penby.

The ICO's marketing enforcement priorities – what the cases tell us

The ICO has issued 119 marketing-related fines since 2019 – almost all under PECR, not GDPR. The enforcement patterns reveal practical lessons most marketing teams are missing.

Andy Williamson IMCM Cert(IM)
22 January 2026 10 min read

The regulation most likely to catch your marketing team is not the one they think it is.

Since 2019, the Information Commissioner's Office has issued 119 monetary penalty notices for marketing-related violations. Over 90% of those were brought under the Privacy and Electronic Communications Regulations 2003 – PECR – not the UK GDPR. The total: approximately £10.5 million across cases ranging from £18,000 to £300,000.

Most compliance teams have spent the past eight years focused on GDPR. Most marketing teams have heard of GDPR, at least. Yet the regulation that actually governs how you send a marketing email, make a sales call, or deploy a tracking cookie is one that many firms have never read. PECR is the ICO's primary enforcement tool for marketing, and the enforcement data from 2022 to 2026 reveals clear patterns that any firm running marketing campaigns should understand.

The regulation your marketing team hasn't read

PECR and UK GDPR work in parallel but serve different functions. UK GDPR governs the processing of personal data – lawful basis, transparency, data subject rights. PECR governs the act of sending marketing communications through specific channels: email, SMS, phone calls, and cookies. Both apply simultaneously. But when the ICO investigates a marketing campaign, it almost always reaches for PECR first.

The reason is practical. PECR violations leave a clear evidentiary trail: an email was sent without consent, a call was made to a TPS-registered number, a cookie was deployed before the user gave permission. The ICO does not need to establish complex arguments about data processing principles. The evidence is binary – the message was either lawful or it was not.

The numbers make this dominance stark. Between 2019 and September 2025, the ICO issued 119 fines under PECR totalling approximately £10.5 million. In the same period, just 16 fines were issued under UK GDPR – though those totalled roughly £65 million, reflecting the higher individual fine values in data breach cases. For marketing, PECR is where the enforcement happens.

The specific rules are not complicated, but they are precise. Regulation 22 requires consent before sending marketing emails or texts to individual subscribers – sole traders, partnerships, and private individuals. The soft opt-in exemption (Regulation 22(3)) exists, but only if you obtained the contact details during a sale or genuine negotiation, the marketing relates to your own similar products, and you offered a clear opt-out at the time of collection and in every subsequent message. All three conditions must be met. Regulation 21 prohibits marketing calls to anyone registered with the Telephone Preference Service unless they have specifically consented. Regulation 19 requires prior consent for automated calls in all cases, with no exceptions.

These are not obscure technicalities. They are the rules that determine whether your next email campaign is lawful.

What the enforcement data reveals

Reviewing the ICO's enforcement actions from 2022 to early 2026 reveals distinct patterns in what triggers investigation, which sectors are targeted, and what drives higher penalties.

Complaints drive everything

The ICO's enforcement model is overwhelmingly reactive. As Louise Brooks, an ICO adviser, has noted, the ICO does not proactively investigate PECR infringements but relies on being notified through complaints. The channels that feed the ICO's intelligence are the 7726 SMS spam reporting service, TPS complaint referrals, the ICO's online reporting tool, and direct complaints from individuals.

The complaint volumes that triggered individual investigations ranged from as few as 31 (Skean Homes Ltd, fined £100,000 in January 2024) to over 46,000 (Allay Claims Ltd, fined £120,000 in January 2026). But the ICO has been clear that scale alone is not the threshold. One enforcement action began, in their words, with a single complaint from a consumer, which then led to an investigation uncovering nearly 48,000 unlawful calls.

This matters practically. A firm sending marketing in genuine compliance has little to fear from this model. But a firm relying on the assumption that low complaint volumes mean no scrutiny is making a bet, not a compliance decision.

Sector patterns

The energy and home improvements sector has drawn the most enforcement attention, with the ICO running a dedicated operation – Operation Tinago – targeting predatory marketing linked to government energy efficiency schemes. Fined companies include Poxell Ltd (£150,000), Skean Homes Ltd (£100,000), Home Improvement Marketing Ltd (£300,000), Green Spark Energy Ltd (£250,000), and Crown Glazing Ltd (£130,000), among others.

Financial services, insurance, and debt management form the second-largest cluster. Money Bubble Ltd (£120,000 for targeting vulnerable people with debt and insurance calls), Pinnacle Life Limited (£80,000 for life insurance calls to TPS subscribers), and several debt management companies were caught in an ICO operation targeting unsolicited messages promoting debt advice.

Retail and recruitment produced notable cases too. HelloFresh was fined £140,000 in January 2024 for 80 million spam emails and one million texts. Join the Triboo Limited was fined £130,000 for 107 million spam emails sent to recruitment site registrants; the tribunal dismissed its appeal, ruling that registration on a recruitment website could not constitute consent to marketing.

What makes fines higher

The highest penalties share recognisable features. Targeting vulnerable people – the elderly, those with serious illness, people in financial distress – is the single most powerful aggravating factor. The ICO's September 2025 cases against Home Improvement Marketing Ltd and Green Spark Energy Ltd (£550,000 combined) involved avatar-based robo-call software used to simulate human agents, with scripts designed to frighten elderly homeowners about supposed health hazards from loft insulation.

Other aggravating factors: high volumes of contacts (millions rather than thousands); deliberate evasion tactics such as using multiple phone lines, changing company names, or deploying technology specifically designed to avoid detection; failure to cooperate with the ICO investigation; and links to directors of previously fined companies. Non-engagement with the ICO is explicitly punished – firms that refused to respond to the investigation consistently received higher fines than those that cooperated.

The consent failures at the centre

Strip away the sector details and the technology variations, and virtually every marketing enforcement case comes back to the same root cause: consent was absent, inadequate, or obtained through a mechanism that did not meet the legal requirements.

Third-party consent is no defence

Multiple cases confirm that relying on third-party claims of consent provides no protection. The ICO stated in the LADH Limited enforcement that relying on third-party claims of consent, without undertaking checks, leaves organisations open to enforcement action. Skean Homes Ltd blamed its lead generator for the data quality and was still fined £100,000. ZMLUK Limited was fined £105,000 for 67.7 million marketing emails sent using data from a third-party website where individuals were presented with a list of 361 "partner" companies and no mechanism to choose between them – the ICO found the consent mechanism invalid.

For any firm that buys marketing data from a third party, the message is unambiguous: the consent must be specific, informed, and verifiable. If you cannot demonstrate that each individual on your list gave valid consent to receive marketing from your organisation specifically, the data is a liability, not an asset.

Bundled consent is invalid

The HelloFresh case is the clearest illustration. The company's consent statement bundled marketing consent with age confirmation – a single mechanism that served two unrelated purposes. The consent text also failed to mention SMS as a channel, meaning the soft opt-in could not apply to the one million texts sent. The ICO classified this as negligent rather than deliberate, and HelloFresh cooperated with the investigation, but the fine was still £140,000.

The principle is straightforward: marketing consent must be a standalone choice. It cannot be wrapped into terms and conditions, account registration, or age verification. Each channel you intend to use must be explicitly identified in the consent statement.

Legitimate interest does not override PECR

Argentum Data Solutions Ltd was fined £65,000 in October 2023 for sending 2.3 million unsolicited SMS messages. The company argued it was relying on legitimate interest as a legal basis. The ICO rejected this outright. Where PECR requires consent for electronic marketing – which it does for emails and texts to individual subscribers – legitimate interest under UK GDPR cannot override that requirement. This is not a grey area. UK GDPR Recital 47 acknowledges that direct marketing may constitute a legitimate interest, but that general statement does not disapply the specific consent requirements in PECR.

The penalty landscape just changed

On 5 February 2026, the Data (Use and Access) Act 2025 raised the maximum PECR penalty from £500,000 to £17.5 million or 4% of global annual turnover – whichever is higher. This aligns PECR fines with UK GDPR's higher tier for the first time.

The practical significance is considerable. Under the old cap, even the most aggressive PECR enforcement produced fines that large companies could absorb as an operational cost. The average PECR marketing fine from March 2022 onward was £94,490 – unpleasant, but not existential. The new cap changes the calculus entirely.

As the Data Privacy Advisory Service noted in its 2025 enforcement analysis, PECR breaches involve direct marketing with clear evidentiary trails and fewer defences than UK GDPR cases. Removing the £500,000 cap exposes organisations to GDPR-level fines for what are often straightforward infringements. The evidence is typically a database of messages sent, a list of recipients, and the presence or absence of valid consent records. There are few places to hide.

The DUAA also removed the "substantial damage or distress" threshold that previously made monetary penalties for cookie violations almost impossible to impose. Cookie enforcement has so far been engagement-led – the ICO reviewed the UK's top 1,000 websites in 2025, achieved 95% compliance through warnings and preliminary enforcement notices, and has not yet issued a fine solely for cookie non-compliance. But the legal barrier to doing so has now been removed. Marketing teams deploying analytics or advertising cookies without valid consent are operating on borrowed time.

Practical takeaways

The enforcement data points toward specific actions that marketing teams and compliance officers should prioritise.

Audit your consent mechanisms. Review every point at which your organisation collects marketing consent. Is consent genuinely separate from other permissions? Does the consent statement specify which channels you intend to use – email, SMS, phone? Is there a clear, simple opt-out at the point of collection and in every subsequent communication? If any of these are missing, your soft opt-in reliance and your direct consent are both potentially invalid.

Verify any third-party data. If you use purchased or shared marketing lists, can you produce evidence that each individual on the list gave specific, informed consent to receive marketing from your organisation? If the answer is no, or if the consent was obtained through a mechanism involving hundreds of unnamed "partners," stop using the data. The ICO's position is unambiguous, and the cases demonstrate that blaming the data supplier is not a defence.

Check your TPS screening. If your marketing involves telephone calls, are you screening against the TPS register before every campaign? The 28-day grace period for newly registered numbers is not a loophole – it is a transition period. And if you are making automated calls, prior consent is required regardless of TPS status.
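The three checks above, together with the Regulation 22, 21 and 19 rules and the consent findings set out earlier, can be run as a pre-send gate over a contact list rather than left to a pre-campaign conversation. The following Python is an added example written for this page, not code from the author, the ICO or any marketing platform. The consent-record schema, the sender name ExampleCo, the evidence references and the six sample contacts are constructed assumptions for illustration; the TPS flag is assumed to come from screening against the TPS register done before the gate runs, and every recipient is assumed to be an individual subscriber (sole trader, partnership or private individual) so that Regulation 22 applies.

```python
"""Pre-send PECR gate over a contact list (added example; schema and sample data are assumptions)."""
from dataclasses import dataclass
from typing import Optional

EMAIL, SMS, LIVE_CALL, AUTOMATED_CALL = "email", "sms", "live_call", "automated_call"


@dataclass(frozen=True)
class Consent:
    channels: frozenset          # channels the consent statement explicitly named
    standalone: bool             # False if bundled with T&Cs, registration or an age check
    named_orgs: frozenset        # organisations the statement named as senders
    per_org_choice: bool         # could the person pick which named organisations to hear from?
    evidence_ref: Optional[str]  # stored record (wording, timestamp); None means it cannot be produced


@dataclass(frozen=True)
class SoftOptIn:
    from_sale_or_negotiation: bool   # details obtained during a sale or genuine negotiation
    channels_disclosed: frozenset    # channels mentioned when the opt-out was offered at collection
    opt_out_at_collection: bool      # a clear opt-out was offered at the point of collection
    opted_out: bool                  # the person has since opted out


@dataclass(frozen=True)
class Contact:
    contact_id: str
    consent: Optional[Consent] = None
    soft_opt_in: Optional[SoftOptIn] = None
    tps_registered: bool = False     # assumed result of screening against the TPS register


@dataclass(frozen=True)
class Campaign:
    sender_org: str
    channel: str
    own_similar_products: bool       # soft opt-in only covers our own similar products
    opt_out_in_every_message: bool   # the campaign message itself carries a clear opt-out


def consent_covers(c: Optional[Consent], org: str, channel: str) -> Optional[str]:
    """Return None if the consent is specific, informed and verifiable for org/channel, else the defect."""
    if c is None:
        return "no consent record"
    if c.evidence_ref is None:
        return "consent cannot be evidenced"
    if not c.standalone:
        return "consent bundled with another purpose"
    if channel not in c.channels:
        return f"consent does not name channel {channel}"
    if org not in c.named_orgs:
        return f"consent does not name {org}"
    if len(c.named_orgs) > 1 and not c.per_org_choice:
        return "blanket consent to a list of partners with no per-organisation choice"
    return None


def soft_opt_in_applies(s: Optional[SoftOptIn], camp: Campaign) -> Optional[str]:
    """Regulation 22(3): every condition must hold, and only for email and SMS."""
    if s is None:
        return "no soft opt-in record"
    if camp.channel not in (EMAIL, SMS):
        return "soft opt-in only covers email and SMS"
    if s.opted_out:
        return "recipient has opted out"
    if not s.from_sale_or_negotiation:
        return "details not obtained during a sale or negotiation"
    if not camp.own_similar_products:
        return "campaign is not for our own similar products"
    if not s.opt_out_at_collection:
        return "no opt-out offered at collection"
    if camp.channel not in s.channels_disclosed:
        return f"channel {camp.channel} not disclosed at collection"
    if not camp.opt_out_in_every_message:
        return "campaign message carries no opt-out"
    return None


def check_contact(contact: Contact, camp: Campaign) -> tuple:
    """Decide (allowed, reason) for one contact under the channel's PECR regulation."""
    consent_defect = consent_covers(contact.consent, camp.sender_org, camp.channel)
    if camp.channel in (EMAIL, SMS):                 # Regulation 22: consent or soft opt-in
        if consent_defect is None:
            return True, "valid consent"
        soi_defect = soft_opt_in_applies(contact.soft_opt_in, camp)
        if soi_defect is None:
            return True, "soft opt-in"
        return False, f"{consent_defect}; {soi_defect}"
    if camp.channel == AUTOMATED_CALL:               # Regulation 19: prior consent, no exceptions
        return (True, "valid consent") if consent_defect is None else (False, consent_defect)
    if camp.channel == LIVE_CALL:                    # Regulation 21: TPS unless specific consent
        if not contact.tps_registered:
            return True, "not TPS-registered"
        if consent_defect is None:
            return True, "TPS-registered but specifically consented"
        return False, f"TPS-registered; {consent_defect}"
    return False, f"unknown channel {camp.channel}"


def gate_campaign(contacts, camp: Campaign) -> dict:
    """Split a list into contacts safe to send to and contacts blocked with the reason."""
    result = {"send": [], "blocked": {}}
    for c in contacts:
        ok, why = check_contact(c, camp)
        if ok:
            result["send"].append(c.contact_id)
        else:
            result["blocked"][c.contact_id] = why
    return result


ORG = "ExampleCo"  # assumed sender; the contacts below are constructed for illustration
SAMPLE_CONTACTS = [
    Contact("alice", consent=Consent(frozenset({EMAIL, SMS}), True, frozenset({ORG}), True, "crm:consent/1042")),
    Contact("bob", consent=Consent(frozenset({EMAIL}), False, frozenset({ORG}), True, "crm:consent/1043")),  # bundled
    Contact("carol", consent=Consent(frozenset({EMAIL}), True, frozenset({ORG, "PartnerA", "PartnerB"}), False, "vendor:batch7")),
    Contact("dave", soft_opt_in=SoftOptIn(True, frozenset({EMAIL}), True, False)),  # email disclosed, SMS not
    Contact("erin", tps_registered=True),
    Contact("frank"),
]

if __name__ == "__main__":
    for channel in (EMAIL, SMS, LIVE_CALL, AUTOMATED_CALL):
        print(channel, gate_campaign(SAMPLE_CONTACTS, Campaign(ORG, channel, True, True)))
```

Run as written, the gate lets an email campaign reach alice (standalone, evidenced consent) and dave (all soft opt-in conditions met), blocks bob because his consent was bundled, blocks carol because her third-party consent named a list of partners with no way to choose between them, and blocks dave from SMS because that channel was never disclosed at collection. A live-call campaign is blocked only for the TPS-registered contact without specific consent, and an automated-call campaign is blocked for everyone, since no record covers that channel.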

Know which regulation governs your activity. GDPR is the general framework. PECR is the channel-specific rulebook for marketing communications. If your compliance function focuses exclusively on GDPR, you are looking at the wrong regulation for marketing enforcement. Review the ICO's Guide to PECR – it exists, it is free, and it answers most of the questions that lead to enforcement.

Own the compliance intersection. The enforcement patterns reveal something about how marketing compliance fails in practice. It rarely fails because someone deliberately breaks the rules. It fails because nobody in the organisation fully owns the problem. The marketing team does not understand the regulatory requirements. The compliance team does not understand the marketing technology stack. The gap between them is where the ICO's enforcement actions live.

This is not a criticism of either function. It is a structural observation confirmed by the enforcement data. Most of the fined organisations were not deliberately non-compliant – they were negligent, uninformed, or operating under incorrect assumptions about what the law required. The solution is not more training for the marketing team or more oversight from the compliance team. It is someone who understands both disciplines, working at the intersection where the failures occur.


The ICO's enforcement data tells a consistent story. The regulation most firms overlook is the one most likely to produce a fine. The consent mechanisms most firms rely on are the ones the ICO keeps finding inadequate. And the penalty cap that made PECR fines a manageable cost just increased thirty-five-fold. The cases are publicly available. The patterns are clear. The question is whether your marketing team has read them.


Andy Williamson

IMCM Cert(IM)

Andy has spent 20 years at the intersection of data protection and marketing technology. He helps organisations build privacy-compliant marketing programmes that respect user rights while driving measurable results.