What does PECR Regulation 21 actually say?
The Privacy and Electronic Communications Regulations 2003 (PECR) implement the EU's ePrivacy Directive in UK law and sit alongside UK GDPR as the primary framework for electronic marketing. Regulation 21 is the provision that governs live voice calls to individuals. In plain English, it does three things.
First, it prohibits unsolicited marketing calls to any subscriber who has registered on the TPS or who has previously told you they do not want calls. Second, it requires callers to identify themselves and the organisation they represent at the start of every call. Third, it prohibits the use of a calling line identity (CLI) that is meaningless or non-dialable, meaning you cannot mask your number so the consumer cannot call you back.
The word "unsolicited" matters. A call is not unsolicited where the consumer has given prior consent to receive calls. That consent pathway is the legal mechanism through which PECR-compliant consumer telemarketing to TPS numbers is possible.
Does PECR sit above or below UK GDPR?
PECR and UK GDPR work in parallel rather than in hierarchy. PECR sets the conditions for making the call; UK GDPR governs how you handle the personal data involved in making it. You need a lawful basis under UK GDPR Article 6 for processing telephone numbers in the first place, and then separately you must satisfy Regulation 21's conditions before dialling. Consent under Article 6(1)(a) and PECR consent are often gathered together in practice, but they serve different legal functions. A full treatment of PECR's scope is in our article on PECR rules for marketers in the UK.
TPS coverage: how many numbers are registered?
The TPS is operated by the Direct Marketing Association (DMA) under licence from Ofcom. As of 2025, approximately 25 million UK consumer numbers are registered, covering both residential landlines and personal mobile numbers. The register is updated monthly, and callers are required to screen against a version of the register no older than 28 days at the time of the call.
That 25 million figure carries a practical implication. If you buy or build a raw consumer telephone file without TPS suppression, you should assume that a significant share of the numbers on it are unlawful to call. The exact proportion varies by demographic: retired households, for instance, register at higher rates than young adults on pre-pay mobiles. In our experience with consumer telephone data, TPS coverage across a general UK consumer file tends to run between 40% and 65% depending on the age profile of the records.
Washing a dial list against TPS before a campaign is not optional. It is a legal requirement. Organisations that call registered numbers at scale face ICO enforcement, even if the calling was inadvertent.
What about the Corporate Telephone Preference Service?
The Corporate Telephone Preference Service (CTPS) registers business telephone numbers, not consumer numbers. If you are calling consumers at their personal or home number, only the TPS register is relevant. CTPS matters for B2B calling to company switchboards and direct-dial business lines. The rules for business-to-business telemarketing under PECR are distinct and generally less restrictive. For consumer campaigns, focus on TPS only.
When is it lawful to call a TPS-registered consumer?
There is one pathway: prior explicit consent to receive calls from your specific organisation. The word "specific" carries considerable weight here.
Generic consent language does not satisfy the requirement. A box that reads "I agree to receive marketing communications from selected third parties" or similar does not give your organisation the right to call that consumer. The consent must name or identify the data controller whose calls the consumer is agreeing to receive, or at minimum describe the category of organisation with sufficient precision that the consumer could reasonably have expected a call from you.
The ICO's enforcement history on this point is instructive. Several energy comparison sites, claims management firms, and home-improvement lead generators have been fined specifically because their consent language was too vague to constitute valid PECR consent, even though consumers had technically ticked a marketing box during a form-fill.
How recent does consent need to be?
PECR does not specify an expiry date for consent. However, the ICO's guidance on UK GDPR requires that consent is meaningful at the time of use. In practice, most data protection professionals treat consumer telephone consent as reliable for 12 months from the date of capture, with consent older than 24 months presenting material compliance risk unless the consumer has had an intervening positive interaction with the brand. The DMA's Consumer Data Guidance aligns broadly with this view.
SortedIQ's consumer telephone file is refreshed on a rolling basis. Records in the file have opted in to third-party marketing via consented channels (consumer surveys, prize-draw entries, lifestyle questionnaires, and similar), and each record carries a consent date that allows buyers to filter by recency before building a dial list.
What is and is not allowed: a quick-reference table
The table below summarises the most common consumer telemarketing scenarios and their compliance status under PECR Regulation 21 and UK GDPR. Read the "Lawful?" column in the context of the conditions stated; the answer changes if those conditions are not met.
| Scenario | Lawful? | Conditions required |
|---|---|---|
| Live call to consumer whose number is NOT on TPS | Yes (with conditions) | Valid UK GDPR lawful basis; caller identifies organisation at start of call; respect subsequent opt-outs; CLI must be live and dialable |
| Live call to consumer whose number IS on TPS | Only with consent | Prior explicit consent specific to your organisation; consent must be freely given, informed, and recent; keep consent records |
| Automated call (recorded message) to any consumer number | Only with consent | Explicit prior consent required regardless of TPS status; no "soft opt-in" exception; higher bar than live calls |
| Call to consumer who has previously told you to stop calling | No | Prohibited. An in-call or written opt-out must be honoured immediately and permanently. The consumer does not need to register with TPS for this to apply. |
| Call withholding CLI (number withheld) | No | PECR prohibits marketing calls where the calling line is withheld or set to a non-dialable number. Must present a real, returnable number. |
| Call to consumer using opt-in data, number happens to be TPS-registered | Yes (with valid consent) | The consent on the record overrides the TPS registration. You must be able to demonstrate the consent is organisation-specific (or sufficiently described) and recent. |
| Silent calls (call connects but no agent available) | Strictly limited | Ofcom's persistent misuse rules allow no more than 3% abandoned call rate per campaign per day. Silent calls must play an information message. ICO and Ofcom both have enforcement powers here. |
Identification requirements: what you must say at the start of every call
PECR Regulation 21(2)(b) requires the caller to identify, at the outset of the call, the name of the person or the organisation on whose behalf the call is made. This requirement is absolute. It applies to every live marketing call, regardless of TPS status or consent status.
In practice, this means your agents' opening script must include the organisation name before launching into the pitch. "Good morning, I'm calling from [Organisation Name]..." is compliant. "Good morning, I'm calling about your energy bills..." is not, if the organisation name comes only later or not at all.
If the consumer asks for a contact address or a freephone number where they can request that no further calls be made, you must provide one during the call. You cannot decline or defer this request. Failure to provide a contact route when asked is itself a separate breach of PECR.
In-call opt-outs: what happens after the consumer says "take me off your list"?
An in-call opt-out has immediate effect. The consumer does not need to put anything in writing, register with TPS, or wait for a confirmation. The organisation must record the opt-out and suppress that number from all future calling activity. There is no grace period. Calling the same number again after an opt-out has been expressed, even accidentally through a re-purchased list, is a PECR breach.
This is one reason why suppression file management matters as much as list selection. Before each campaign, the dial list should be washed against TPS and against your own internal do-not-call register (sometimes called an "organisational suppression file").
Automated calls, robocalls, and silent calls
Automated calling systems (ACS) deliver a pre-recorded message to the consumer rather than connecting them to a live agent. Under PECR Regulation 19, using an ACS for direct marketing to individuals requires prior explicit consent, full stop. There is no TPS-exemption route, no soft opt-in, and no "existing customer" exception. If the consumer has not specifically consented to receive automated calls from your organisation, you cannot send one.
In the UK, this distinction between live and automated calls trips up a number of campaigns, particularly in the insurance, claims, and home-services sectors. A company may hold valid PECR consent for live calls but not for automated messages. Those are treated as separate consent grants.
Silent calls and Ofcom's persistent misuse rules
A silent call occurs when a dialler connects a call but no agent is immediately available, so the consumer hears silence (or a brief recorded message) rather than a person. Ofcom's persistent misuse rules require that abandoned call rates stay below 3% of live calls per campaign per day. When that threshold is exceeded, or when silent calls are used deliberately as an intimidation tactic, Ofcom can issue a "stop" direction and, in serious cases, refer the matter to the ICO. Both regulators have fined organisations for high-volume silent calling campaigns targeting vulnerable consumers.
ICO enforcement: what the fines look like in practice
The ICO has the power to issue monetary penalties of up to £500,000 under PECR. The threshold for a penalty is that the breach was serious and the organisation either knew, or ought to have known, that it risked contravening PECR. In practice, the ICO focuses enforcement on volume callers and repeat offenders rather than on single-incident mistakes by small organisations.
Three enforcement patterns are worth noting for consumer telemarketing specifically.
First, invalid consent. Several lead-generation businesses have received six-figure fines after the ICO found that the consent language used on their web forms did not meet the PECR standard. The investigation typically starts with consumer complaints logged via the TPS or ICO's own reporting portal. A volume of complaints about the same caller triggers a formal investigation, at which point the organisation must produce evidence of valid consent for every number called.
Second, TPS failures at scale. Organisations running outbound campaigns of hundreds of thousands of calls per month that fail to screen against a current TPS file face automatic enforcement. The ICO has said publicly that "we do not accept that an organisation did not know about TPS" as a defence.
Third, CLI manipulation. Presenting false or misleading caller ID information to make a campaign appear to originate from a local number or a known brand is both a PECR breach and potentially fraudulent under the Fraud Act 2006. The ICO has referred several such cases to law enforcement.
How opt-in consumer data fits into a compliant campaign
For consumer telephone marketing, the safest and most scalable compliance route is to start with data where the consent was gathered at source, consent to third-party calls is clearly recorded, and the file has been screened against TPS before you receive it.
SortedIQ's consumer telephone file is fully opt-in under UK GDPR and PECR consent. Records are sourced from consented channels, including consumer surveys and lifestyle questionnaires, where individuals have explicitly agreed to receive marketing calls from third-party companies. Each record carries a consent date. The file is washed against TPS on a regular cycle, and the suppressed records are flagged rather than deleted, so buyers can see the full universe of matched contacts and decide whether their organisation-specific consent justifies calling TPS-registered numbers within it.
You can review how the consumer file is priced and what segment counts look like in our article on consumer data pricing in the UK.
One practical note: even with a fully consented file, you remain responsible for maintaining your own organisational suppression file and honouring in-campaign opt-outs before any subsequent call run. The consent on the record grants you the right to make the first call. What you do during and after that call determines your ongoing compliance position.