1 May 2026
PECR for UK outbound sales in 2026: what you can and cannot do
A practitioner's guide to the four UK rule sources that govern B2B outbound calling and email in 2026, what changed under the Data (Use and Access) Act 2025, and the trap rules sales operations teams keep getting fined for.
Email to a UK limited company is allowed under PECR's corporate subscriber exemption, but the named contact at that company is still personal data and triggers UK GDPR; phone calls always require TPS screening, and automated dialling requires consent.
If you sell B2B in the UK, four rule sources govern your outbound. Most teams know one or two and assume they cover everything. The gap is where the fines come from.
Here is the picture as it stands in May 2026, after stage three of the Data (Use and Access) Act 2025 has taken effect and ahead of the ICO's refreshed direct-marketing guidance due in spring 2026.
The four rule sources
- PECR (Privacy and Electronic Communications Regulations 2003, as amended). Governs how you contact people electronically: phone, email, SMS, automated calls.
- UK GDPR (UK General Data Protection Regulation). Governs how you process personal data, including a named individual at a corporate buyer.
- TPS (Telephone Preference Service). The statutory register of UK phone numbers that have opted out of unsolicited sales calls. Calling a TPS-registered number without prior consent is a PECR breach.
- DUAA (Data (Use and Access) Act 2025). Royal Assent 19 June 2025; the marketing-relevant provisions came into effect through stage three implementation in late 2025 and early 2026. It does not replace PECR. It clarifies UK GDPR around legitimate interest.
Anything outbound in the UK has to clear all four.
Phone calls: the highest-fine zone
The corporate-vs-individual distinction does not save you on the phone. PECR's call rules apply equally to corporate and individual subscribers. Two specific tripwires:
- TPS screening. Before any unsolicited marketing call to a UK number, check the TPS register. Failing to screen is the single most enforced PECR breach. In March 2026, a Birmingham firm called TMAC Ltd was fined 100,000 pounds by the ICO for making over 260,000 unsolicited calls to TPS-registered numbers between February and September 2024.
- Automated calls. Pre-recorded or auto-dialled marketing calls require prior, specific, named consent. In March 2025, a UK compensation company was fined 90,000 pounds for 95,277 spam calls where consent had been collected by a third-party data supplier whose consent statement did not name the calling organisation. The "we bought the list, the broker had consent" defence does not work.
Practical implication: live human-dialled calls to a non-TPS-registered number, with a clear opening identifying yourself, your organisation, and the purpose of the call, are within the rules. Anything automated, or anything not TPS-screened, is not.
Email: the corporate subscriber exemption, with one trap
PECR's email rule (regulation 22) does not apply to corporate subscribers. A limited company, an LLP, a Scottish partnership, a public body: all corporate subscribers. You can send them B2B marketing email without prior consent, provided you identify your organisation and include an opt-out mechanism. This is the lawful basis for almost every UK B2B cold email programme.
The trap is UK GDPR. PECR's exemption is about the corporate subscriber. UK GDPR is about the data subject. Sending an email to john.smith@bigco.com is sending an email to BigCo (corporate subscriber, PECR exempt) and to John Smith (a named individual, personal data, UK GDPR engaged). You still need:
- A lawful basis under UK GDPR for processing John Smith's email address. Legitimate interest is now an explicitly recognised lawful basis for direct marketing under DUAA, but you have to document a Legitimate Interests Assessment (LIA) the first time you start a programme; it does not have to be repeated per email.
- A privacy notice in your first email or linked from it.
- To honour data subject rights: access, erasure, objection. An "unsubscribe" link satisfies the routine objection path; you still have to handle access and erasure requests on demand.
Two further constraints PECR-exempt email programmes still trip on:
- Sole traders and unincorporated partnerships outside Scotland are individual subscribers under PECR. The corporate exemption does not apply. Email to victoria@anindependentconsultant.com without prior consent is a PECR breach if she trades as a sole trader.
- The named-individual rule means a "buy the list, blast it" approach is not safe even when 100% of recipients are at limited companies. The companies are PECR-exempt. The named individuals on the list are still UK GDPR data subjects, with all the rights that brings.
What the DUAA actually changed
The headline is that direct marketing is now a "recognised legitimate interest" in UK GDPR. In practice:
- You can rely on legitimate interest for B2B prospect contact lists with less paperwork than before, subject to a Legitimate Interests Assessment that documents the necessity, the proportionality, and the balance against the data subject's rights.
- It does NOT relax PECR. Email to corporate subscribers was already permitted; phone rules and TPS screening are unchanged.
- AI and profiling activities for marketing can proceed without explicit consent where the profiling does not have a "significant effect" on the individual. What "significant effect" means in practice will be tested through ICO casework over the next 18 months.
The ICO's full updated direct-marketing and PECR guidance is due in spring 2026. Until it lands, the existing ICO pages remain authoritative.
The pre-call / pre-email checklist
Before any UK outbound campaign:
- List sourced from a provider with a documented compliance position; written confirmation of the legal basis under which the data was collected.
- TPS screening run within the last 28 days for any list including UK numbers.
- CTPS (Corporate TPS) screening for any list including business numbers, where you have CTPS registration entitlement.
- Sole-trader and partnership records flagged and excluded from email-without-consent campaigns.
- Legitimate Interests Assessment documented for the campaign (one per campaign type, not one per send).
- First email or first call discloses identity, organisation, and purpose, plus an opt-out mechanism.
- Suppression list updated within 28 days of any opt-out request, applied across all campaigns.
- Privacy notice accessible from your domain, covering prospecting use of contact data.
- No automated dialling without prior, specific, named consent.
When in doubt
PECR fines for unsolicited marketing calls in the past two years have ranged from 90,000 to 300,000 pounds per breach pattern. The cost of being wrong materially exceeds the cost of being conservative.
This is editorial coverage, not legal advice. Consult counsel for your jurisdiction and your specific data flows.
Source: ICO PECR guidance (https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/business-to-business-marketing/); Data (Use and Access) Act 2025 (https://www.legislation.gov.uk/ukpga/2025/18); ICO enforcement actions March 2025 and March 2026.