the same unified authentication, RBAC, and legal-entity scoping used across DSAR, RoPA, and assessments.
Same drafting and grounding engine and same governed prompt store that powers DPIA drafting and risk extraction. Prompts are versioned and role-gated.
The review queue is scoped by identity, legal entity, and business unit. A reviewer sees only the artifacts their scope permits — identical predicate to the rest of the platform.
Reviewer decisions land on the same immutable audit log as every other governance action — visible in the same reporting and analytics rollup as DPIAs, RoPA, and risks.
Legitimate-interests assessments and soft-opt-in / existing- customer condition evidence captured against a reviewed message become part of the campaign's record — citeable in any subsequent DPC or ICO query, and feed the same data protection risk register tracked in privacy risk management software.
PECR FAQ
Regulatory signals
Selected GDPR, PECR, and ePrivacy news from acompli.ie — ICO and DPC enforcement, ePrivacy Regulation progress, cookie-and-consent guidance, and direct-marketing rulings.
The Irish High Court has upheld the Data Protection Commission's €530 million fine against TikTok over the transfer of EEA user data to China and related transparency failures, confirming one of the largest GDPR penalties on record while allowing a narrow appeal on the size of the fine to proceed.
Read update →Novo Nordisk has disclosed a security incident in which attackers copied personal data from internal systems, including pseudonymised clinical trial data covering biomarkers and lifestyle factors, and directly identifying information about healthcare professionals - a breach that illustrates the layered sensitivity of health-sector data.
Read update →A compromise of market intelligence platform Klue allowed attackers to steal OAuth tokens connecting customer Salesforce environments, exposing business data across numerous organisations including Tanium, Gong, Huntress, and LastPass - a textbook SaaS supply-chain attack built on a forgotten legacy credential.
Read update →AI-screened, DPC/ICO-grounded, human-approved review of outbound direct marketing — landing on the same audit log as every other governance decision.