Data (Use and Access) Act 2025 – Privacy and Electronic Communications Regulations


23rd September 2025

The next instalment in our series on the Data (Use and Access) Act 2025 (“DUAA”) expands on our previous blog (which can be found here), regarding how Chapter 2, Part 5 of DUAA amends the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”). This blog captures the remaining changes that DUAA introduces to PECR.

A) Definitions

Section 110 of DUAA amends some of the definitions contained in PECR. Clarification has been provided on the meaning of “call” and “communication”, covering all such attempts to establish a connection, and any communication that is “transmitted”, respectively. PECR now applies irrespective of whether a caller is connected to a recipient, or whether communications (such as texts and emails) are exchanged. As such, a recipient includes “the intended recipient” of the call or communication.

DUAA also incorporates into PECR the definition of “direct marketing” that features in section 122(5) of the Data Protection Act 2018 (“DPA”), specifically “The communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. Marketers should be aware of the updated (and, in some cases, now broader) definitions and how these could bring their campaigns within the scope of PECR.

B) Soft opt-in rule

Section 114 of DUAA proposes to amend PECR to extend the application of the soft opt-in rule, previously reserved for commercial organisations, to charities. Charities “may send or instigate the sending of electronic mail for the purposes of direct marketing”, provided the following conditions are satisfied:

  • The “sole purpose” of the direct marketing must be to further the charity’s charitable purpose(s). Communications about fundraising initiatives may assist with demonstrating such “purpose”.
  • The charity must have acquired the recipient’s contact details “in the course of” them either “expressing an interest in” the charity’s charitable purpose(s) or “offering or providing support to further” the charitable purpose(s), for instance, by making a donation or volunteering at a charity event.
  • Finally, the recipient must be given a simple, cost-free means of opting out of their details being used for direct marketing. This option must be provided at the time the recipient’s details are collected by the charity and, if not refused initially, with each subsequent communication.

Whilst this is anticipated to be a welcome change for charities, the practical impact remains to be seen, given the ongoing requirement to offer a method of opting out and the prospective nature of this section.

C) Compliance and enforcement

Organisations should be aware of the updated compliance and enforcement requirements, which further align PECR with the UK General Data Protection Regulation (“UK GDPR”). Pursuant to Section 111 of DUAA, service providers’ existing obligation to notify the Information Commissioner’s Office (“ICO”) of personal data breaches has been aligned with the UK GDPR obligations regarding the same. Therefore, service providers must notify the ICO of such breaches “without undue delay and where feasible, not later than 72 hours after having become aware of it”. If a provider experiences a delay in providing information to the ICO, the information can be offered in phases if accompanied by reasons for the delay.

Schedule 13, Paragraph 1 of DUAA contains provisions from the DPA for enforcement purposes (including Section 155 on penalty notices and Section 157 on the maximum amount of penalty, with the precise amendments explained in Paragraphs 15 and 18 of Schedule 13). As a result of DUAA adopting Section 157 of the DPA, the ICO may issue fines for PECR breaches up to £17.5 million (or 4% of the organisation’s global annual turnover, whichever is greater). This is a significant increase from the previous £500,000 limit, which should offer greater deterrence against PECR breaches.

It is important to note that Schedule 13 of DUAA is currently prospective; it is partially in force, to the extent that it confers power to make regulations (or is otherwise necessary) for the exercise of such power. Time will tell whether further regulations will be introduced to commence the ICO’s increased fining powers under DUAA. Regardless, organisations should reassess their stance on PECR, ensuring appropriate attention is paid to the requirements (particularly in respect of digital marketing campaigns). Failure to observe the requirements of PECR could prove to be costly!
