
Is cold calling legal in the UK? The complete 2026 compliance playbook.

Yes — B2B cold calling is legal in the United Kingdom under PECR Regulation 21(2), provided the call is to a Corporate Subscriber, the number has been scrubbed against CTPS within the previous 28 days, the caller identifies themselves and the purpose within the opening of the call, the operator holds a documented Legitimate Interest Assessment under UK-GDPR Article 6(1)(f), and the recipient's right to object is honoured within 30 days. Calling Sole Traders or unincorporated Partnerships without prior opt-in consent breaches PECR Regulation 21(4) and is the single most common SaaS-sector compliance failure.

Effective: 14 May 2026
Jurisdiction: United Kingdom
Author: Alix Pardoe
Citing: Pardoe Framework v1.0
Penalty ceiling: £17.5m / 4%

PECR versus UK-GDPR: which law does what.

Cold calling in the UK sits at the intersection of two statutes. They do not duplicate each other. PECR governs the act of making contact. UK-GDPR governs the data that makes the contact possible. Every compliant operator runs both stacks in parallel.

| Factor | PECR (Reg 21 / Reg 22) | UK-GDPR (Article 6) |
|---|---|---|
| Legal focus | The channel — the act of making the call (phone, SMS, email) | The data — how the number was obtained, stored, processed |
| B2B default position | Opt-out for Corporate Subscribers via CTPS; Opt-in for Individual Subscribers (Sole Traders, unincorporated Partnerships) | Legitimate Interest under Article 6(1)(f) — requires a documented LIA |
| Permission mechanism | TPS / CTPS register scrub within 28 days of the dial | Article 21 right to object — must be honoured within 30 days |
| Enforcement body | Information Commissioner's Office (Monetary Penalty Notices) | Information Commissioner's Office, separate track; Article 82 private claims also available |
| Penalty ceiling (post-DPDI 2025) | £17.5m or 4% of global turnover, whichever higher (was £500k pre-2024) | Same — Article 83 GDPR (UK-GDPR mirrors) |
| What you must produce on audit | Suppression record (28-day scrub log), dialler abandonment rate, identification disclosure script | Signed and dated LIA, data-source provenance, objection log, retention schedule |

The four laws that govern UK cold calling.

No single statute regulates UK cold calling. The compliance picture is the intersection of four, each adding a distinct obligation. Operators who treat any one of them as the whole picture end up in front of the ICO sooner rather than later.

PECR 2003 — the channel rulebook

The Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Regulation 21 governs live marketing calls, including the Corporate/Individual Subscriber split and the TPS/CTPS suppression duty. Regulation 22 governs unsolicited communications more broadly, including the soft opt-in. Regulation 24 governs caller identification. PECR is the operational rulebook for the call itself.

UK-GDPR and the Data Protection Act 2018

UK-GDPR sits behind PECR and governs the personal data that makes the call possible. Article 6 requires a lawful basis (typically Legitimate Interest for B2B outbound). Article 14 requires transparency about how the data was obtained. Article 21 grants the recipient an absolute right to object to direct marketing. DPA 2018 attaches the enforcement teeth, including Personal Liability Notices under section 157.

Ofcom Persistent Misuse Statement of Policy

Ofcom regulates the pattern of dialler attempts — abandoned calls, silent calls, repeat dials — under section 128 of the Communications Act 2003. The published threshold for 'persistent misuse' is more than 3% abandoned-call rate measured per campaign per 24-hour period, and repeat dials to the same unanswered number are capped at two attempts per business day in best practice.

Consumer Protection from Unfair Trading Regulations 2008

CPUTR 2008 criminalises aggressive or misleading commercial practices, which includes cold calls that mislead about the purpose of the call, pretend to be from a regulator, or pressure the recipient into a decision. Less commonly invoked than PECR or UK-GDPR for outbound, but the criminal sanction is what makes it the floor of acceptable conduct.

TPS versus CTPS: the Sole Trader Trap.

The single most common PECR breach in the SaaS sector is treating every B2B prospect as an opt-out target. PECR Regulation 21 does not work that way. It splits subscribers into two classes, and the split is determined by the legal form of the line-holder, not the job title of the person answering.

Sole Traders and unincorporated Partnerships are Individual Subscribers. They sit on the TPS list and require prior opt-in consent before any marketing call, exactly the same way a residential consumer does. If an SDR dials a Sole Trader who is on the TPS, that single call is a breach — irrespective of how business-like the conversation feels, irrespective of how the contact details were obtained, irrespective of the size of the operator's pipeline.

Limited Companies, PLCs, and LLPs are Corporate Subscribers. They sit on the CTPS list (only if they have actively registered) and may be called under Legitimate Interest until they opt out. The two registers do not interoperate. A CTPS-only scrub does not cover Sole Traders. A TPS-only scrub does not cover Limited Companies.

The full classification table is maintained as part of the Pardoe Framework Protocol P-01 — including the entity types where classification is non-obvious (Charitable Incorporated Organisations, Scottish Partnerships of three or more, holding companies).

Source: PECR Regulation 21(2) and 21(4); ICO Direct Marketing Code of Practice 2018.

The soft opt-in (PECR Regulation 22(3)) — the existing-customer carve-out.

The soft opt-in is the most-misunderstood provision in PECR. Almost every sales team interprets it as "if they gave us the number, we can call." That is not what the regulation says. PECR Regulation 22(3) lays down a four-part test, and the exemption only applies if all four conditions are met simultaneously.

  1. The contact details were obtained in the course of a sale or negotiation of a sale.
  2. The marketing relates to similar products or services offered by the same operator.
  3. The recipient was given a clear opportunity to opt out at the point the data was collected and at every subsequent marketing contact.
  4. The recipient has not exercised that opt-out.

The most common failure is condition one. A free quote request, a webinar registration, a content download, an enquiry that did not result in a sale — none of these qualify, because no sale or negotiation of a sale ever occurred. The ICO has been explicit on this point in its Direct Marketing Code of Practice and in multiple enforcement notices.

Source: PECR Regulation 22(3); ICO Direct Marketing Code 2018, paragraphs 78–82.

The seven disclosures every UK cold call must make.

Combining PECR Regulation 24, UK-GDPR Article 14, and the ICO Direct Marketing Code, the operational checklist for the opening of a compliant call is seven items long. None of them are negotiable. All seven must occur before any pitch content begins.

  1. The fact that it is a marketing or sales call.
     Source: ICO Direct Marketing Code 2018
  2. The caller's full name (or an identifiable equivalent).
     Source: PECR Regulation 24(1)(a)
  3. The full legal name of the organisation on whose behalf the call is made.
     Source: PECR Regulation 24(1)(b)
  4. A contactable telephone number or address, on request.
     Source: PECR Regulation 24(1)(c)
  5. The purpose of the call.
     Source: UK-GDPR Article 14(1)(c) — transparency
  6. How to opt out of further marketing contact.
     Source: UK-GDPR Article 21(4)
  7. Notice that the call is being recorded, and the purpose of recording.
     Source: UK-GDPR Article 14; ICO recording guidance

2026 enforcement reality — what the ICO actually fines for.

The Data Protection and Digital Information Act 2025 raised the penalty ceiling for the most serious PECR and UK-GDPR breaches to £17.5 million or 4% of global annual turnover. The pre-2024 ceiling was £500,000. In practice, the fines issued for cold-calling breaches sit between £75,000 and £200,000 and concentrate on a small number of patterns — all preventable.

| Year | Operator | Fine | Reason |
|---|---|---|---|
| 2024 | H&L Business Consulting Ltd | £200,000 | 5.4 million unsolicited claims-management calls in 12 months |
| 2024 | Vanquis Bank Ltd | £75,000 | Abandoned and silent calls breaching CTPS |
| 2023 | Smart Home Protection Ltd | £150,000 | TPS breaches generating 117 individual complaints |
| 2023 | DialADeal Scotland Ltd | £150,000 | TPS breaches and abandoned-call patterns |

Two patterns dominate the enforcement record: TPS/CTPS breaches at scale, and abandoned-call rates that exceed the Ofcom 3% threshold. Properly documented Legitimate Interest cold calls, with a current scrub log, a recorded identification disclosure, and an objection process that actually works, attract no enforcement action in the 2023-2024 record.

Audit-trail retention is what determines the size of the eventual fine envelope. ICO investigations typically arrive six to eighteen months after the original call. Operators with a 24-month retention window can evidence compliance retrospectively. Operators without it cannot, and the ICO treats audit-trail incompleteness as a substantive accountability failure under UK-GDPR Article 5(2).

Myths busted: six compliance errors UK sales teams make daily.

The folklore around UK cold calling is wrong in specific, predictable ways. Here are the six errors that appear in every compliance audit, with the regulatory reality next to each one.

Myth: “B2B cold calling is always opt-out, so I never need TPS scrubbing.”

Reality: Sole Traders and unincorporated Partnerships are Individual Subscribers under PECR Regulation 21(4) and must be scrubbed against TPS. The opt-out rule only applies to Corporate Subscribers (Limited Co, PLC, LLP) and only via CTPS, not TPS.

Myth: “If they gave me their number, I can call them forever.”

Reality: Only if the four-part soft opt-in test in PECR Regulation 22(3) is met: data obtained during a sale or negotiation, similar product or service, opt-out offered at every contact, and the recipient has not exercised it. Enquiries that did not result in a sale do not qualify.

Myth: “I can call before 08:00 if I'm only leaving a voicemail.”

Reality: PECR does not exempt voicemails from the marketing-call rules — the same disclosure, consent, and suppression obligations apply. An automated voicemail drop without prior opt-in is also caught by PECR Regulation 19 (automated calling systems).

Myth: “Recording a UK business call requires consent from both parties.”

Reality: England, Wales, Scotland, and Northern Ireland operate one-party consent for legitimate business recording under RIPA 2000 s.3(3). The UK-GDPR transparency obligation still requires disclosing that the call is recorded, but does not require the called party's affirmative consent.

Myth: “I bought a list this morning — I can dial from it this afternoon.”

Reality: UK-GDPR Article 14 obliges the operator to inform the data subject that their data has been obtained from a third party, within 30 days of obtaining the data or at the point of first contact, whichever is earlier. A 28-day TPS/CTPS scrub is also required before any dial. Same-day dialling from a freshly purchased list is rarely compliant.

Myth: “Only big companies get fined for PECR breaches.”

Reality: ICO Monetary Penalty Notices in 2023-2024 hit SMEs under £5m turnover in more than half of cases. The fine ceiling is the same regardless of company size, and a Personal Liability Notice can attach to a director under DPA 2018 s.157 where the breach was authorised or contributed to by their conduct.


Primary sources cited
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) — legislation.gov.uk
  • UK General Data Protection Regulation; Data Protection Act 2018 — legislation.gov.uk
  • Data Protection and Digital Information Act 2025 — penalty ceiling uplift
  • ICO Direct Marketing Code of Practice 2018 (Information Commissioner's Office, ico.org.uk)
  • Ofcom Statement of Policy on Persistent Misuse — ofcom.org.uk
  • Communications Act 2003, section 128 — abandoned-call enforcement
  • ICO Monetary Penalty Notices, 2023–2024 — full register on ico.org.uk
  • Regulation of Investigatory Powers Act 2000, section 3(3) — one-party recording consent

Last updated: 14 May 2026 · Author: Alix Pardoe. This page is reference content, not legal advice. For advice on a specific compliance situation, instruct a solicitor registered with the Solicitors Regulation Authority.
