PECR Compliance for AI Cold Calling: The Complete Guide
AI cold calling is legal in the UK—but only if you follow the rules. Here's exactly what you need to know to avoid £500,000 fines.
What Is PECR and Why Should You Care?
PECR (Privacy and Electronic Communications Regulations 2003) governs electronic marketing in the UK—including phone calls, emails, and texts. If you're making sales calls, AI or otherwise, PECR applies to you.
The ICO (Information Commissioner's Office) enforces PECR with fines up to £500,000. In 2024 alone, they issued over £2 million in fines for cold calling violations.
Getting this wrong isn't just expensive—it can destroy your business reputation overnight.
The Three Types of Marketing Calls Under PECR
1. Live Calls (Human or AI-Assisted)
A call where a real conversation happens, even if AI is involved in parts of it.
- B2B: Generally allowed without consent, but must screen against CTPS
- B2C: Allowed without consent, but must screen against TPS
- Must: Identify caller, state purpose, offer opt-out
2. Automated Calls (Pre-Recorded Messages)
Calls that play a recording with no live interaction.
- B2B and B2C: Require prior consent (opt-in)
- Very restricted—most robocall-style marketing is illegal without consent
3. AI Voice Agents (The Grey Area)
AI that holds real conversations—not pre-recorded, but not human either.
- ICO hasn't issued specific guidance yet
- Current interpretation: If AI can converse dynamically and hand off to humans, treated more like "live" calls
- Best practice: Treat as live calls + implement human handoff capability
TPS and CTPS: The Do-Not-Call Registers
TPS (Telephone Preference Service)
The TPS is a register of individuals who don't want unsolicited sales calls.
- Over 5 million UK numbers registered
- You must screen against TPS before calling consumers
- Updated monthly—your data must be current
- Calling a TPS number = PECR violation
CTPS (Corporate TPS)
The business equivalent—companies that don't want unsolicited B2B calls.
- Must screen B2B lists against CTPS
- Different register from TPS—check both if calling mobile numbers
How to Screen
- Subscribe to TPS/CTPS checking service (from £150/year)
- Upload your call list
- Receive cleaned list with TPS/CTPS numbers removed
- Screen monthly—numbers are added constantly
The Consent Question: When Do You Need It?
When You DON'T Need Consent
- Live B2B calls to numbers NOT on CTPS
- Live B2C calls to numbers NOT on TPS
- Calls to existing customers about similar products (soft opt-in)
- AI-assisted calls with human handoff capability (current interpretation)
When You DO Need Consent
- Fully automated/pre-recorded marketing calls
- Calls to TPS/CTPS registered numbers
- Marketing texts and emails (separate PECR rules)
What Counts as Valid Consent?
- Freely given (not bundled with T&Cs)
- Specific (they know what they're consenting to)
- Informed (clear explanation of how data will be used)
- Unambiguous (positive action, not pre-ticked boxes)
- Recorded (you can prove they consented)
PECR Compliance Checklist for AI Cold Calling
Before You Call
- ☐ Screen all numbers against TPS (consumer)
- ☐ Screen all numbers against CTPS (business)
- ☐ Verify your data source is GDPR compliant
- ☐ Document your lawful basis for calling
- ☐ Check numbers haven't previously opted out
- ☐ Validate number format and remove invalid numbers
During the Call
- ☐ Identify your company name clearly
- ☐ State the purpose of the call
- ☐ Provide contact details if requested
- ☐ Offer opt-out option
- ☐ Respect "not interested" immediately
- ☐ Have human handoff capability
- ☐ Don't call before 8am or after 9pm
After the Call
- ☐ Record call outcome
- ☐ Log any opt-out requests immediately
- ☐ Add opt-outs to suppression list
- ☐ Update CRM with call data
- ☐ Store call recordings securely (if applicable)
Ongoing
- ☐ Re-screen lists against TPS/CTPS monthly
- ☐ Maintain suppression list in perpetuity
- ☐ Keep audit trail for 6+ years
- ☐ Train team on compliance requirements
- ☐ Review ICO guidance updates
Common PECR Violations (And How to Avoid Them)
1. Calling TPS Numbers
Fine: Up to £500,000
Solution: Screen every list against TPS before calling. Re-screen monthly. Use automated TPS checking in your dialler.
2. Not Identifying Yourself
Fine: Up to £500,000
Solution: Your AI must state company name within first 10 seconds. "Hi, this is [Name] calling from [Company]..."
3. Ignoring Opt-Out Requests
Fine: Up to £500,000
Solution: Implement instant suppression. When someone says "don't call again," they're added to your do-not-call list immediately and permanently.
4. Calling Outside Reasonable Hours
Fine: Reputational damage + potential complaint
Solution: Restrict calling to 8am-9pm. Consider industry norms—some B2B sectors expect 9am-6pm only.
5. Using Purchased Lists Without Due Diligence
Fine: Up to £500,000
Solution: Verify your data supplier's compliance. Ask: Where did they get consent? How recent is the data? Is it TPS screened?
AI-Specific Compliance Considerations
Does AI Need to Disclose It's AI?
Current UK law doesn't require disclosure that the caller is AI. However:
- If asked "Am I speaking to a robot?", your AI should answer truthfully
- Misleading consumers about the nature of the call could breach consumer protection rules
- Some brands choose to disclose AI for transparency reasons
Human Handoff Requirements
While not explicitly required by PECR, human handoff capability:
- Supports the argument that calls are "live" not "automated"
- Provides better customer experience
- Reduces regulatory risk as AI guidance evolves
Recording and Data Storage
- Call recordings are personal data under GDPR
- Store securely with appropriate retention periods
- Delete when no longer needed for compliance/legitimate purpose
- Be prepared for Subject Access Requests
What Happens If You Get Caught?
ICO Enforcement Process
- Complaint: Someone reports your call to the ICO
- Investigation: ICO requests your call records and compliance documentation
- Assessment: ICO determines if PECR was breached
- Enforcement: Warning, enforcement notice, or monetary penalty
Penalties
- Monetary Penalty Notice: Up to £500,000
- Enforcement Notice: Legally binding order to stop
- Prosecution: For serious/repeated offences
- Naming and shaming: ICO publishes enforcement actions
Recent Examples
- Home improvement company: £200,000 fine for TPS violations
- Energy supplier: £150,000 fine for automated marketing calls without consent
- Claims management company: £350,000 fine for persistent cold calling
How AI Sales Voice Keeps You Compliant
We built compliance into the core of our platform:
Automatic TPS/CTPS Screening
Every number is checked against TPS and CTPS before the AI dials. Non-compliant numbers are automatically blocked.
Instant Opt-Out Memory
When someone says "don't call me again," they're added to your suppression list immediately. Across all campaigns. Forever.
Bulletproof Audit Trail
Every call is logged with timestamp, outcome, and recording (if enabled). If the ICO comes knocking, you have everything you need.
Compliant Scripts
Our script builder ensures your AI identifies your company, states the purpose, and offers opt-out—automatically.
Time Restrictions
Built-in calling windows prevent calls outside 8am-9pm. Set custom hours for your industry.
Human Handoff
Transfer to a live agent at any point—supporting the "live call" interpretation of PECR.
PECR vs GDPR: What's the Difference?
| Aspect | PECR | GDPR |
|---|---|---|
| Governs | Electronic communications (calls, emails, texts) | Personal data processing |
| Applies to | Marketing communications | All personal data handling |
| Consent basis | Specific rules per channel | One of six lawful bases |
| Max fine | £500,000 | £17.5M or 4% of turnover |
| Enforcer | ICO | ICO |
Key point: You need to comply with BOTH. PECR governs whether you can call; GDPR governs how you handle the data from those calls.
Stay Compliant While Scaling Outreach
AI Sales Voice has TPS/CTPS screening, audit trails, and opt-out management built in. Make thousands of calls without compliance risk.
Start Your Compliant AI Campaign →