PECR Cold Calling Rules: What Sales Teams Must Know in 2026

PECR cold calling rules explained for 2026. New £17.5M fines, TPS screening, automated call consent, and the compliance workflow your team needs.

8 min read · Prospeo Team

Stop asking whether cold calling is legal. The PECR cold calling rules are clear - the real question is whether you can evidence compliance for every number you dial. Since March 2022, the ICO has issued 49 PECR monetary penalty notices totaling £4.63M. Those fines aren't hitting companies that didn't know the rules. They're hitting companies that couldn't prove what they did.

We've watched this pattern repeat for years. Teams don't fail PECR because they're ignorant. They fail because nobody logged the TPS screening date, nobody documented the consent trail for automated calls, and nobody can reconstruct what happened when the ICO comes asking.

The Rules in 60 Seconds

  • Live marketing calls: Screen against TPS and CTPS. Maintain an internal suppression list. Identify your organisation and display a callback number. No consent required if you screen properly and respect objections.
  • Automated/recorded calls: Prior specific consent is mandatory. General marketing opt-in doesn't count. Live-call consent doesn't count. The consent must explicitly cover automated calls.
  • New fine cap (effective 5 Feb 2026): £17.5M or 4% of total worldwide turnover - whichever is higher. That's at least a 35x increase from the old £500K ceiling.
  • "Call" redefined: Attempting to establish a connection now counts as a "call" - even if nobody picks up. Your dialer logs matter for every number you punch.
PECR cold calling rules summary with fine caps

If you remember nothing else: live calls need screening, automated calls need consent, and the penalties just got serious.

TPS Screening and Live Call Requirements

Regulations 21, 21A, and 21B cover live marketing calls. Here's what you must do - and what'll get you fined.

Do:

  • Screen every number against TPS and CTPS before dialing
  • Maintain and sync an internal do-not-call list for anyone who's objected
  • Identify your organisation at the start of the call
  • Display a real callback number (or provide a Freephone number if asked)

Don't:

  • Call TPS/CTPS-registered numbers without specific consent - even existing customers
  • Call anyone who's previously told you to stop
  • Market claims management services without specific consent
  • Market pension schemes unless you meet strict FCA-authorised criteria and consent/relationship requirements

The identification piece trips up more teams than you'd expect. If your dialer masks the outbound number or your reps don't name the company within the first few seconds, you're already non-compliant. Beyond ICO fines, telecom carriers can flag your number as spam risk - and once that happens, answer rates plummet and fixing it requires switching carriers, warming new numbers, and rebuilding sender reputation from scratch (see How to Improve Sender Reputation in 2026). It's a practical death sentence for any outbound operation.

One legal nuance worth knowing: the Court of Appeal's Leave.EU/Eldon Insurance Services decision established that the entity "instigating" direct marketing bears PECR liability, not just the one facilitating or transmitting it. If you hire a third-party dialer, you're still on the hook.

Automated and Recorded Calls

Reg 19 is where the ICO has zero patience. Automated marketing calls - including those using AI "avatar" software - require prior consent that's freely given, specific, and informed. General marketing consent isn't enough. Consent for live calls isn't enough. The person must have explicitly agreed to receive automated or recorded calls.

The tech got smarter, but the compliance bar didn't get lower.

In September 2025, the ICO fined two energy-related companies a combined £550,000 for automated marketing calls using avatar software that made recipients think they were speaking to real UK people. Green Spark Energy made 9.5 million automated calls. Home Improvement Marketing made 2.4 million. Neither could evidence consent. The ICO served enforcement notices on both, shutting down the operations entirely.

Here's the thing: if you're considering AI voice agents for outbound because the unit economics look attractive, that enforcement case is your required reading. Your consent language needs to be explicit - something like: "We may contact you using pre-recorded or automated voice messages about [topic]." A vague "we may call you with offers" won't survive scrutiny.

B2B vs B2C: Who Gets Protection?

PECR doesn't care whether you call it "B2B." It cares whether the subscriber is corporate or individual.

PECR rules comparison for corporate vs individual subscribers

| Rule | Corporate Subscribers | Individual Subscribers |
| --- | --- | --- |
| TPS/CTPS screening | Screen CTPS (and TPS as a cross-check) | Screen TPS |
| Consent for live calls | Not required (screen + respect objections) | Not required (screen + respect objections) |
| Consent for automated calls | Required | Required |
| Email marketing rules | PECR electronic mail rules don't apply (but UK GDPR still does for personal data) | PECR electronic mail rules apply |

The catch: sole traders and certain partnerships are treated as individual subscribers, not corporate ones. That freelance consultant you're cold calling? They get the same protections as a consumer. For B2B calls, you need to screen against both CTPS and TPS - some businesses register with TPS (especially sole traders), others with CTPS.

This confusion shows up constantly in UK marketing forums and across threads on r/sales and r/UKbusiness - practitioners assume "B2B" means fewer restrictions, when the subscriber type is what actually matters. The government considered extending full PECR email rules to B2B marketing under the Data (Use and Access) Act, but ultimately dropped that proposal. B2B email remains less restricted than B2B calling - for now.

What Changed in 2026

The Data (Use and Access) Act received Royal Assent on 19 June 2025, and key provisions [took effect on 5 February 2026](https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2026/02/key-aspects-of-the-data-use-and-access-act-take-effect.html). The headline change: PECR's fine cap jumped from £500K to £17.5M or 4% of total worldwide turnover, aligning PECR penalties with UK GDPR levels. The ICO now has real teeth for telephone marketing violations.

Timeline of PECR enforcement changes leading to 2026

Equally significant - and arguably more operationally disruptive - is the redefinition of "call." A call now includes attempting to establish a connection. The connection doesn't need to be established. Dialing a number and hanging up before it connects still counts. Your dialer logs now matter even for calls that never connected, and every abandoned attempt is a potential data point in an ICO investigation.

The Act also adopted the DPA 2018 definition of direct marketing: "communication of advertising or marketing material directed to particular individuals." Updated ICO guidance reflecting these provisions is expected later in 2026 - watch for it.

Building a PECR Compliance Workflow

Most compliance guides stop at "follow the rules." Let's get into the operational workflow that actually keeps you safe.

Six-step PECR compliance workflow for sales teams

1. Verify Lead Source and Lawful Basis

Document where every number came from. If you're relying on legitimate interests, complete the ICO's LIA template before your first campaign - not after the ICO asks for it.

If you're building lists from multiple sources, it helps to standardise your enrichment fields and provenance notes (see 10 Best Data Enrichment Services in 2026).

2. Screen TPS/CTPS Every 28 Days

Log the screening date for each campaign. Budget roughly £200-£2,000/year for TPS/CTPS screening subscriptions depending on volume. TPS violations remain the single most common reason for ICO enforcement action against outbound teams, so this step is non-negotiable.

3. Sync Your Suppression List

Anyone who's objected gets suppressed permanently. In our experience, the suppression list is where most workflows break down - it lives in a spreadsheet on someone's desktop instead of inside the CRM. We've seen teams get caught out by this exact scenario: a rep leaves, their local file goes with them, and the replacement starts dialing numbers that should've been suppressed months ago.

If your CRM setup is messy, start by tightening your contact records and ownership rules (see 12 Best Contact Management Software in 2026).

4. Verify and Refresh Contact Data

Stale numbers mean misdials. Misdials mean wrong-party contacts. Wrong-party contacts mean complaints to the ICO. Prospeo's 7-day data refresh cycle and 98% verified email accuracy keep outbound lists current, reducing the avoidable complaints that trigger investigations. With 125M+ verified mobile numbers and real-time verification, you're dialing numbers that actually belong to the person you intend to reach.

If you're also running cold email alongside calls, align your list hygiene and verification process across channels (see Cold Email Marketing in 2026).

5. Use a Compliant Script

Identify your organisation within the first few seconds. Display a real callback number. Handle opt-outs immediately and log them.

If your reps need a tighter structure for openers and objection handling, build a repeatable cold calling system and keep talk tracks consistent across the team.

6. Log Everything

TPS/CTPS screening timestamps. Objection timestamps. Consent proof for automated calls. Caller ID used. Script version. If you can't reconstruct what happened on any given call, you can't defend it. Sales dialer compliance depends on this audit trail - without it, even a well-intentioned team looks indistinguishable from a bad actor during an investigation.

Separately, Ofcom enforces rules on abandoned and silent calls from predictive dialers - a different but related compliance risk worth reviewing if you use auto-dial technology. If you're evaluating dialers, compare options that support better logging and caller ID controls (see 15 Best SDR Tools for 2026).

The teams that get fined aren't running rogue operations. They're running normal outbound with gaps in their documentation. This workflow takes maybe 30 minutes to set up and seconds per campaign to maintain. The alternative is explaining to the ICO why you can't produce a screening log.

Skip automated calls entirely if your average deal size is under £5K. You probably can't afford the compliance overhead. Stick to live calls with proper TPS screening - the consent requirements for automated dialing are a legal minefield that only makes economic sense at scale. If you're new to outbound, start with the fundamentals in Cold Calling for Beginners.

FAQ

Do TPS rules cover AI and robot calls?

No. TPS/CTPS screening applies only to live marketing calls. Automated or recorded calls, including AI "avatar" calls, fall under Reg 19 and require prior specific consent regardless of TPS status. Report suspected robo calls directly to the ICO, not through TPS complaint forms.

Does PECR apply to B2B cold calls?

Yes. Screen against both CTPS and TPS before making B2B calls. Sole traders and certain partnerships count as individual subscribers, giving them the same protections as consumers. Don't assume a business number is safe without screening first.

How often must we screen against TPS/CTPS?

At least every 28 days, with the screening date logged per campaign. Numbers get added to TPS/CTPS regularly, so a list screened two months ago is already stale and puts you at enforcement risk.

Consent must be freely given, specific, informed, and must explicitly name automated or recorded calls. A general marketing opt-in doesn't qualify. Use language like: "We may contact you using pre-recorded or automated voice messages about [topic]."

How can we keep contact data accurate for compliance?

Use a data provider with frequent refresh cycles and pair verified data with TPS/CTPS screening. Together, these eliminate the two biggest sources of avoidable enforcement risk: stale numbers generating misdials and unscreened numbers generating complaints.
