What does PECR Regulation 21 actually say?
The Privacy and Electronic Communications Regulations 2003 (PECR) implement the EU's ePrivacy Directive into UK law and sit alongside UK GDPR. Regulation 21 is the specific provision that controls unsolicited direct-marketing telephone calls. The rule is tightly worded: a caller must not make an unsolicited call for direct-marketing purposes to a subscriber who has registered a number on the TPS, or who has previously notified the caller that such calls are unwelcome, unless the subscriber has given specific prior consent to receive marketing calls from that caller.
Two conditions trigger the prohibition. First, the subscriber must be registered on TPS at the time of the call. Second, the call must be unsolicited, meaning initiated by the caller without a prior request from the individual. A call placed in response to someone submitting an enquiry form is not unsolicited in the ordinary sense, though other requirements still apply.
The phrase "direct marketing purposes" is broad. It covers calls that promote products, services, or business opportunities, as well as calls that invite someone to request further information or a callback. A call that would strike an ordinary person as a sales pitch falls within Regulation 21, even if the caller frames it as a "survey" or "courtesy check".
Key term: subscriber vs user
PECR distinguishes between the subscriber (the person or organisation contracted with the telephone provider) and the user (whoever answers). TPS registration applies to the subscriber. If a number is registered by the account holder, all calls to that number are covered, regardless of who picks up.
TPS vs CTPS: what is the difference?
The Telephone Preference Service covers individual consumers at residential and personal mobile numbers. The Corporate Telephone Preference Service (CTPS) extends the same protection to businesses: any UK company, partnership, limited liability partnership, or other corporate body can register its numbers on CTPS to opt out of unsolicited B2B marketing calls.
Sole traders occupy an unusual position. Because a sole trader is legally the same person as their business, their numbers are covered by TPS, not CTPS. A plumber operating as John Smith (sole trader) registers on TPS, not CTPS. A plumbing company registered at Companies House registers on CTPS.
In practice, many B2B callers focus their suppression efforts on TPS and neglect CTPS, assuming business numbers are fair game. That assumption is wrong. The ICO's enforcement guidance is clear: calling a CTPS-registered number without consent is an equal breach of Regulation 21.
| Feature | TPS (Telephone Preference Service) | CTPS (Corporate Telephone Preference Service) |
|---|---|---|
| Who can register | Individual consumers; sole traders | Companies, partnerships, LLPs, other corporate bodies |
| Numbers covered | Residential landlines, personal mobiles | Business landlines and direct dials registered by the organisation |
| Legal basis | PECR Regulation 21 | PECR Regulation 21 |
| 28-day wash rule | Yes | Yes |
| Consent override available | Yes, if consent meets PECR/UK GDPR standard | Yes, same consent standard |
| Maximum ICO fine | £500,000 | £500,000 |
| Administered by | CTPS Services Ltd (under ICO oversight) | CTPS Services Ltd (under ICO oversight) |
What is the 28-day wash rule?
PECR does not state a fixed wash interval in its text, but the ICO's guidance is explicit: you must not call a number without having checked it against the TPS register within the previous 28 days. The purpose is straightforward. New opt-outs are processed on an ongoing basis, and a number that was clean on 1 April could appear on the register by 15 April. The 28-day window limits the lag between a person registering and callers stopping.
For organisations running continuous or rolling campaigns, this matters a great deal. A call centre dialling from a fixed list month after month cannot run a single wash at the start of the year and consider itself compliant. Each pass through the list requires a fresh wash check, timed within 28 days of the calls being made.
Some data suppliers provide pre-washed files and state the wash date on the data schedule. That wash date is the clock that matters. If you receive a file washed on 1 May and have not started calling by 29 May, you need a re-wash before you begin. In our experience, buyers who treat the wash as a one-off admin task rather than a rolling operational obligation account for the majority of inadvertent TPS breaches we see at the procurement stage.
Common mistake: assuming the supplier's wash is permanent
A data file described as "TPS-washed" reflects the register at the point the supplier ran the check. The liability for re-washing before calling sits with you as the caller, not the supplier. Check the wash date on your data schedule and set a calendar reminder 28 days out.
Do TPS rules apply to mobile numbers?
Yes, unambiguously. TPS registration applies to mobile numbers where those numbers are used for personal or consumer purposes. The ICO has confirmed this position repeatedly in enforcement notices and guidance documents. Callers who assume that dialling a mobile is safer than dialling a registered landline are mistaken: the ICO treats both identically under PECR.
Where this creates practical complexity is in B2B data. A direct mobile number for a business contact may be registered on TPS if the individual uses that mobile partly or wholly as a personal number. If you are calling business contacts on mobile numbers supplied in a B2B data file, you still need to suppress against TPS for those mobiles. The fact that you are calling someone in their professional capacity does not exempt the call from TPS rules.
The position is slightly more nuanced for CTPS: a mobile number must have been explicitly registered on CTPS by the corporate subscriber to be covered, and most organisations register only their landlines. But TPS covers any personal mobile the contact has registered in their own name.
When does consent override a TPS registration?
PECR Regulation 21 permits calls to TPS-registered numbers where the subscriber has given specific prior consent. That sounds simple. In practice, the quality of consent is everything.
The consent must meet the standard required under UK GDPR: freely given, specific, informed, and unambiguous. For telemarketing, "specific" means the person consented to receiving marketing calls from your organisation (or a clearly identified category of organisations), not merely to receiving marketing in general. A checkbox that says "I agree to be contacted by our partners" is almost certainly insufficient if the caller is not named or unambiguously described.
There are three further requirements worth noting. The consent must have been obtained before the call is made, not retroactively. It must be recorded so you can demonstrate it if challenged. And it cannot have been withdrawn: if someone has registered on TPS after giving consent to you, that subsequent registration is a signal the person has changed their mind, and you should treat their consent as revoked.
A warm call (following up on a quote request, an inquiry form submission, or a previous commercial relationship) generally does not require separate TPS-consent analysis because those calls are not unsolicited in the Regulation 21 sense. The call was, in effect, requested or expected. Cold calls from purchased prospect data, however, require either a valid consent record attached to the number or confirmation that the number is not TPS-registered.
Cold calls vs warm calls: a practical distinction
The cold/warm distinction matters for compliance planning, even if PECR does not use those exact terms. A cold call is any outbound call to a prospect who has had no prior relationship with your organisation and who has not made an enquiry. A warm call is a follow-up where some prior contact, request, or commercial relationship exists.
For cold calling, TPS suppression is mandatory with no exceptions unless you hold specific consent. For warm calls, the "unsolicited" criterion in Regulation 21 is typically not met, provided the call directly follows the qualifying interaction and does not extend significantly beyond what the prospect would have anticipated. "You requested a quote yesterday" is warm; "you bought from us three years ago" is cold for Regulation 21 purposes.
What must happen during a call, and what is the opt-out requirement?
PECR Regulation 21 also governs behaviour during the call itself. The calling organisation must identify itself clearly and must provide a contact address or freephone number at which the individual can register their objection to receiving further calls. This is sometimes called the in-call opt-out obligation.
Failing to provide that information during the call is itself a breach, separate from the question of whether the number was TPS-registered. Callers who mask their CLI (calling line identification) risk additional ICO attention: using a false or withheld CLI to conduct direct-marketing calls is a separate PECR offence under Regulation 19 and is treated seriously.
When a prospect objects to future calls during a call, that objection must be recorded and honoured immediately. Adding them to your internal suppression list is required; do not wait for their TPS registration to process.
ICO enforcement: what penalties apply?
The Information Commissioner's Office (ICO) can issue monetary penalty notices of up to £500,000 under PECR. In practice, fines are calibrated to the scale of the breach, whether it was deliberate or negligent, and whether the organisation cooperated with the investigation.
The ICO has issued substantial fines across a range of sectors. Claims management firms, home improvement companies, pension advisory businesses, and financial services firms have all featured in enforcement notices in the past decade. Fines in the £80,000 to £400,000 range are not unusual for mid-sized organisations that ran TPS-non-compliant campaigns at scale.
Director liability is a significant pressure point. The ICO can pursue directors personally where the breach resulted from their consent, connivance, or neglect. A £150,000 penalty against a limited company is damaging; the same penalty landing on a director personally can be ruinous. The ICO has issued director fines running into six figures in high-profile cases involving deliberate non-compliance.
The ICO's investigatory powers under PECR include the right to require organisations to produce records (including consent evidence, call logs, and data-purchase invoices), interview staff, and inspect systems. Obstructing an investigation or failing to respond to a statutory information notice is a separate criminal offence.
ICO enforcement example pattern
A common pattern in ICO enforcement notices: a company purchases a large consumer file, fails to TPS-wash it (or uses a wash older than 28 days), receives a significant volume of complaints from recipients who were registered, and is then investigated. The fine reflects both the volume of unlawful calls and the failure to implement adequate compliance procedures, which the ICO treats as an aggravating factor.
How does PECR fit with UK GDPR for telemarketing?
PECR and UK GDPR operate alongside each other. PECR provides the specific communications rule (no calls to TPS unless consent); UK GDPR provides the overarching data-processing framework (you need a lawful basis to hold and use the telephone number in the first place).
For B2C telemarketing, the typical combination is: consent as the lawful basis under Article 6(1)(a) UK GDPR for processing the personal data, plus PECR consent for the call itself. These can come from the same consent event if the consent notice is properly drafted. See our companion article on PECR rules for UK marketers for the full framework across channels.
For B2B telemarketing, the combination shifts. Processing the contact data under legitimate interests under Article 6(1)(f) UK GDPR is standard practice (after completing a Legitimate Interests Assessment). For the call itself, if the number is not CTPS-registered, no PECR consent is required. The call is not to a "subscriber who has notified" you of an objection, so Regulation 21 does not activate. However, if the individual answers and objects during the call, you must cease and record the opt-out. For more on the TPS and MPS landscape across channels, see our article on TPS, MPS, and CTPS explained.
UK telemarketing rules at a glance
| Rule | Requirement | Consequence of breach |
|---|---|---|
| TPS suppression | Wash within 28 days before calling | ICO fine up to £500,000 |
| CTPS suppression | Wash business numbers within 28 days before calling | ICO fine up to £500,000 |
| Mobile TPS | Personal mobiles on TPS are covered equally | ICO fine up to £500,000 |
| Consent quality | Specific, freely given, informed, unambiguous, recorded | Invalid consent does not override TPS |
| CLI presentation | Calling line identification must be accurate and not withheld | Separate PECR offence under Regulation 19 |
| In-call identification | Caller must identify organisation and provide contact details | Breach of PECR even if number is not TPS-registered |
| In-call opt-out | Prospect's objection must be recorded and honoured immediately | Subsequent calls become unlawful |
| Director liability | Personal fines if breach results from director consent, connivance, or neglect | Personal monetary penalty notice |