Your Marketing Emails Could Now Cost £17.5 Million — DUAA PECR Fines Are Here
In this article
- What Changed: PECR Fines Are Now GDPR-Sized
- What the ICO Has Already Fined (Since Feb 5)
- How DUAA Enforcement Works Now
- The Specific PECR Rules That Cause Fines
- The Timeline That Matters: June 19 Deadline
- Your Audit Checklist: Is Your Business At Risk?
- The Fix: Practical Steps (Do This Week)
- Why This Matters for Your Business
- What Sectors Are Most at Risk?
- Your Next Steps
On February 5, 2026, the Digital Utilities and Amendment Act (DUAA) came into force.
Most UK businesses have never heard of it.
But the ICO (Information Commissioner's Office) has just gained the power to fine you up to £17.5 million or 4% of global turnover for email marketing and cookie consent violations — the same penalty level as GDPR breaches.
That's not hyperbole. That's the actual law. As of three months ago.
And almost nobody is compliant yet.
What Changed: PECR Fines Are Now GDPR-Sized
Before February 5, 2026:
- PECR (Privacy and Electronic Communications Regulations) violations carried a maximum fine of £5,000 per business
- You could send marketing emails without proper consent and pay a small fine
- Cookie compliance was treated as a minor compliance tick-box
After February 5, 2026:
- PECR violations carry £17.5 million / 4% global turnover fines (same as GDPR)
- Lack of email consent = major enforcement action (not a slap on the wrist)
- Non-consensual cookies = expensive liability
- ICO gained new enforcement powers (witness compulsion, technical audits)
Why this matters: businesses that treat email compliance as "nice to have" are now facing enterprise-level penalties.
What the ICO Has Already Fined (Since Feb 5)
The ICO didn't wait. It's already using its new powers:
Reddit — £66,000 (March 2026)
- Violation: Cookie consent banner did not meet PECR standards
- Problem: Users' email addresses collected without explicit consent for cookies
- Finding: "Implied consent is not sufficient under PECR"
TMAC Group — £100,000 (March 2026)
- Violation: Sent marketing emails without affirmative opt-in
- Problem: Business assumed past customers = automatic consent
- Finding: "Past purchase does not equal consent to future marketing"
Both cases involved businesses that thought they were compliant. Both paid six-figure fines in one month.
And these are small fines compared to the legal maximum. The ICO is building precedent.
How DUAA Enforcement Works Now
The ICO's new powers under DUAA:
1. Compel Witness Attendance
The ICO can now force directors, employees, and contractors to give evidence under oath about data and email practices. You can't hide behind "I don't know" anymore — someone in your business will be compelled to explain your systems.
2. Request Technical Audits
The ICO can demand access to your email marketing software, cookie tracking code, and consent mechanisms — and require you to explain what each piece does. No "sorry, we use a third-party tool" escape.
3. Issue Monetary Penalties in Real Time
Penalties are no longer negotiated over months. A single enforcement action can result in a penalty notice that stands immediately. No phase-in. No appeal period.
The Specific PECR Rules That Cause Fines
Here are the exact PECR rules that are costing businesses money right now:
Rule 1: Email Marketing Requires Affirmative Opt-In
You cannot send marketing emails to:
- Past customers (even if they bought before)
- Email addresses you harvested from websites
- People who visited your site without explicitly opting in
You can only send to people who actively ticked "yes" to "send me emails."
What gets you fined: assuming past relationship = consent.
Rule 2: Consent Must Be Separate
You cannot hide email consent in your terms & conditions or under a long privacy policy. It must be:
- A separate, obvious checkbox or button
- Clearly labeled "I want to receive marketing emails"
- Unchecked by default (not pre-ticked)
- Easy to withdraw
What gets you fined: pre-ticked email consent boxes (very common).
Rule 3: Cookies for Tracking Require Consent
Any cookie that tracks a user's behavior (analytics, retargeting pixels, heatmaps) requires prior consent before it's set.
What gets you fined:
- Google Analytics cookies without consent banner first
- Facebook/LinkedIn retargeting pixels without consent
- Hotjar/Clarity heatmaps that fire before consent
- "Cookie banner shows up when you first visit" — too late, you already set cookies
Rule 4: Cookie Banners Must Offer Real Choice
Your cookie banner cannot say "Accept to continue." It must offer:
- "Accept All" button
- "Reject All" button (not "I prefer essential only")
- Both buttons equally prominent
- Settings where users can turn off non-essential cookies individually
What gets you fined: dark patterns (making "reject" harder to click than "accept").
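The technical core of Rules 3 and 4 is that no analytics, retargeting or heatmap script may execute until the visitor has made an affirmative choice, and that "Reject All" and per-category settings must be real actions, not a buried afterthought. The following is an added example written for this article (it is not the article's code, nor the code of Osano, OneTrust, Cookiebot or any vendor it names). It assumes a hypothetical registry of three tags with placeholder script URLs; the loader is a pure decision function plus a thin browser wrapper so it can be exercised outside a browser.

```javascript
// Added example (not from the article): a minimal consent gate for non-essential
// tracking scripts. Nothing in the "analytics" or "marketing" categories is loaded
// until the visitor has decided; "Reject All" is a first-class action. All script
// URLs below are constructed placeholders, not real vendor script locations.

const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// Registry of third-party tags, each mapped to the consent category it needs.
const TRACKER_REGISTRY = [
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "retargeting-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "heatmap", category: "analytics", src: "https://example.invalid/heatmap.js" },
];

// No decision yet: every non-essential category is off (nothing is pre-ticked).
function defaultConsent() {
  return { decided: false, categories: Object.fromEntries(CATEGORIES.map((c) => [c, false])) };
}

function acceptAll() {
  return { decided: true, categories: Object.fromEntries(CATEGORIES.map((c) => [c, true])) };
}

function rejectAll() {
  return { decided: true, categories: Object.fromEntries(CATEGORIES.map((c) => [c, false])) };
}

// Per-category settings. Only known categories can be switched, and any explicit
// choice counts as a decision so the banner stops re-prompting.
function setCategory(consent, category, allowed) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return { decided: true, categories: { ...consent.categories, [category]: Boolean(allowed) } };
}

// Pure decision function: which registry entries may load under this consent state.
// Undecided means nothing loads, which is the "banner before cookies" rule in code.
function permittedTrackers(consent, registry = TRACKER_REGISTRY) {
  if (!consent.decided) return [];
  return registry.filter((t) => consent.categories[t.category] === true);
}

// Browser side: inject only the permitted scripts. Safe to call repeatedly (a tag
// already on the page is skipped); outside a browser it only reports what would load.
function loadPermittedTrackers(consent, registry = TRACKER_REGISTRY) {
  const allowed = permittedTrackers(consent, registry);
  if (typeof document !== "undefined") {
    for (const t of allowed) {
      if (document.getElementById(t.id)) continue;
      const s = document.createElement("script");
      s.id = t.id;
      s.src = t.src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return allowed.map((t) => t.id);
}

// Persist the choice so the banner is not shown on every visit. This cookie only
// records the consent decision itself, so it is strictly necessary.
function consentCookieValue(consent) {
  return encodeURIComponent(JSON.stringify(consent));
}

// Anything malformed falls back to "undecided", never to "accepted".
function parseConsentCookie(value) {
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (typeof parsed.decided !== "boolean" || typeof parsed.categories !== "object" || parsed.categories === null) {
      return defaultConsent();
    }
    return parsed;
  } catch (e) {
    return defaultConsent();
  }
}
```

Wire the banner's "Accept All" button to `acceptAll()`, "Reject All" to `rejectAll()`, and each settings toggle to `setCategory()`, then call `loadPermittedTrackers()` with the result and store `consentCookieValue()`; on later page loads, parse the cookie first and call the loader with whatever it returns. The design point is that the failure mode is always "load nothing": a missing, corrupt or undecided cookie never results in a tracker firing.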
Rule 5: Email Marketing to Business Contacts Has Different Rules
Business email addresses (info@company.com) and B2B marketing have slightly looser rules — but B2C marketing (personal emails) is stricter.
This is the exception accountants, lawyers, and B2B SaaS sometimes use. But if there's any doubt about B2C applicability, assume strict rules.
The Timeline That Matters: June 19 Deadline
DUAA created a new date: June 19, 2026 — when the ICO's formal data complaints process becomes mandatory for all data controllers.
This means:
- Anyone can submit a formal complaint to the ICO about your email or cookie practices
- The ICO must acknowledge it within 30 days
- An investigation can follow within 60 days
- A penalty notice could be issued within 120 days
That's a 6-month pathway from complaint to fine.
If your cookie banner or email consent is broken, assume someone will report you by July. Better to fix it now.
Your Audit Checklist: Is Your Business At Risk?
Go through this checklist. If you answer "no" to any question, you're at risk:
- Do you have a cookie consent banner that appears before any cookies are set?
- Does your banner offer "Reject All" as easily as "Accept All"?
- Is email marketing consent separate from your privacy policy?
- Is the email consent box unchecked by default?
- Do you only send marketing emails to people who explicitly opted in?
- Have you never sent a marketing email to a "past customer" without re-consent?
- Can users withdraw consent by clicking a link in your email?
- Do you have records of when and how each person consented?
- Have you told staff how to handle data subject access requests (within 30 days)?
If you answered "no" to more than two, you're operating in breach of DUAA/PECR.
The Fix: Practical Steps (Do This Week)
Step 1: Fix Your Cookie Banner (2 hours)
If you use a cookie management platform (Osano, OneTrust, Cookiebot), log in and check:
- Banner appears before cookies load — if not, you're setting cookies before consent
- "Reject All" button is as prominent as "Accept All"
- Non-essential cookies (analytics, ads, heatmaps) are off by default unless explicitly accepted
- Users can access "cookie settings" and disable each category independently
If you're using a basic banner or no banner: upgrade to a real consent management platform this week (cost: £10-50/month).
Step 2: Audit Your Email Consent (1 hour)
- Check your signup form: is there a separate, unchecked checkbox for marketing emails?
- Pull your email list: are there people on it who never opted in? (Immediately delete them)
- Review your emails: do they all have an "unsubscribe" link? (Required by PECR)
- Check your privacy policy: does it have a dedicated section on email marketing consent?
Step 3: Train Your Team (30 mins)
- Brief marketing/sales on: never buy email lists, never assume consent, always ask
- Brief customer service on: respond to unsubscribe requests within 30 days
- Brief technical: never set tracking cookies before consent is given
Step 4: Document Your Compliance (1 hour)
- Create a "consent records" spreadsheet: who opted in, when, how (form? email? checkbox?)
- Document your cookie consent process: what happens when someone clicks "reject"?
- Store unsubscribe requests: keep records for 2 years
- Review third-party vendors: which ones set cookies on your behalf? (e.g., Salesforce, HubSpot)
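Steps 2 and 4 (and the "records of when and how each person consented" question in the audit checklist) come down to one data structure: a ledger that records each opt-in with its source and evidence, keeps withdrawals rather than deleting them, and can be queried to decide who may be emailed. The block below is an added example written for this article, not code from the article or from any email platform; the addresses, dates and opt-in sources are constructed, and the three accepted source names are assumptions standing in for whatever your own forms are called.

```javascript
// Added example (not from the article): an in-memory consent ledger and a
// mailing-list audit. Every entry records who consented, when, how and with what
// evidence; withdrawals are appended, never erased, so the full history can be
// shown on request. All addresses, timestamps and source names are constructed.

// Only these count as affirmative opt-ins. A purchase, a pre-ticked box or a
// harvested address is not on the list and is refused at the point of recording.
const VALID_SOURCES = new Set(["signup-checkbox", "preference-centre", "double-opt-in-email"]);

function createLedger() {
  return new Map(); // normalised email -> array of events, oldest first
}

function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// Record an affirmative opt-in with the evidence you would show a regulator
// (form version, wording of the box, that it was unchecked by default).
function recordOptIn(ledger, email, source, at, evidence) {
  if (!VALID_SOURCES.has(source)) throw new Error(`not an affirmative opt-in source: ${source}`);
  const key = normaliseEmail(email);
  const events = ledger.get(key) || [];
  events.push({ type: "opt-in", source, at: new Date(at).toISOString(), evidence });
  ledger.set(key, events);
}

// Record a withdrawal (unsubscribe link, email request). Kept as an event so the
// withdrawal itself is documented, not lost when the address leaves the list.
function recordWithdrawal(ledger, email, at, channel) {
  const key = normaliseEmail(email);
  const events = ledger.get(key) || [];
  events.push({ type: "withdrawal", at: new Date(at).toISOString(), channel });
  ledger.set(key, events);
}

// The most recent event decides: an opt-in with no later withdrawal means
// marketing is allowed; no record at all is treated the same as a refusal.
function consentStatus(ledger, email) {
  const events = ledger.get(normaliseEmail(email)) || [];
  if (events.length === 0) return { status: "no-record" };
  const last = events[events.length - 1];
  return last.type === "opt-in"
    ? { status: "consented", since: last.at, source: last.source }
    : { status: "withdrawn", since: last.at };
}

// Audit a mailing list against the ledger. Only addresses with a live opt-in are
// sendable; everything else is returned with the reason so it can be removed.
function auditMailingList(ledger, mailingList) {
  const sendable = [];
  const remove = [];
  for (const raw of mailingList) {
    const email = normaliseEmail(raw);
    const status = consentStatus(ledger, email);
    if (status.status === "consented") sendable.push(email);
    else remove.push({ email, reason: status.status });
  }
  return { sendable, remove };
}

// The evidence trail for one person, in the order it happened.
function consentHistory(ledger, email) {
  return (ledger.get(normaliseEmail(email)) || []).slice();
}

// Constructed sample data: one valid opt-in, one opt-in later withdrawn, one
// withdrawal with no prior record, and (implicitly) a past customer who never opted in.
function sampleLedger() {
  const ledger = createLedger();
  recordOptIn(ledger, "Ann@Example.invalid", "signup-checkbox", "2026-02-10T09:00:00Z", "signup form v3, separate unchecked box");
  recordOptIn(ledger, "bob@example.invalid", "double-opt-in-email", "2025-11-01T12:00:00Z", "confirmation link clicked");
  recordWithdrawal(ledger, "bob@example.invalid", "2026-03-02T08:30:00Z", "unsubscribe-link");
  recordWithdrawal(ledger, "dan@example.invalid", "2026-01-15T10:00:00Z", "email-request");
  return ledger;
}
```

Run `auditMailingList(sampleLedger(), yourList)` against an export of your email platform: the `remove` array is the list of addresses the article's Step 2 tells you to delete, each with a reason, and `consentHistory()` is the per-person record Step 4 asks you to keep. Normalising addresses before lookup matters; without it a capitalised signup and a lowercase list entry look like two different people and a real opt-in gets reported as missing.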
Why This Matters for Your Business
A £17.5 million fine is catastrophic for a small business. But even a £100,000 fine (like Reddit paid) can:
- Wipe out 6 months of profit
- Require redundancies
- Damage reputation
The ICO isn't being lenient anymore. It's publishing enforcement cases and naming businesses.
And here's the scary part: you can't dispute the penalty in court until you've paid it. The fine is issued, you pay, then you can appeal.
What Sectors Are Most at Risk?
- Retail/Ecommerce: heavy use of retargeting pixels, email marketing
- Professional Services: email marketing to past clients
- Hospitality: email marketing to past bookers, loyalty programs
- Healthcare: email updates to patients without consent
- SaaS/Tech: analytics and marketing automation cookies
If you send any marketing emails or use website analytics, you're at risk.
Your Next Steps
- This week: audit your cookie banner and email consent process using the checklist above
- This month: fix any gaps and document your compliance
- June 19: make sure your formal complaints process is ready (ICO requirement)
- Beyond: subscribe to ICO updates so you catch new enforcement guidance
ComplianceAlert monitors ICO enforcement actions, PECR guidance updates, and DUAA deadline changes. Get alerts before the ICO starts investigating your sector.