PECR for UK outbound sales in 2026: what you can and cannot do

The trap is UK GDPR. PECR's exemption is about the corporate subscriber. UK GDPR is about the data subject. Sending an email to john.smith@bigco.com is sending an email to BigCo (corporate subscriber, PECR exempt) and to John Smith (a named individual, personal data, UK GDPR engaged). You still need:

• A lawful basis under UK GDPR for processing John Smith's email address. Legitimate interest is now an explicitly recognised lawful basis for direct marketing under DUAA, but you have to document a Legitimate Interests Assessment (LIA) the first time you start a programme; it does not have to be repeated per email.
• A privacy notice in your first email or linked from it.
• Honour data subject rights: access, erasure, objection. An "unsubscribe" link satisfies the routine objection path; you still have to handle access and erasure requests on demand.

Two further constraints PECR-exempt email programmes still trip on:

• Sole traders and unincorporated partnerships outside Scotland are individual subscribers under PECR. The corporate exemption does not apply. Email to victoria@anindependentconsultant.com without prior consent is a PECR breach if she trades as a sole trader.
• The named-individual rule means a "buy the list, blast it" approach is not safe even when 100% of recipients are at limited companies. The companies are PECR-exempt. The named individuals on the list are still UK GDPR data subjects, with all the rights that brings.

What the DUAA actually changed

The headline is that direct marketing is now a "recognised legitimate interest" in UK GDPR. In practice:

• You can rely on legitimate interest for B2B prospect contact lists with less paperwork than before, subject to a Legitimate Interests Assessment that documents the necessity, the proportionality, and the balance against the data subject's rights.
• It does NOT relax PECR. Email to corporate subscribers was already permitted; phone rules and TPS screening are unchanged.
• AI and profiling activities for marketing can proceed without explicit consent where the profiling does not have a "significant effect" on the individual. What "significant effect" means in practice will be tested through ICO casework over the next 18 months.

The ICO's full updated direct-marketing and PECR guidance is due in spring 2026. Until it lands, the existing ICO pages remain authoritative.

The pre-call / pre-email checklist

Before any UK outbound campaign:

• List sourced from a provider with a documented compliance position; written confirmation of the legal basis under which the data was collected.
• TPS screening run within the last 28 days for any list including UK numbers.
• CTPS (Corporate TPS) screening for any list including business numbers, where you have CTPS registration entitlement.
• Sole-trader and partnership records flagged and excluded from email-without-consent campaigns.
• Legitimate Interests Assessment documented for the campaign (one per campaign type, not one per send).
• First email or first call discloses identity, organisation, and purpose, plus an opt-out mechanism.
• Suppression list updated within 28 days of any opt-out request, applied across all campaigns.
• Privacy notice accessible from your domain, covering prospecting use of contact data.
• No automated dialling without prior, specific, named consent.

When in doubt

PECR fines for unsolicited marketing calls in the past two years have ranged from 90,000 to 300,000 pounds per breach pattern. The cost of being wrong materially exceeds the cost of being conservative.

This is editorial coverage, not legal advice. Consult counsel for your jurisdiction and your specific data flows.