PECR and ePrivacy Requirements for Cookies and Electronic Marketing in Ireland and the UK
Cookies and electronic marketing are governed by ePrivacy rules that sit alongside the GDPR: in the UK by PECR (enforced by the ICO) and in Ireland by S.I. 336/2011 (enforced by the DPC). This guide compares the two regimes, sets out the consent and soft opt-in conditions, and flags the 2026 reforms.

- Who it binds: anyone setting or accessing information on a user's device (cookies and similar technologies) and anyone sending direct electronic marketing by email, SMS, automated calls or fax.
- Who enforces: the ICO in the UK and the DPC in Ireland. Each can investigate, audit and act on complaints.
- How the GDPR connects: the ePrivacy rules govern the act of setting cookies or sending the message; the GDPR governs the personal data processed once that data is in scope. You generally need to satisfy both.
- Territorial reach: marketing aimed at users in the UK engages PECR; marketing aimed at users in Ireland engages S.I. 336/2011, regardless of where the sender is established.
- Consent must be obtained before non-essential cookies are set, not after the page has loaded and already dropped them.
- Rejecting cookies must be as easy as accepting them; a prominent 'Accept all' with a buried or multi-click 'Reject' is a common compliance failure.
- You must give granular control by purpose (for example analytics versus advertising), not a single all-or-nothing switch.
- The strictly-necessary exemptions cover technical necessity only. 'We need analytics to run our business' has not historically qualified as strictly necessary under either regime.
- The UK's new February 2026 cookie exemptions are separate from the strictly-necessary test and do not apply in Ireland; advertising and cross-site tracking cookies still need consent in both jurisdictions.
- Consent should be refreshed periodically and is not a one-time, indefinite permission.
- You obtained the contact details directly from the person in the course of a sale or negotiations for a sale of a product or service.
- You are marketing your own similar products or services only (not unrelated lines, and not third-party marketing).
- The person was given a simple, free means to opt out when their details were collected, and is given that opportunity in every subsequent message.
- Ireland (Regulation 13(11)) sets a 12-month limit: the soft opt-in applies only where the sale, or the last compliant marketing message the person did not opt out of, occurred within the previous 12 months, after which fresh consent is needed.
- Corporate subscribers: marketing to individual employees at named corporate email addresses still attracts opt-out and identification duties; the soft opt-in is designed for individual-subscriber relationships, and most B2B email instead relies on documented legitimate interests under the GDPR or UK GDPR.
| Ireland — DPC (S.I. 336/2011) | UK — ICO (PECR 2003) |
|---|---|
| Regulator: Data Protection Commission (DPC). | Regulator: Information Commissioner's Office (ICO). |
| Cookies: Regulation 5 — consent required for non-essential cookies; only the strictly-necessary exemption applies and it is read narrowly. | Cookies: Regulation 6 — consent required, but with new statutory exemptions (e.g. first-party aggregate analytics, security, functionality, software updates) from 5 Feb 2026 under the DUA Act 2025. |
| Marketing: Regulation 13 — opt-in default; soft opt-in capped at 12 months from the sale or last compliant marketing message (Reg 13(11)). | Marketing: Regulation 22 — opt-in default; soft opt-in with no fixed statutory time limit (the ICO advises a reasonable period). |
| Consent standard: EU GDPR (Regulation (EU) 2016/679) definition. | Consent standard: UK GDPR definition. |
| Penalties: primarily criminal prosecution — a class A fine (up to €5,000) per offence on summary conviction, and on indictment up to €250,000 for a body corporate or up to €50,000 for an individual; each message can be a separate offence. | Penalties: administrative fines up to £17.5m or 4% of global turnover, whichever is higher (raised from £500,000 by the DUA Act 2025, in force 5 Feb 2026). |
| Soft opt-in scope: commercial existing-customer relationships; no general charity/non-commercial soft opt-in. | Soft opt-in scope: extended by the DUA Act 2025 (from 5 Feb 2026) to allow charities to use a soft opt-in for charitable purposes. |
| Wider relevance: DPC is lead authority for major platforms established in Ireland, so its positions carry EU-wide weight. | Wider relevance: ICO guidance is the reference point post-Brexit and is now diverging from the EU on cookies. |
- Cookies firing before consent: tags load on page render, so non-essential cookies are set before the banner is answered.
- Asymmetric banners: 'Accept all' is one click but 'Reject' takes several, which fails the 'as easy to refuse as to accept' standard.
- Treating the GDPR lawful basis as sufficient: relying on legitimate interests for marketing emails or analytics cookies without meeting the ePrivacy consent or soft opt-in conditions.
- Stretching the soft opt-in: marketing unrelated products, to non-customers, or in Ireland beyond the 12-month window.
- No unsubscribe in every message, or an unsubscribe that is not simple and free.
- Applying one cookie configuration globally: assuming the UK's post-February-2026 analytics exemption also applies to Irish or wider EU users, where consent is still required.
- Failing to keep evidence: no consent records, no banner version history, and no audit trail of who approved the marketing list and on what basis.
- Maintain a current cookie and tracker inventory mapped to purpose, provider and the consent basis or exemption relied on.
- Keep consent and soft opt-in evidence: what was shown, when, what the user chose, and the source of each marketing contact.
- Run geo-aware banner configuration so UK exemptions are not applied to Irish or wider EU users.
- Version-control your banner and preference centre so you can show what a user saw at any point in time.
- Build a human review and approval step into every marketing campaign and cookie-configuration change.
Where Acompli fits for PECR and ePrivacy
Best for teams operating across Ireland and the UK where cookie and marketing rules now diverge: Acompli keeps the cookie inventory, consent basis or exemption, soft opt-in evidence, banner version and reviewer decision in one audit-ready record. It flags configurations that look misaligned with the UK or Irish regime and routes them for human review, so a UK-only analytics exemption is not accidentally applied to Irish or wider EU users.
See Acompli PECR and ePrivacy review
Primary sources
- UK PECR — Privacy and Electronic Communications (EC Directive) Regulations 2003 (legislation.gov.uk)
- Ireland S.I. 336/2011 — ePrivacy Regulations (Irish Statute Book)
- ICO — Guide to PECR (Privacy and Electronic Communications Regulations)
- DPC — Rules for Direct Electronic Marketing
- ICO — Guidance on the use of storage and access technologies (cookies)
- UK Data (Use and Access) Act 2025 (legislation.gov.uk)
- EU ePrivacy Directive 2002/58/EC (EUR-Lex)