--- title: "UK GDPR and PECR — what changes after the channel" url: "https://consenttheater.org/law/uk-gdpr-and-pecr" description: "How the UK GDPR and PECR map onto the EU GDPR and ePrivacy Directive articles ConsentTheater cites. Substantively identical, regulated by the ICO, with stable links to the canonical UK legislation." --- 1. [Law references](/law/) 2. / 3. UK GDPR & PECR Law references · United Kingdom # UK GDPR and PECR — what changes after the channel Last updated 2026-04-25 ## In one paragraph When the United Kingdom left the European Union it took the GDPR with it. The European text was retained in UK domestic law via the [Data Protection Act 2018](https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted), forming what is now called the **UK GDPR**. The articles ConsentTheater cites — Art. 5, 6, 7, 17, 89 — exist in the UK GDPR with the same numbers and substantively the same text. The cookie rule is in [PECR (SI 2003/2426)](https://www.legislation.gov.uk/uksi/2003/2426/contents/made), Regulation 6, which transposed the ePrivacy Directive into UK law and continues to apply. The regulator is the [Information Commissioner's Office (ICO)](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/). For the kind of observations ConsentTheater publishes — pre-consent tracker requests, missing reject buttons, dark-pattern consent banners — the analysis is the same on either side of the channel. We therefore reference the EU versions on this site and treat the UK as covered by the same reasoning, with ICO guidance as the authoritative national-level source. ## Article mapping Each EU article we host on this site has a UK counterpart with effectively identical text. The note column flags any practical divergence in enforcement style. EU [GDPR Art. 5](/law/gdpr/art-5/) Principles relating to processing of personal data UK UK GDPR Art. 5 Same six principles plus accountability. Identical text. EU [GDPR Art. 6](/law/gdpr/art-6/) Lawfulness of processing UK UK GDPR Art. 6 Same six lawful bases. The ICO interprets legitimate interests under 6(1)(f) similarly to most EU authorities — narrow for ad-tech, generous for genuine functional needs. EU [GDPR Art. 7](/law/gdpr/art-7/) Conditions for consent UK UK GDPR Art. 7 Identical conditions. The ICO has been particularly active on dark-pattern banners — its 2023–2024 statements explicitly target sites where Reject is harder than Accept. EU [GDPR Art. 17](/law/gdpr/art-17/) Right to erasure UK UK GDPR Art. 17 Same grounds, same exceptions, including Art. 17(3)(d) for archiving / research processing. EU [GDPR Art. 89](/law/gdpr/art-89/) Safeguards for archiving / research / statistics UK UK GDPR Art. 89 Identical safeguards regime. Schedule 2 of the DPA 2018 makes corresponding domestic-law derogations. EU [ePrivacy Directive Art. 5(3)](/law/eprivacy/art-5/) Confidentiality of the communications UK PECR Reg. 6 The UK transposed ePrivacy via PECR (SI 2003/2426). Regulation 6 carries the same prior-consent requirement and the same "strictly necessary" exemption. ## ICO guidance The ICO publishes plain-language guidance on the points that matter for our observations. The links below are stable enough to cite and are the ones we consult while maintaining the catalogue. * [UK GDPR guidance and resources](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/) — top-level hub * [Lawful basis for processing](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/) — the UK reading of Article 6 * [Consent](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/consent/) — the UK reading of Article 7, including the practical conditions for "freely given" * [Right to erasure](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/) — the UK reading of Article 17 and its exceptions * [Online tracking](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/online-tracking/) — the ICO's framework for trackers, fingerprinting and similar techniques * [PECR — cookies and similar technologies](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/) — the ICO's interpretation of Regulation 6 ## Where the UK and EU diverge in practice The legislative text is essentially the same; enforcement style differs in a few places worth noting: * **The ICO has been more vocal on dark-pattern cookie banners** than most EU authorities, publishing direct call-outs and threatening enforcement against sites where Reject takes more clicks than Accept. * **UK adequacy with the EU is conditional**. The European Commission's adequacy decision for the UK is reviewed periodically; if it lapsed, EU-to-UK personal-data transfers would need additional safeguards. For our static-research data this is not a concern, but it shapes how UK controllers approach EU-resident data subjects. * **PECR predates UK GDPR.** Regulation 6 has not been replaced by a UK ePrivacy Regulation; the legacy directive transposition still governs cookies on UK websites. ## Canonical UK legislation * [Data Protection Act 2018 (c. 12)](https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted) — the statute that retains the GDPR in UK law and adds national derogations * [Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)](https://www.legislation.gov.uk/uksi/2003/2426/contents/made) — the cookie / electronic-communications statute