Advertorial


PHARMACIES FACE HIGHER REGULATORY RISK AS PECR FINES RISE


The Data Use and Access Act 2025 (DUAA) brought about one of the most significant recent changes to the UK’s regulatory framework for marketing, by increasing the maximum penalties under the Privacy and Electronic Communications Regulations (PECR) to GDPR-equivalent levels. The PECR regulates the way businesses send electronic marketing materials to individuals and sets out requirements relating to opt-in consent.


Before 5th February 2026, the maximum a business could be fined for PECR breaches (e.g., unlawful direct marketing, failure to obtain consent, nuisance texts and cookie consent violations) was capped at £500,000. As part of the phased implementation of DUAA, the ICO, which previously had limited deterrent power, now has enhanced enforcement powers to issue fines of up to £17.5 million or 4% of global turnover under PECR.


Pharmacies continue to operate under strict obligations relating to patient confidentiality, privacy and data protection, and the expanded PECR enforcement powers and associated financial consequences introduce an additional layer of risk. Community and online pharmacies that rely on SMS reminders, email outreach and other methods of digital marketing now face the possibility of far more severe financial consequences for non-compliance.


PECR Risk for Pharmacies

PECR governs electronic marketing and the use of calling/texting practices, instant messaging, in-app notifications and website cookies and tracking technologies. Over the years, pharmacies have modernised and streamlined their methods for communication with customers, often relying upon electronic communication methods for:

• Flu vaccination reminders
• Private/optional services marketing (e.g., travel clinics, menopause services)
• Customer newsletters or health campaigns
• Patient engagement via SMS or email


The PECR draws a distinction between service communications and marketing communications.


Service communications must be factual and provide customers with information that they need to know, necessary for the provision of service. Service communications must not contain promotional material.


While pharmacies may communicate with customers purely for service-related matters, it is necessary to obtain consent before sending electronic marketing communications. It is easy for pharmacies to unintentionally blur the line between service messages and marketing, which can result in a business being vulnerable to regulatory scrutiny.


The ICO is explicit on the point that public health value does not exempt organisations from PECR, a point reinforced by its enforcement activities in the pharmaceutical and health and wellbeing space.


Reducing the risk

Pharmacies face several common risk areas of PECR compliance, particularly around digital marketing communications. All too frequently, issues arise when SMS or email campaigns presented as “service reminders” instead promote paid services, such as optional clinics or promotion of electronic prescription services, which constitute marketing and require consent.


Pharmacy websites may deploy tracking technologies and advertising pixels which require clear, affirmative consent via a cookie banner. Risks can also present when pharmacies participate in centrally managed marketing campaigns with other parties. PECR places liability on the sender, meaning valid, documented customer consent must be in place.


Lastly, third-party platforms, such as online clinic booking systems and patient messaging tools can introduce hidden tracking or data-sharing mechanisms which pharmacies remain fully responsible for under PECR. Tips to mitigate these risks are provided below:


• Managing consent: Build consent into your customer journey. Consent must be obtained via a positive action, i.e. a tick box. Individuals must be given the option to unsubscribe at any time.


• Service v Marketing: The most frequent area of non-compliance arises from SMS campaigns framed as “service reminders” but which in fact promote paid services (e.g., travel vaccines or private clinics). Service messages should contain information strictly relevant and necessary for the service. Ensure that service messages do not contain marketing messaging.


• Website Cookies: Review your cookie policy and cookie banner. Obtain consent for non-essential website cookies including tracking and advertising cookies. Enable website visitors to amend their cookie settings and accept or reject all.


• Joint Marketing Activities: If participating in partnerships which involve joint marketing initiatives, liability will sit with the sender of the communications under PECR. Ensure consents are in place and, if acting on consent obtained by another party, review this to ensure it is compliant.


• Third-Party Platforms and Software: Pharmacies remain responsible for the processing carried out by third-party platforms. Always check that customer data is being processed in accordance with your instruction and that no “hidden” processing is being carried out behind the scenes for which you would be responsible.


Thorntons Pharmacy team are specialists in the sector and we would be happy to support you in navigating the challenges brought about by the changing data protection landscape.


Get in touch with one of the team today on 03330 430350 or visit our website at www.thorntons-law.co.uk


scotpharm.com 37

