The UK’s Data (Use and Access) Act 2025 (DUAA) ushers in the biggest shift to direct-marketing enforcement in years. The headline: maximum penalties for PECR breaches (think unlawful email/SMS, telemarketing, and cookies/tracking) are being lifted from £500,000 to UK-GDPR levels – up to £17.5m or 4% of global turnover, whichever is higher.
Alongside the higher caps, the ICO is refreshing its cookies and “storage and access technologies” guidance to reflect the DUAA, including a new chapter on exceptions (when consent may not be required). A public consultation is open, with changes expected to inform enforcement in the months ahead.
Quick background: PECR vs UK GDPR (and why this matters)
PECR (the Privacy and Electronic Communications Regulations) governs electronic marketing and device-level tracking (cookies, SDKs, similar tech). UK GDPR governs the processing of personal data more broadly (lawful bases, transparency, rights, etc.).
Historically, PECR fine caps were lower – max £500k – even though many practical marketing risks live under PECR (for example, email consent rules and cookie banners). DUAA changes that imbalance by aligning PECR fines with UK GDPR. In short: the things marketers do most often now carry the same penalty ceiling as major data-protection breaches.
The DUAA is being phased in between June 2025 and June 2026, with multiple commencement regulations. Organisations should track commencement dates and ICO materials to time policy and UI updates.
What’s actually changing (in plain English)
- Fine caps: PECR penalties will now be able to reach £17.5m or 4% worldwide turnover (whichever is higher), instead of the previous £500k ceiling. Expect tougher consequences for egregious or repeated violations – such as spam campaigns, ignoring opt-outs, or manipulative cookie banners.
- ICO’s standing: The regulator (soon to be the re-structured Information Commission) is gaining investigative powers to demand documents and interviews, strengthening its ability to act on non-compliance quickly.
- Cookie guidance refresh: The ICO’s draft “Storage and Access Technologies” guidance adds an exceptions chapter reflecting the DUAA, clarifying when certain analytics or low-risk uses might not need consent. Don’t confuse this with a free pass – many scenarios, such as ad tracking and cross-site profiling, will still require consent.
Impact on email marketing (B2C and B2B)
- Consent and soft opt-in discipline
For B2C, PECR generally requires prior consent for unsolicited marketing email or SMS unless the soft opt-in applies: you obtained the contact details in the course of a sale or negotiations for a sale, you are marketing your own similar products or services, and you offered a simple opt-out at collection and repeat it in every message. Sloppy use of the soft opt-in is where many businesses trip up. For B2B (corporate subscribers) the rules are more permissive, but sole traders and some partnerships count as individual subscribers and get the B2C protection, and in every case you must still identify yourself, offer an opt-out in every message and honour suppressions. With higher fines in play, evidence of consent or a valid soft opt-in, plus robust suppression hygiene, becomes non-negotiable.
- Deliverability requirements tighten the screws
In parallel, the big mailbox providers (Google and Yahoo set the tone with their 2024 bulk-sender requirements) enforce stricter sender standards: SPF and DKIM passing with DMARC alignment, RFC 8058 one-click unsubscribe, and spam-complaint rates kept below roughly 0.3%. None of this is PECR itself, but failing it tanks deliverability, and the complaints that come from weak consent foundations and poor list hygiene are the same complaints that draw regulatory attention. Treat the technical standards as part of your compliance stack, not just deliverability.
- Record-keeping becomes a moat
If you can’t prove consent or a valid soft opt-in (time and date, source, the exact wording shown, purpose, and the chain of custody from the capture point to your ESP), you’re vulnerable. Under the higher caps, a missing audit trail for a high-volume mailer is a serious risk, especially if complaints spike.
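As an added illustration of the sender standards above (example code written for this page, not from the original post or any vendor), the following Node.js script checks a message's headers for the three things mailbox providers look at first: SPF alignment, DKIM alignment, and RFC 8058 one-click unsubscribe. It assumes that the Return-Path header stands in for the envelope MAIL FROM that SPF actually evaluates, and it approximates relaxed DMARC alignment by comparing the last two DNS labels, which is wrong for domains such as example.co.uk (a production check needs the Public Suffix List). The sample messages are constructed, and nothing here verifies a DKIM signature or an SPF record, only that the identities line up.

```javascript
// Added example: header-level sender checks over constructed sample messages.
// Assumptions: Return-Path stands in for the SPF MAIL FROM identity; relaxed
// alignment is approximated with the last two labels (no Public Suffix List);
// signatures and DNS records are not verified, only identity alignment.

function parseHeaders(raw) {
  // Unfold continuation lines (RFC 5322 section 2.2.3), then split name/value.
  const unfolded = raw.replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }
  return headers;
}

function parseTags(value) {
  // DKIM-Signature is a ';'-separated tag=value list; b= and bh= values contain
  // '=' themselves, so split each part on the first '=' only.
  const tags = {};
  for (const part of value.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}

function domainOf(addr) {
  const m = /@([A-Za-z0-9.-]+)/.exec(addr || '');
  return m ? m[1].toLowerCase() : null;
}

function orgDomain(domain) {
  // Approximation of the organisational domain; see the PSL caveat above.
  return domain.split('.').slice(-2).join('.');
}

function aligned(fromDomain, other) {
  return Boolean(fromDomain && other && orgDomain(fromDomain) === orgDomain(other));
}

function checkSender(raw) {
  const h = parseHeaders(raw);
  const first = (name) => (h[name] ? h[name][0] : '');
  const fromDomain = domainOf(first('from'));
  const spfDomain = domainOf(first('return-path'));
  const dkimDomain = (parseTags(first('dkim-signature')).d || '').toLowerCase() || null;
  const unsubUris = [...first('list-unsubscribe').matchAll(/<([^>]+)>/g)].map((m) => m[1]);
  const result = {
    fromDomain,
    dkimAligned: aligned(fromDomain, dkimDomain),
    spfAligned: aligned(fromDomain, spfDomain),
    // RFC 8058 one-click: an https URI in List-Unsubscribe plus a
    // List-Unsubscribe-Post header carrying exactly this value.
    oneClickUnsubscribe:
      unsubUris.some((u) => u.startsWith('https://')) &&
      /^List-Unsubscribe=One-Click$/i.test(first('list-unsubscribe-post')),
    mailtoUnsubscribe: unsubUris.some((u) => u.startsWith('mailto:')),
  };
  result.pass = result.dkimAligned && result.spfAligned && result.oneClickUnsubscribe;
  return result;
}

// Constructed sample messages (headers only). The first is what a well-set-up
// sender looks like; the second signs and bounces through the ESP's own domain.
const ALIGNED_MESSAGE = [
  'Return-Path: <bounces@bounce.example.com>',
  'From: Example Offers <news@example.com>',
  'DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2025;',
  ' h=from:to:subject:date; bh=Zm9vYmFy==; b=YmFyYmF6==',
  'List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/u/abc123>',
  'List-Unsubscribe-Post: List-Unsubscribe=One-Click',
  'Subject: Your monthly offers',
].join('\n');

const UNALIGNED_MESSAGE = [
  'Return-Path: <bounces@esp-sender.net>',
  'From: Example Offers <news@example.com>',
  'DKIM-Signature: v=1; a=rsa-sha256; d=esp-sender.net; s=shared; bh=Zm9vYmFy==; b=YmFyYmF6==',
  'List-Unsubscribe: <mailto:unsubscribe@esp-sender.net>',
  'Subject: Your monthly offers',
].join('\n');

console.log(checkSender(ALIGNED_MESSAGE));
console.log(checkSender(UNALIGNED_MESSAGE));
```

The second message is the common failure mode: the ESP signs with its own d= and bounces to its own domain, so DMARC on example.com sees nothing aligned even though SPF and DKIM both "pass" in isolation. Fixing it means a DKIM selector for your domain and a bounce subdomain you control, not a change at the mailbox provider.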
Impact on cookies, analytics and tracking
The ICO’s refreshed draft clarifies the exceptions to consent for certain “storage/access” scenarios post-DUAA. Expect nuances – for example, strictly necessary operations or some low-risk first-party analytics – but many marketing uses, such as ad tracking, cross-site profiling and retargeting, will still require consent. Relying on a blanket “legitimate interests” stance for cookies won’t cut it: PECR’s consent requirement sits alongside your UK GDPR lawful basis, not instead of it. Your banner language, consent UI and vendor configuration need to reflect the new guidance once it is finalised.
Enforcement outlook: what to expect
- Bigger cases, sharper tools: With penalty ceilings aligned and powers strengthened, expect the ICO to prioritise high-impact conduct such as mass unsolicited communications, ignoring opt-outs, and manipulative consent flows.
- Cookies remain hot: The ICO has repeatedly signalled focus on cookies and online tracking. The consultation suggests the rules are being tightened and clarified, not relaxed.
- Proportionate but firm: The ICO says it uses powers in a targeted and proportionate way. That typically means guidance first, then enforcement where organisations won’t engage or keep repeating mistakes. Don’t be the repeat offender.
What to do this quarter (practical checklist)
- Re-validate your PECR basis for every send type
Map B2C vs B2B flows; confirm where consent applies and when the soft opt-in is valid. Store the evidence and make your unsubscribe one-click and prominent.
- Tighten suppression hygiene
Sync suppressions across all platforms (ESP, CRM, helpdesk, sales tools). Suppress at the person level, not just the list: an unsubscribe from one campaign must follow the individual into every other system that can send to them. Test the journey end to end – unsubscribe, re-subscribe, preference changes.
- Harden your sender setup
Ensure SPF and DKIM pass with DMARC alignment on every sending domain and subdomain and publish a DMARC policy; implement the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058 one-click) alongside a visible unsubscribe link in the body; monitor complaint rates; and put click-tracking links on a subdomain you control, served over HTTPS, rather than the ESP’s shared tracking domain.
- Refresh cookie banners and policies
Inventory every tag or SDK. Categorise them (strictly necessary vs consent-requiring). Update your CMP so non-essential tools don’t fire without consent. Prepare for the ICO’s final wording on exceptions and keep your policy text in lock-step.
- Vendor governance
Re-paper high-risk ad/measurement partners; require consent signals before activation. Make sure your contracts reflect PECR responsibilities and DUAA changes.
- Evidence ready-pack
Build a lightweight pack your team can produce in hours: consent logs, suppression policies, cookie configuration exports, and screenshots of your consent flows. If the ICO asks, you have it ready.
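To make the "non-essential tools don’t fire without consent" item in the checklist concrete, here is an added example of a consent gate in the style of a CMP hook (example code written for this page, not the original post’s code and not any particular CMP’s API). The tag inventory, the category names and the shape of the consent record are constructed for illustration; `loadScript` stands in for inserting a `<script>` element, so the walk-through runs in Node without a DOM. The gate defaults to no grant, fires each tag at most once, fails closed on a category the CMP never mapped, treats anything other than a literal `true` (a pre-ticked box serialised as `'on'`, say) as no grant, and writes an audit record for every choice so the evidence ready-pack has something to export.

```javascript
// Added example: a default-deny, fire-once consent gate with an audit log.
// Inventory, categories and the consent-record shape are constructed for
// illustration; loadScript replaces DOM script insertion.

const TAG_INVENTORY = [
  { id: 'session', category: 'necessary', src: 'https://www.example.com/js/session.js' },
  { id: 'first-party-stats', category: 'analytics', src: 'https://www.example.com/js/stats.js' },
  { id: 'ad-pixel', category: 'marketing', src: 'https://ads.example-partner.net/pixel.js' },
  { id: 'retargeting', category: 'marketing', src: 'https://rt.example-partner.net/tag.js' },
  // A tag whose category was never mapped in the CMP: it must fail closed.
  { id: 'ab-testing', category: 'experimentation', src: 'https://www.example.com/js/ab.js' },
];

function createConsentGate(inventory, loadScript) {
  const fired = new Set();
  const auditLog = [];
  // Default state is "no grant"; continuing to browse never becomes consent,
  // and a category missing from this object is treated as not granted.
  let consent = { analytics: false, marketing: false };

  const allowed = (tag) => tag.category === 'necessary' || consent[tag.category] === true;

  function fireAllowed() {
    for (const tag of inventory) {
      if (fired.has(tag.id) || !allowed(tag)) continue;
      loadScript(tag);
      fired.add(tag.id);
    }
  }

  return {
    // On page load, before any banner interaction: strictly necessary only.
    init() { fireAllowed(); },
    // Called when the visitor makes an explicit choice. Only a literal true is
    // a grant, so a pre-ticked box serialised as 'on' or 1 does not count.
    recordChoice(choice, bannerVersion) {
      consent = { analytics: choice.analytics === true, marketing: choice.marketing === true };
      auditLog.push({ at: new Date().toISOString(), bannerVersion, granted: { ...consent } });
      fireAllowed();
    },
    // Withdrawal stops future firing; a script that already ran cannot be
    // unloaded, so a real CMP also signals vendors or reloads the page here.
    withdraw() {
      consent = { analytics: false, marketing: false };
      auditLog.push({ at: new Date().toISOString(), withdrawn: true });
    },
    firedTags: () => [...fired],
    auditLog: () => auditLog.slice(),
    consentState: () => ({ ...consent }),
  };
}

// Constructed walk-through using a recording loader instead of the DOM.
function demo() {
  const loaded = [];
  const gate = createConsentGate(TAG_INVENTORY, (tag) => loaded.push(tag.id));
  gate.init();                                                          // session only
  gate.recordChoice({ analytics: true, marketing: false }, 'banner-v3');  // + first-party-stats
  gate.recordChoice({ analytics: true, marketing: 'on' }, 'banner-v3');   // 'on' is not a grant
  gate.recordChoice({ analytics: true, marketing: true }, 'banner-v3');   // + ad-pixel, retargeting
  gate.withdraw();                                                      // no further firing
  return { loaded, log: gate.auditLog(), state: gate.consentState() };
}

console.log(demo());
```

Note that the first-party analytics tag is gated behind consent here. If the ICO’s final exceptions chapter permits a specific low-risk analytics use without consent, move that tag to an exempt category only once the wording is final and your cookie policy text says the same thing.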
For boards and non-marketing stakeholders
The larger fines change the risk calculus. Direct-marketing and tracking practices now carry strategic (not just operational) risk. Budgeting for compliance work – data quality, consent UX, CMP upgrades, suppression automation – is a cost-avoidance play against seven- or eight-figure exposure. Keep a simple risk register with owners and dates, aligned to the DUAA commencement timetable.
Where TDP can help
- Data quality & suppression: We run free audits to spot consent gaps, stale data, and suppression sync issues before they bite.
- PECR-savvy campaign setup: From B2C consent to B2B opt-out flows, list-unsubscribe, and cookie-aware landing pages, we’ll help you ship campaigns that perform and pass scrutiny.