PECR and ePrivacy Requirements for Cookies and Electronic Marketing in Ireland and the UK
Cookies and electronic marketing are governed by ePrivacy rules that sit alongside the GDPR: in the UK by PECR (enforced by the ICO) and in Ireland by S.I. 336/2011 (enforced by the DPC). This guide compares the two regimes, sets out the consent and soft opt-in conditions, and flags the 2026 reforms.

What are PECR and the ePrivacy rules, and where do they apply?
Cookies and direct electronic marketing are governed by ePrivacy rules that apply on top of the GDPR: in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR, S.I. 2003/2426), enforced by the Information Commissioner's Office (ICO), and in Ireland by the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. 336/2011), enforced by the Data Protection Commission (DPC). Both transpose the EU ePrivacy Directive (2002/58/EC, as amended) and both borrow the GDPR or UK GDPR definition of consent.
The practical point for any organisation marketing into Ireland and the UK is that the GDPR is necessary but not sufficient. You can have a lawful basis under the GDPR and still breach the ePrivacy rules if you set non-essential cookies without valid consent, or send marketing emails, texts or automated calls without the right permission. ePrivacy is the more specific regime (lex specialis) for cookies and electronic communications, so where it applies, it governs.
This guide compares the two regimes side by side: when cookie consent is required, when the existing-customer soft opt-in lets you market without prior consent, who enforces and how hard, and what the 2026 reforms (the UK Data (Use and Access) Act 2025 and the EU Digital Omnibus proposal) change.
Is ePrivacy compliance a legal obligation in Ireland and the UK?
Yes. ePrivacy compliance is a statutory obligation in both jurisdictions, separate from and additional to the GDPR. It is not optional best practice, and consent obtained for one purpose does not automatically satisfy the other.
Crucially, the standard of consent is the GDPR standard. Both the ICO and the DPC read 'consent' in their ePrivacy rules by reference to the GDPR / UK GDPR definition: a freely given, specific, informed and unambiguous indication of the user's wishes, given by a clear affirmative action. Pre-ticked boxes, implied consent from continued browsing, and 'by using this site you agree' notices do not meet that standard.
- Who it binds: anyone setting or accessing information on a user's device (cookies and similar technologies) and anyone sending direct electronic marketing by email, SMS, automated calls or fax.
- Who enforces: the ICO in the UK and the DPC in Ireland. Each can investigate, audit and act on complaints.
- How the GDPR connects: the ePrivacy rules govern the act of setting cookies or sending the message; the GDPR governs the personal data processed once that data is in scope. You generally need to satisfy both.
- Territorial reach: marketing aimed at users in the UK engages PECR; marketing aimed at users in Ireland engages S.I. 336/2011, regardless of where the sender is established.
Cookie consent: Regulation 6 (UK) and Regulation 5 (Ireland)
The cookie rule started from the same place in both jurisdictions: you must not store information on, or gain access to information already stored on, a user's device unless the user has given consent, having been provided with clear and comprehensive information about the purposes. In the UK this is Regulation 6 of PECR; in Ireland it is Regulation 5 of S.I. 336/2011.
Both regimes originally contained the same two narrow exemptions: consent is not required where the cookie or similar technology is either strictly necessary to transmit a communication, or strictly necessary to provide a service the user has explicitly requested. The exemptions are read narrowly. A shopping-cart or login-session cookie is typically exempt; analytics, advertising, social-media and personalisation cookies have not historically been treated as strictly necessary and require consent.
From 5 February 2026 the UK position diverged: the Data (Use and Access) Act 2025 added new statutory exemptions to Regulation 6 for certain low-risk purposes, so some cookies that previously needed consent (notably first-party aggregate analytics) no longer do, subject to transparency and an opt-out. Ireland's Regulation 5 has not changed, so the same cookies still require consent for Irish users. The two cookie regimes should now be treated as related but no longer identical.
- Consent must be obtained before non-essential cookies are set, not after the page has loaded and already dropped them.
- Rejecting cookies must be as easy as accepting them; a prominent 'Accept all' with a buried or multi-click 'Reject' is a common compliance failure.
- You must give granular control by purpose (for example analytics versus advertising), not a single all-or-nothing switch.
- The strictly-necessary exemptions cover technical necessity only. 'We need analytics to run our business' has not historically qualified as strictly necessary under either regime.
- The UK's new February 2026 cookie exemptions are separate from the strictly-necessary test and do not apply in Ireland; advertising and cross-site tracking cookies still need consent in both jurisdictions.
- Consent should be refreshed periodically and is not a one-time, indefinite permission.
Electronic marketing: Regulation 22 (UK) and Regulation 13 (Ireland)
Direct electronic marketing to individuals generally requires prior consent in both jurisdictions. In the UK, Regulation 22 of PECR governs marketing by electronic mail (which includes email and SMS); in Ireland, Regulation 13 of S.I. 336/2011 governs unsolicited communications by email, SMS, automated calling and fax. The default rule is opt-in.
The major exception is the existing-customer 'soft opt-in'. It lets an organisation market to people who are already customers without prior consent, provided strict conditions are met. The conditions are closely aligned across the two regimes, but Ireland sets an explicit 12-month time limit (Regulation 13(11)) and the UK does not.
- You obtained the contact details directly from the person in the course of a sale or negotiations for a sale of a product or service.
- You are marketing your own similar products or services only (not unrelated lines, and not third-party marketing).
- The person was given a simple, free means to opt out when their details were collected, and is given that opportunity in every subsequent message.
- Ireland (Regulation 13(11)) sets a 12-month limit: the soft opt-in applies only where the sale, or the last compliant marketing message the person did not opt out of, occurred within the previous 12 months, after which fresh consent is needed.
- Corporate subscribers: marketing to individual employees at named corporate email addresses still attracts opt-out and identification duties; the soft opt-in is designed for individual-subscriber relationships, and most B2B email instead relies on documented legitimate interests under the GDPR or UK GDPR.
DPC (Ireland) vs ICO (UK): a side-by-side comparison
The two regimes are closely aligned on substance but diverge sharply on enforcement mechanics and, since 5 February 2026, on cookie consent exemptions. The table below summarises the differences that matter most when you operate across both.
| Ireland — DPC (S.I. 336/2011) | UK — ICO (PECR 2003) |
|---|---|
| Regulator: Data Protection Commission (DPC). | Regulator: Information Commissioner's Office (ICO). |
| Cookies: Regulation 5 — consent required for non-essential cookies; only the strictly-necessary exemption applies and it is read narrowly. | Cookies: Regulation 6 — consent required, but with new statutory exemptions (e.g. first-party aggregate analytics, security, functionality, software updates) from 5 Feb 2026 under the DUA Act 2025. |
| Marketing: Regulation 13 — opt-in default; soft opt-in capped at 12 months from the sale or last compliant marketing message (Reg 13(11)). | Marketing: Regulation 22 — opt-in default; soft opt-in with no fixed statutory time limit (the ICO advises a reasonable period). |
| Consent standard: EU GDPR (Regulation (EU) 2016/679) definition. | Consent standard: UK GDPR definition. |
| Penalties: primarily criminal prosecution — a class A fine (up to €5,000) per offence on summary conviction, and on indictment up to €250,000 for a body corporate or up to €50,000 for an individual; each message can be a separate offence. | Penalties: administrative fines up to £17.5m or 4% of global turnover, whichever is higher (raised from £500,000 by the DUA Act 2025, in force 5 Feb 2026). |
| Soft opt-in scope: commercial existing-customer relationships; no general charity/non-commercial soft opt-in. | Soft opt-in scope: extended by the DUA Act 2025 (from 5 Feb 2026) to allow charities to use a soft opt-in for charitable purposes. |
| Wider relevance: DPC is lead authority for major platforms established in Ireland, so its positions carry EU-wide weight. | Wider relevance: ICO guidance is the reference point post-Brexit and is now diverging from the EU on cookies. |
Penalties and enforcement: how the two regimes bite differently
The biggest practical divergence is in penalties. In the UK, the Data (Use and Access) Act 2025 lifted the old £500,000 PECR cap and aligned it with the UK GDPR regime: from 5 February 2026 the ICO can impose administrative fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious PECR breaches. That materially raises the stakes for cookie and marketing failures in the UK.
In Ireland, the DPC does not levy administrative fines for ePrivacy breaches under S.I. 336/2011 in the way it does for GDPR breaches. Instead, breaches are criminal offences that the DPC prosecutes through the courts. On summary conviction the penalty is a class A fine, which under the Fines Act 2010 is a fine of up to €5,000 per offence. On conviction on indictment the fine can be up to €250,000 for a body corporate, or up to €50,000 for a natural person, per offence. Because each non-compliant message can be charged as a separate offence, the exposure from a single bulk send can multiply quickly, and a prosecution carries reputational and director-level consequences beyond the headline figure.
In both countries, complaints and regulator sweeps are the usual trigger. The point is that 'we used the GDPR lawful basis of legitimate interests' is not a defence to an ePrivacy marketing or cookie breach: the specific consent and soft opt-in conditions still have to be met.
Common pitfalls when complying across both jurisdictions
Most ePrivacy failures are operational rather than conceptual. The rules are well known; the gaps appear in implementation and in assuming the two regimes are identical.
- Cookies firing before consent: tags load on page render, so non-essential cookies are set before the banner is answered.
- Asymmetric banners: 'Accept all' is one click but 'Reject' takes several, which fails the 'as easy to refuse as to accept' standard.
- Treating the GDPR lawful basis as sufficient: relying on legitimate interests for marketing emails or analytics cookies without meeting the ePrivacy consent or soft opt-in conditions.
- Stretching the soft opt-in: marketing unrelated products, to non-customers, or in Ireland beyond the 12-month window.
- No unsubscribe in every message, or an unsubscribe that is not simple and free.
- Applying one cookie configuration globally: assuming the UK's post-February-2026 analytics exemption also applies to Irish or wider EU users, where consent is still required.
- Failing to keep evidence: no consent records, no banner version history, and no audit trail of who approved the marketing list and on what basis.
2026 regulatory developments: divergence on both sides
The UK and the EU are reforming ePrivacy at the same time but in different directions, so cross-border organisations should expect the two cookie regimes to drift apart rather than converge.
United Kingdom — Data (Use and Access) Act 2025: the Act received Royal Assent on 19 June 2025, and its main data protection and PECR provisions were commenced on 5 February 2026 (by SI 2026/82), with further obligations (such as the new data protection complaints procedure) following from 19 June 2026. From 5 February 2026 it introduced new statutory exemptions to PECR cookie consent, so that certain low-risk uses (for example first-party aggregate statistical analytics, and security, functionality and software-update purposes) no longer require consent, provided users are given clear information and, where relevant, a simple, free way to object. Advertising and cross-site tracking cookies remain outside the exemptions and still need consent. The same day, the Act extended the soft opt-in so that charities can use it for charitable purposes, and raised the PECR fine ceiling to UK GDPR levels. The ICO published updated guidance on the use of storage and access technologies to reflect these changes.
European Union — Digital Omnibus proposal: in November 2025 the European Commission published the Digital Omnibus, a proposal to simplify the EU digital rulebook. As proposed, it would move core cookie rules out of the ePrivacy Directive and into the GDPR (via a new Article 88a) and provide for machine-readable consent, refusal and objection signals (Article 88b), alongside broader exemptions for purposes such as first-party audience measurement, security and user-requested services. This is only a proposal and is not in force; it is expected to move through the Parliament and Council during 2026 and could change substantially. Until it is adopted and any resulting changes take effect, Ireland's S.I. 336/2011 and the existing consent standard continue to apply unchanged.
The net effect for 2026: a UK organisation may lawfully run certain first-party analytics cookies without consent, while the same cookies for Irish or EU users still require consent until any EU reform takes effect. Geo-aware cookie configuration is becoming a practical necessity rather than a refinement.
Building an audit-ready ePrivacy programme across Ireland and the UK
Audit readiness for ePrivacy is about producing evidence on demand: that non-essential cookies fire only after consent (or fall within an applicable exemption), that consent and soft opt-in conditions were met, and that your configuration reflects each jurisdiction's current rules. A defensible programme ties the cookie inventory, consent records, marketing-list provenance and banner configuration together so they can be shown to the DPC or the ICO without a scramble.
Acompli's ePrivacy and PECR review supports this work in an assistive role. The software helps inventory cookies and trackers, drafts and classifies consent and marketing records, flags where a configuration looks misaligned with the relevant regime, and routes findings for review. It surfaces and organises evidence so a person can check it; it does not make autonomous legal determinations. A DPO, privacy lead or lawyer reviews and approves the output, and Acompli does not replace that human judgement. Where the GDPR record-keeping side overlaps, the same source evidence can feed your record of processing activities.
- Maintain a current cookie and tracker inventory mapped to purpose, provider and the consent basis or exemption relied on.
- Keep consent and soft opt-in evidence: what was shown, when, what the user chose, and the source of each marketing contact.
- Run geo-aware banner configuration so UK exemptions are not applied to Irish or wider EU users.
- Version-control your banner and preference centre so you can show what a user saw at any point in time.
- Build a human review and approval step into every marketing campaign and cookie-configuration change.
Primary sources
- UK PECR — Privacy and Electronic Communications (EC Directive) Regulations 2003 (legislation.gov.uk)
- Ireland S.I. 336/2011 — ePrivacy Regulations (Irish Statute Book)
- ICO — Guide to PECR (Privacy and Electronic Communications Regulations)
- DPC — Rules for Direct Electronic Marketing
- ICO — Guidance on the use of storage and access technologies (cookies)
- UK Data (Use and Access) Act 2025 (legislation.gov.uk)
- EU ePrivacy Directive 2002/58/EC (EUR-Lex)
PECR and ePrivacy FAQ for Ireland and the UK
Do I need consent for cookies in both Ireland and the UK?
For non-essential cookies, yes, with one growing difference. In the UK, Regulation 6 of PECR requires consent before storing or accessing information on a user's device, and in Ireland Regulation 5 of S.I. 336/2011 imposes the same core requirement. Both exempt cookies that are strictly necessary to transmit a communication or to provide a service the user has explicitly requested, such as login or shopping-cart cookies. From 5 February 2026 the UK added further statutory exemptions for certain low-risk uses, including first-party aggregate analytics, so those cookies no longer need consent in the UK if you give clear information and a simple way to object. Those new exemptions do not apply in Ireland, where analytics, advertising and personalisation cookies still require consent.
What is the difference between PECR consent and GDPR consent?
They use the same standard. PECR in the UK and S.I. 336/2011 in Ireland both borrow the GDPR or UK GDPR definition of consent, which means a freely given, specific, informed and unambiguous indication given by a clear affirmative action. Pre-ticked boxes, implied consent from continued browsing, and notices that say using the site means you agree do not meet that standard. The difference is scope: the ePrivacy rules govern the act of setting cookies or sending a marketing message, while the GDPR governs the personal data processed afterwards. You generally need to satisfy both.
Can I email existing customers without consent under the soft opt-in?
Sometimes, if strict conditions are met. The existing-customer soft opt-in (Regulation 22 in the UK, Regulation 13 in Ireland) lets you market to people who are already customers without prior consent, but only if you obtained their details directly during a sale or negotiations, you are marketing your own similar products or services, and they were given a simple, free way to opt out both at collection and in every message. Ireland sets a 12-month limit under Regulation 13(11), measured from the sale or the last compliant message the person did not opt out of, after which you need fresh consent. The UK has no fixed statutory time limit, though the ICO advises a reasonable period.
Who enforces ePrivacy rules in Ireland and the UK, and how hard?
In the UK the Information Commissioner's Office (ICO) enforces PECR and, since the Data (Use and Access) Act 2025 took effect on 5 February 2026, can impose administrative fines of up to £17.5 million or 4% of global annual turnover, up from the previous £500,000 cap. In Ireland the Data Protection Commission (DPC) enforces S.I. 336/2011, but ePrivacy breaches are prosecuted as criminal offences through the courts rather than fined administratively. On summary conviction the penalty is a class A fine of up to €5,000 per offence; on conviction on indictment it is up to €250,000 for a company or up to €50,000 for an individual, per offence. Because each non-compliant message can be a separate offence in Ireland, the exposure from a single bulk send can multiply quickly.
Does the GDPR replace PECR or the Irish ePrivacy Regulations?
No. The ePrivacy rules sit on top of the GDPR and are the more specific regime for cookies and electronic marketing. You can have a valid GDPR lawful basis, such as legitimate interests, and still breach PECR or S.I. 336/2011 if you set non-essential cookies without consent or send marketing without the right permission. For cookies and direct electronic marketing, the ePrivacy consent and soft opt-in conditions apply in addition to the GDPR, not instead of it.
If I comply with UK PECR, am I automatically compliant in Ireland?
No, and the gap is widening. The two regimes share the same core consent standard, but they diverge on cookie exemptions, soft opt-in time limits and penalties. Since 5 February 2026 the UK exempts certain low-risk cookies, such as first-party aggregate analytics, from consent, while Ireland still requires consent for the same cookies. Ireland also caps the soft opt-in at 12 months from the sale or last compliant message, which the UK does not. Organisations marketing into both should run geo-aware cookie configuration and treat the two regimes as separate.
What records should we keep to be audit-ready for the DPC or the ICO?
Keep a current cookie and tracker inventory mapped to purpose, provider and the consent basis or exemption relied on; consent records showing what each user was shown, when and what they chose; the provenance of each marketing contact, including how and when details were collected; and version history of your cookie banner and preference centre so you can show what a user saw at any point. For soft opt-in marketing, retain evidence that the person was an existing customer, that the products are similar, that an opt-out was offered at collection and in every message, and in Ireland that the contact falls within the 12-month window. These records let you respond to a DPC or ICO query without reconstructing the position after the fact.
What changes in 2026 for cookies and marketing in the UK and EU?
In the UK, the main provisions of the Data (Use and Access) Act 2025 took effect on 5 February 2026, introducing new PECR cookie-consent exemptions for low-risk uses such as first-party aggregate analytics, security, functionality and software updates, allowing charities to use a soft opt-in for charitable purposes, and raising PECR fines to UK GDPR levels. In the EU, the Commission published the Digital Omnibus proposal in November 2025, which would move cookie rules into the GDPR and allow browser-level consent signals, but it is only a proposal and not in force. Until any EU reform is adopted and takes effect, Ireland's S.I. 336/2011 and the existing consent standard continue to apply unchanged.
Are analytics cookies allowed without consent in Ireland and the UK?
It now depends on the jurisdiction. In the UK, from 5 February 2026 certain first-party analytics cookies used solely to collect aggregate statistics to improve your own service can fall within a new PECR exemption and no longer require consent, provided you give clear information and a simple, free way to object, and provided the data is not shared for other purposes such as advertising. In Ireland, analytics cookies still require consent under Regulation 5 of S.I. 336/2011 because they are not strictly necessary. The same analytics tag may therefore need consent for Irish users but not for UK users, which is why geo-aware configuration matters.
Does Acompli make the legal decision about which cookies or messages are compliant?
No. Acompli's ePrivacy and PECR review is assistive. The software helps inventory cookies and trackers, drafts and classifies consent and marketing records, flags where a configuration looks misaligned with the UK or Irish regime, and routes findings for review. It surfaces and organises the evidence so a person can assess it, but it does not make autonomous legal determinations and does not replace a DPO or lawyer. A human reviews and approves the output, and the final compliance judgement rests with that person.