On 19 June 2025, the Data (Use and Access) Act (DUA Act) officially received Royal Assent, marking a significant milestone in the UK's data governance landscape. This new legislation will introduce various changes to UK data protection laws.
One of the most notable changes brought about by the DUA Act is the substantial increase in maximum fines for breaches of the Privacy and Electronic Communications Regulations (PECR).
What is PECR?
PECR governs the use of electronic communications and cookies. It sits alongside the Data Protection Act and the UK General Data Protection Regulation (UK GDPR).
The Information Commissioner's Office (ICO) regularly issues fines for failures to comply with PECR and, in particular, for breaches relating to marketing activities – such as sending marketing emails without consent (where consent is required). Failure to comply with PECR in relation to the placement of cookies is also an area that the ICO has been paying attention to recently.
New Penalty under the DUA Act
Previously, the maximum penalty for failures to comply with PECR was capped at £500,000. However, under the DUA Act, this cap will be drastically raised to align with the penalties under the UK GDPR. Businesses can now face fines of up to £17.5 million or 4% of their global annual turnover, whichever is higher.
Looking Ahead
The change to fines under PECR is dependent on the introduction of secondary legislation and so will not come into effect immediately. The date of such secondary legislation is currently unknown, but it is expected relatively soon.
Given the increase in potential fines, businesses should consider taking steps now to identify and address areas which could result in fines. These include the following:
- Review direct marketing practices: A review of marketing practices will help to identify whether there are any areas of risk or failures to comply with PECR, such as failures to assess when consent is needed or to obtain adequate consent for marketing activities.
- Review the placement of cookies: The placement of cookies should be reviewed to ensure that they are categorised correctly and used in accordance with PECR. The review should also identify where changes can be made as a result of the DUA Act's changes to consent requirements for the use of cookies placed for specified purposes. Cookie notices and banners should also be reviewed and updated where needed.
- Carry out employee training: Training to make employees aware of the upcoming changes to fines (as well as other changes under the DUA Act generally) should be carried out. This may be particularly helpful for employees who are involved in carrying out marketing activities and the placement of cookies.
