PECR, cookies and marketing consent explained
Most people have clicked a cookie banner without quite knowing what sits behind it, or wondered why a marketing opt-in box is sometimes empty and sometimes pre-ticked. The rules that govern these everyday moments come mainly from one set of regulations, and they are more straightforward than the banners often make them look. This article explains, in plain English, what those rules are, how cookie consent is meant to work, and what a lawful marketing opt-in looks like. It is general commentary on the rules, written so you can recognise good practice when you see it.
What PECR is
The rules are the Privacy and Electronic Communications Regulations, almost always shortened to PECR. They sit alongside the UK General Data Protection Regulation (UK GDPR) and cover specific things: marketing by phone, email and text, the use of cookies and similar technologies, and the security of electronic communications. Where UK GDPR is the broad framework for personal data, PECR adds focused rules for electronic marketing and tracking. The same regulator, the Information Commissioner’s Office, oversees both, and publishes guidance at gov.uk.
One useful point of clarity: PECR applies to electronic marketing and cookies in their own right, separately from whether a loan is regulated by the Financial Conduct Authority. The two are unconnected. PECR governs how we may contact you and what we may store on your device; it has nothing to do with the regulatory status of our lending.
How cookie consent works
A cookie is a small file a website stores on your device, often to remember a setting or to measure how the site is used. PECR says that, with a narrow exception, an organisation must tell you about the cookies it uses and get your consent before setting them.
The exception is for cookies that are strictly necessary to provide a service you have asked for — for example, remembering the items in a basket or keeping you logged in. Those do not need consent. Almost everything else, including analytics and advertising cookies, does. Consent here means a real choice: you should be able to accept or reject non-essential cookies, and rejecting them should be as easy as accepting them. A banner that only offers “Accept” is not giving you a genuine choice.
What a lawful marketing opt-in looks like
For marketing by electronic means, PECR generally requires consent, and the standard of consent is borrowed from UK GDPR: it must be freely given, specific, informed and unambiguous, shown by a clear affirmative action. In practical terms, that has a few consequences.
- The box must be unticked. A pre-ticked marketing box is not valid consent, because doing nothing is not a clear, affirmative choice. You have to tick it yourself.
- It must be specific. Consent should make clear what you are agreeing to and from whom — you cannot be bundled into unrelated marketing as a condition of getting a service.
- It must be easy to withdraw. Every marketing message should offer a simple way to opt out, and withdrawing consent should be as easy as giving it.
There is a limited business-to-business nuance: rules differ slightly for marketing to corporate subscribers compared with individuals, and there is a narrow “soft opt-in” for existing customers in some circumstances. But the safe and respectful default — and the one we prefer — is a clear, unticked opt-in and an easy way out.
How we apply this
We aim to keep our own cookie and marketing practices on the right side of these rules, and to make them readable rather than baffling. You can see how we use cookies and handle personal data, and how to control marketing preferences, in our privacy notice. If you ever receive a message you did not expect, or one you cannot easily opt out of, that is a red flag worth questioning — and if it claims to be from us but seems off, treat it with caution and check directly through our contact page.
PECR is not red tape for its own sake. It exists so that you decide who contacts you and what gets stored on your device. Recognising a proper consent request — an unticked box, a real reject option, an easy unsubscribe — is a small but genuine form of control.
