PECR in the Public Sector: A Practical Guide
If you work in communications or marketing for a public sector organisation, there is a good chance that PECR has caused you some confusion. The Privacy and Electronic Communications Regulations 2003 sit alongside the UK GDPR and govern how organisations can contact people by email, text message, phone and through cookies on their websites. For councils, NHS trusts, housing associations and government bodies running digital services for the public sector, the rules create particular headaches. This is not because the regulations are especially harsh on the public sector, but because the line between a service communication and a marketing message is not always obvious. Many public sector comms teams have responded by being overly cautious, avoiding electronic communications altogether or burying useful information behind unnecessary consent walls. That caution is understandable, but it often means residents, patients and service users miss out on information they actually need.
This guide is aimed at public sector marketing and communications teams who want to understand what PECR actually requires, where the common misunderstandings lie and what practical steps will keep your organisation compliant without tying your hands. The ICO has been clear that most public sector messages about service delivery are not direct marketing and understanding that distinction properly is the key to getting this right.
What Is PECR and Why Does It Matter for Public Sector Organisations?
PECR stands for the Privacy and Electronic Communications Regulations 2003. It is a separate piece of legislation from the UK GDPR, though the two work together. While the UK GDPR provides a broad framework for data protection, PECR deals specifically with electronic communications. It covers unsolicited marketing by email, text and phone. It covers the use of cookies and similar tracking technologies. And it covers certain aspects of communications network security and subscriber privacy.
The regulations were originally introduced to implement an EU directive and have been amended several times since 2003. They are enforced by the Information Commissioner’s Office (ICO), which has the power to issue fines for non-compliance. The ICO tends to focus its enforcement activity on the most egregious cases of unsolicited marketing, particularly nuisance calls and spam email campaigns. But the regulations apply equally to public sector bodies and the reputational damage of getting electronic communications wrong can be significant even if a formal fine never materialises.
For public sector organisations, PECR matters because electronic communication is increasingly the most efficient way to reach the people you serve. Email newsletters about local services, text message reminders for NHS appointments, council tax payment notifications and consultations on planning applications are all electronic communications that fall within the scope of PECR. Understanding which of these require consent and which do not is essential for running effective communications without crossing legal lines.
It is also worth noting that PECR applies to the organisation sending the message, not the platform used. If your council sends an email through a third-party marketing platform, PECR obligations still sit with the council. The same applies to text messages sent through bulk SMS services. Outsourcing the delivery does not outsource the compliance responsibility.
Service Communications vs Direct Marketing: The Key Distinction
This is where most of the confusion sits and it is the single most important thing to understand about PECR in the public sector context. Regulation 22 of PECR restricts unsolicited electronic communications for the purposes of direct marketing. That is the trigger. If a message is not direct marketing, Regulation 22 does not apply to it.
The ICO defines direct marketing broadly. It includes any communication of advertising or marketing material directed at particular individuals. That sounds like it could catch almost anything, but the ICO has also been explicit that not every communication from an organisation to an individual counts as marketing. Service messages, transactional updates and communications that are necessary for the performance of a public task are generally not direct marketing.
Consider some practical examples. A council sending an email to notify a resident that their bin collection day has changed is a service communication. An NHS trust texting a patient to remind them about an upcoming appointment is a service communication. A housing association writing to a tenant about planned maintenance work is a service communication. None of these are promoting goods or services. They are informing people about things that directly affect them.
The ICO has made clear that most communications from public sector organisations about their services and activities are not direct marketing. Organisations that treat every email as a marketing message are being more restrictive than the law requires.
Where it becomes marketing is when you are actively promoting something. A council email encouraging residents to sign up for a new leisure centre membership scheme is marketing. An NHS trust promoting a private patient service is marketing. A housing association advertising a community event that is not directly related to the tenant’s tenancy is likely marketing. The test is whether the communication is designed to influence the recipient’s behaviour in a way that goes beyond simply informing them about services they already use or are entitled to.
| Communication Type | Example | PECR Classification | Consent Required? |
|---|---|---|---|
| Appointment reminder | NHS text reminding patient of GP appointment | Service communication | No (not direct marketing) |
| Service change notification | Council email about changed bin collection days | Service communication | No (not direct marketing) |
| Tenancy update | Housing association letter about planned repairs | Service communication | No (not direct marketing) |
| Promotional campaign | Council email promoting new leisure centre membership | Direct marketing | Yes (consent or soft opt-in) |
| Fundraising appeal | NHS charity email asking for donations | Direct marketing | Yes (consent required) |
| Consultation invitation | Council email inviting residents to planning consultation | Depends on context | May not be required if linked to public task |
The grey area often sits around consultations, surveys and community engagement. An email inviting residents to participate in a statutory planning consultation is arguably part of the council’s public duty rather than marketing. An email promoting a non-statutory wellbeing survey is closer to the marketing end of the spectrum. In these borderline cases, the safest approach is to consider the primary purpose of the message and whether it is genuinely informing people about something relevant to them or trying to generate engagement with something optional.
Consent, Soft Opt-In and Legitimate Interest Under PECR
When a communication does fall into the direct marketing category, PECR requires that you have a lawful basis for sending it. For electronic marketing messages sent to individuals, this normally means consent. PECR consent must be freely given, specific, informed and unambiguous. Pre-ticked boxes do not count. Buried clauses in terms and conditions do not count. The person must have taken a clear, affirmative action to indicate that they are happy to receive marketing communications from you.
There is an exception known as the soft opt-in, which applies when you have collected someone’s contact details in the course of a sale or negotiation of a sale. Under the soft opt-in, you can send marketing messages about similar products or services, provided you gave the person the chance to opt out when their details were collected and you include an opt-out mechanism in every subsequent message. For most public sector organisations, the soft opt-in has limited application because public services are not typically sold in the commercial sense. However, it can apply in specific circumstances, such as a council-run leisure service where a resident has purchased a membership or booked a class.
It is important not to confuse the UK GDPR concept of legitimate interest with PECR consent requirements. Legitimate interest is a lawful basis for processing personal data under the UK GDPR and public sector organisations can sometimes rely on the public task basis instead. But PECR has its own separate rules for electronic marketing and legitimate interest under the UK GDPR does not override the need for PECR consent when sending unsolicited marketing emails or texts. The two regimes operate in parallel. You need to comply with both.
For non-marketing communications, the picture is simpler. If you are sending service messages that fall outside the definition of direct marketing, PECR’s consent rules for marketing do not apply. You still need a UK GDPR lawful basis for processing the personal data involved in sending the message, but that is a separate question. Public sector organisations can often rely on the public task basis under Article 6(1)(e) of the UK GDPR for service communications, which is well established and does not require individual consent.
- Consent for PECR marketing must be specific, informed and involve a clear affirmative action from the individual
- The soft opt-in exception has limited relevance for most public sector bodies but may apply to commercial services like leisure centres
- Legitimate interest under the UK GDPR does not replace the requirement for PECR consent when sending electronic marketing
- Service communications that are not direct marketing fall outside Regulation 22 and do not need PECR marketing consent
- Every marketing message must include a clear and easy way for the recipient to opt out
Cookies and Analytics on Public Sector Websites
PECR does not only cover emails and text messages. Regulation 6 deals with the use of cookies and similar technologies on websites and this is where most public sector organisations interact with PECR on a daily basis without necessarily thinking of it that way. Every time someone visits your council website, NHS trust site or housing association portal, the cookies your site sets are governed by PECR.
The basic rule is straightforward. You must not set a cookie on a user’s device unless that user has been given clear information about the cookie and has given their consent. There are narrow exemptions for cookies that are strictly necessary for a service that the user has explicitly requested. A session cookie that keeps a user logged in while they complete a form is strictly necessary. An analytics cookie that tracks how many people visit your homepage is not.
This is where many public sector websites fall short. Running Google Analytics or a similar analytics platform without obtaining proper cookie consent is a PECR breach, regardless of how useful the data is for improving services. The ICO has been increasingly vocal about this. Their own website serves as a model for compliant cookie consent, with a clear banner that separates strictly necessary cookies from analytics and functional cookies and allows users to accept or reject each category.
Implementing proper cookie consent on a public sector website requires more than just adding a banner. The consent mechanism needs to genuinely work. Analytics cookies must not fire until the user has actively consented. Rejecting cookies must be as easy as accepting them. And the choices the user makes need to be respected, stored and applied consistently across the site. Many of the free cookie consent plugins available for content management systems do not actually prevent cookies from loading before consent is given, which defeats the entire purpose.
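The gating logic described above, as an added example that is not code from the page or from any consent plugin: consent is stored as a record, nothing outside the "necessary" category is set before an explicit choice, rejection is a single action like acceptance, and a later withdrawal reports which cookies already on the device must be removed. Category names and the cookie jar are constructed for illustration.

```javascript
// Added example, not code from the page or any consent plugin: a minimal
// consent gate for a public sector site. Cookies are grouped into categories;
// nothing outside "necessary" is set until an explicit choice is stored, and a
// later rejection reports which cookies already on the device must be deleted.

const CATEGORIES = ["necessary", "analytics", "functional", "marketing"];

// Consent record as it would be kept in a first-party, strictly necessary
// cookie. Before any choice, every non-essential category is off.
function defaultConsent() {
  return { chosen: false, analytics: false, functional: false, marketing: false };
}

// Accepting and rejecting are symmetric single actions: rejecting must be as
// easy as accepting, so neither path needs extra steps.
function acceptAll() {
  return { chosen: true, analytics: true, functional: true, marketing: true };
}
function rejectAll() {
  return { chosen: true, analytics: false, functional: false, marketing: false };
}
// Granular choice: only the listed non-essential categories are enabled.
function choose(selected) {
  const consent = rejectAll();
  for (const cat of selected) {
    if (cat !== "necessary" && CATEGORIES.includes(cat)) consent[cat] = true;
  }
  return consent;
}

// May a cookie of this category be set under the stored consent record?
function mayStore(category, consent) {
  if (category === "necessary") return true;          // exempt under Regulation 6
  if (!CATEGORIES.includes(category)) return false;   // unknown category: deny
  return consent.chosen === true && consent[category] === true;
}

// Gate a script loader (e.g. an analytics tag). `loader` is only invoked when
// consent allows, so the tag cannot fire on a first visit or after a rejection.
function loadIfPermitted(category, consent, loader) {
  if (!mayStore(category, consent)) return false;
  loader();
  return true;
}

// Apply a (new) choice to cookies already present. `jar` maps cookie name to
// category; returns the names that must now be removed from the device.
function cookiesToDelete(jar, consent) {
  return Object.keys(jar).filter((name) => !mayStore(jar[name], consent));
}
```

A real site would persist the record returned by `choose`, `acceptAll` or `rejectAll` in a first-party cookie and call `loadIfPermitted` from the page's script loader, so the analytics tag is simply never requested until that record allows it.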
Server-side analytics and privacy-focused alternatives to Google Analytics are worth considering for public sector sites. Tools that process data without setting cookies, or that anonymise data before it leaves the user’s browser, can provide useful insights while reducing the compliance burden. The ICO has indicated that it views organisations more favourably when they take a privacy-by-design approach to analytics rather than simply bolting on a cookie banner and hoping for the best.
The Data (Use and Access) Act: What Is Changing for PECR
PECR is not standing still. The Data (Use and Access) Act, which received Royal Assent in 2025, includes provisions that will update parts of PECR when they come into force. The changes are intended to modernise the cookie consent regime and reduce the burden on both organisations and users, while maintaining meaningful privacy protections.
One of the most significant proposed changes relates to cookies. The Act introduces a broader category of situations where cookies can be set without prior consent, including for web analytics purposes where the data is not used for profiling or shared with third parties. If implemented as drafted, this would mean that public sector organisations using privacy-focused analytics tools could collect basic usage data without a separate consent interaction for those analytics cookies. Strictly necessary cookies would remain exempt as they are now and marketing or advertising cookies would still require consent.
The Act also signals a move toward a more outcomes-based approach to electronic communications regulation. Rather than prescribing exact mechanisms for consent, the direction of travel is toward holding organisations accountable for the outcomes their communications produce. For public sector bodies that are already communicating responsibly and transparently with their service users, this shift should be welcome rather than alarming.
It is worth being cautious about how quickly these changes will take practical effect. The Act sets out powers to make changes via secondary legislation and the detailed regulations have not all been published yet. The ICO will need to update its guidance to reflect the new framework. In the meantime, the existing PECR rules remain fully in force. The sensible approach is to stay compliant with current requirements while keeping an eye on the implementation timeline for the new provisions.
Practical Steps for PECR Compliance in the Public Sector
Getting PECR right in the public sector is not about building complex compliance frameworks. It is about understanding a few core principles and applying them consistently across your communications. The following steps cover the areas where public sector organisations most commonly go wrong.
Start by auditing your existing electronic communications. Map every email, text message and automated notification your organisation sends. Categorise each one as either a service communication or direct marketing. For the service communications, make sure you have a UK GDPR lawful basis documented. For the marketing messages, check that you are collecting proper consent and offering a clear opt-out. This audit will almost certainly reveal messages that have been treated as marketing when they are actually service communications, freeing you up to send them more confidently.
Review your website’s cookie implementation. Check which cookies are being set, when they load in relation to user consent and whether your consent mechanism genuinely prevents non-essential cookies from firing until the user agrees. If your cookie banner is decorative rather than functional, it needs replacing. The ICO provides detailed guidance on what a compliant cookie consent mechanism looks like and their own website demonstrates it in practice.
Train your communications team. PECR compliance fails most often at the point where someone decides to send a message, not at the policy level. If your comms officers, marketing managers and digital teams understand the difference between service communications and direct marketing, they will make better decisions every day. The ICO’s direct marketing guidance is written in accessible language and is a good starting resource for team training.
Document your decisions. When you categorise a communication as a service message rather than marketing, write down your reasoning. If the ICO ever queries your approach, having a clear rationale on record is far more persuasive than trying to reconstruct your thinking after the fact. This documentation does not need to be elaborate. A simple register of communication types, their purpose and their PECR classification is sufficient.
Build consent mechanisms that actually work. If you are sending marketing emails, the sign-up process must clearly explain what the person is subscribing to and how often they will hear from you. Every message must include an unsubscribe link that works immediately, not one that takes fourteen days to process or redirects to a login page. And your suppression list, the list of people who have opted out, must be checked before every send. Sending a marketing email to someone who has unsubscribed is one of the most common PECR complaints the ICO receives.
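The audit register, consent check and suppression-list check from the steps above, combined into one pre-send gate as an added example (not code from the page or from any real mailing system). The register entries, addresses and consent records are constructed; a service message passes on its documented UK GDPR basis alone, while a marketing message needs recorded consent or soft opt-in, an opt-out link, and a recipient who is not on the suppression list.

```javascript
// Added example, not from the page or any real system: a pre-send gate that
// encodes the page's rules. The REGISTER and recipient data are constructed.

// Register of communication types, their purpose and PECR classification,
// as the page's "simple register" suggests.
const REGISTER = {
  "bin-day-change": {
    classification: "service", lawfulBasis: "public task, UK GDPR Art 6(1)(e)",
  },
  "leisure-promo": { classification: "marketing", lawfulBasis: "consent" },
  "wellbeing-survey": { classification: "undecided" },
};

function normaliseEmail(addr) {
  return addr.trim().toLowerCase();
}

// Decide whether one recipient may receive one message type.
// `consents` maps normalised address -> { affirmative, softOptIn };
// `suppression` is a Set of normalised addresses that have opted out.
function canSend(messageType, recipient, message, consents, suppression) {
  const entry = REGISTER[messageType];
  if (!entry) return { ok: false, reason: "message type not in register" };
  if (entry.classification === "service") {
    return entry.lawfulBasis
      ? { ok: true, reason: "service communication, outside Regulation 22" }
      : { ok: false, reason: "no UK GDPR lawful basis documented" };
  }
  if (entry.classification !== "marketing") {
    return { ok: false, reason: "classification undecided; do not send" };
  }
  if (!message.hasOptOutLink) return { ok: false, reason: "marketing message lacks opt-out" };
  const addr = normaliseEmail(recipient);
  if (suppression.has(addr)) return { ok: false, reason: "recipient has opted out" };
  const consent = consents.get(addr);
  if (!consent || !(consent.affirmative || consent.softOptIn)) {
    return { ok: false, reason: "no PECR consent on record" };
  }
  return { ok: true, reason: consent.affirmative ? "consent" : "soft opt-in" };
}

// Run the gate over a whole list; returns who is sent to and why others drop.
function planSend(messageType, recipients, message, consents, suppression) {
  const send = [], dropped = [];
  for (const r of recipients) {
    const d = canSend(messageType, r, message, consents, suppression);
    (d.ok ? send : dropped).push({ recipient: normaliseEmail(r), reason: d.reason });
  }
  return { send, dropped };
}
```

Note that an address on the suppression list still receives service communications such as a bin collection change; opting out of marketing does not opt someone out of messages about services they use.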
FAQs
Does PECR still apply in the UK after Brexit?
Yes. PECR was retained in UK law after Brexit and continues to apply in full. The regulations are enforced by the ICO. While the EU has been developing the ePrivacy Regulation as a replacement for the original directive, the UK is updating PECR through the Data (Use and Access) Act instead. The core requirements around consent for electronic marketing and cookie usage remain in force and are actively enforced.
Is PECR stricter than the UK GDPR?
In some areas, yes. The UK GDPR allows several lawful bases for processing personal data, including legitimate interest and public task. PECR, by contrast, generally requires consent for sending unsolicited electronic marketing to individuals, regardless of whether legitimate interest might apply under the UK GDPR. The two regimes operate in parallel, so you need to meet the requirements of both. For cookies, PECR imposes a specific consent requirement that goes beyond general UK GDPR data processing rules.
Can a council send email newsletters without consent under PECR?
It depends on the content. If the newsletter contains information about council services that directly affects the recipients, such as changes to waste collection, roadworks or public health updates, it is likely a service communication rather than direct marketing. Regulation 22 consent is not needed in that case. If the newsletter is primarily promotional, for example encouraging residents to sign up for leisure centre memberships or attend discretionary events, it falls into direct marketing and requires consent. Many councils send newsletters that include both types of content, which makes careful categorisation important.
What are the penalties for PECR non-compliance?
The ICO can issue fines of up to half a million pounds for serious PECR breaches under the current framework. In practice, the largest fines tend to be issued to organisations conducting mass unsolicited marketing campaigns or making nuisance calls. Public sector organisations are more likely to face enforcement notices requiring them to change their practices, along with the reputational impact of being publicly named in an ICO investigation. The Data (Use and Access) Act may adjust the penalty framework when its provisions come into force.
Do appointment reminders sent by text need PECR consent?
Generally no. An appointment reminder is a service communication, not direct marketing. The person has an existing relationship with your service and the message is directly related to that relationship. You still need a lawful basis under the UK GDPR for processing their phone number, but the PECR rules on unsolicited marketing do not apply. The ICO has confirmed this position in its guidance. Where it could become more complex is if the reminder includes promotional content, such as advertising additional services. Keeping appointment reminders focused on the appointment itself avoids any ambiguity.