What happens if we don’t comply?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
Due to the Data (Use and Access) Act coming into law on 19 June 2025, the PECR enforcement regime is changing. We will update this section once the new regime is in force.
Our aim is to ensure organisations comply with the law. In cases where organisations refuse or fail to comply voluntarily, we have a range of options available for taking formal action where this is necessary.
The enforcement regime for PECR is changing to align with the regime for the UK GDPR as laid out in the DPA 2018.
Once these changes are in force, we will produce new guidance on the approach to PECR enforcement. This will replace the Regulatory action policy which currently applies to PECR.
In the meantime, the published Regulatory action policy still applies to PECR. It makes clear that any formal action we take must be a proportionate response to the issue it seeks to address and that we will reserve monetary penalties for the most serious infringements of PECR.
Further reading — ICO guidance