There is a legal route to call a TPS-registered number for marketing. It exists, it is written into PECR, and it is narrower than most sales teams assume. If you read it as a green light to dial whoever you like as long as a tickbox somewhere went green, you will end up on the wrong side of an ICO investigation. This article walks through what the exception actually says, what counts as evidence, and how to keep records that hold up.

The PECR exception: specific prior consent of the subscriber

Regulation 21 of the Privacy and Electronic Communications Regulations prohibits unsolicited live marketing calls to anyone registered with the TPS, with one exception: where the subscriber has previously notified the caller that they consent to such calls. The ICO interprets that as specific, prior, freely given consent from the person whose line it is. The wording is short and the bar is high. See the ICO Guide to PECR for the regulator's own framing.

See also our broader explainer on PECR for how the rules sit across calls, texts, and email.

What "specific" means

Specific consent has to be tied to the type of communication you are about to make. A subscriber consenting to "marketing" in general is not the same as consenting to live phone calls. Consent to receive a newsletter is not consent to be cold-called.

The ICO's guidance pushes you to be precise about three things:

  • The channel. Live telephone calls, named as such.
  • The caller. Your organisation, named at the point of consent. "Us and our partners" is not naming the caller.
  • The topic, where relevant. If consent was given for calls about pensions, do not phone them about solar panels.

What "prior" means

Prior means the consent was given before the call, by the subscriber, and that you can show when. In practice that has three sub-tests.

  • Granular. A separate, opt-in action for phone marketing. Not bundled into the main "I agree to the terms" tickbox.
  • Recent enough to still be meaningful. PECR does not set a fixed shelf life, but stale consent is a routine ICO criticism. If someone ticked a box four years ago and you have not spoken to them since, treat it as expired.
  • Evidenced. You can produce, on request, the timestamp, the source page or form, and the exact wording the subscriber saw.

What consent is not

The following are not consent for the purposes of Regulation 21:

  • Failure to opt out. Pre-ticked boxes have not been valid consent since GDPR took effect.
  • A clause buried in lengthy terms and conditions. Consent must be a positive, informed action.
  • Consent gathered by a third party for "carefully selected partners" where you, the caller, were not named. Brokered or bought consent almost never survives scrutiny.
  • Existing customer relationship by itself. Being a customer is not the same as consenting to live marketing calls.

The "soft opt-in" and why it does not rescue your call list

The soft opt-in is a separate exception that lets you market to existing customers without explicit consent, but it applies to electronic mail, meaning email and SMS. It does not cover live telephone calls. A team that has been told "we're fine, we have soft opt-in" is usually working from a misunderstanding. For live-call marketing to a TPS number, you need specific prior consent. Full stop.

How to evidence consent

Treat consent as a record, not a flag. For each consenting contact you should be able to retrieve:

  • The date and time the consent was captured.
  • The source: the form, page URL, campaign, or recorded call where it was given.
  • The channel the consent covers (live calls, in this case).
  • The exact wording the subscriber agreed to, archived, not the current version of the form.
  • Who within your organisation was named as the caller.

If any one of those is missing, you do not have defensible consent. You have a story.

Practical workflow: hide versus flag

Most TPS tooling takes a binary view: a number is either suppressed or it is not. That is the wrong shape for the consent exception. Reps need to see that a contact is TPS-registered and that valid consent exists, so the decision to dial is deliberate, not accidental.

TPSClear is built around that workflow. We flag the listing on the contact record while preserving the consent record alongside it, so whoever picks up the dialler sees the full picture before the call starts. That includes the consent timestamp, source, and wording, not just a green dot. Our CRM integration surfaces this in HubSpot, and the same data is available through the API for custom dialler builds.

What goes wrong in real cases

  • Stale consent. A tickbox from 2021 used to justify a 2026 call. The subscriber has no memory of it, complains, and the ICO agrees with them.
  • Transferred consent. Company A acquires Company B's customer list and starts calling. The original consent named Company B. It does not transfer.
  • "We bought a list." Purchased lists almost never carry valid Regulation 21 consent. The ICO has fined repeatedly on this exact pattern, and a list vendor's assurance is not a defence.
  • Bundled consent. One tickbox for terms, privacy, and marketing. Not granular, therefore not valid.
If your only evidence of consent is a row in a CSV from a list broker, assume the call is unlawful and do not make it. See the pattern of past enforcement in our ICO PECR fines round-up.

Auditing your consent records before the ICO does

A useful exercise: pick ten contacts your team plans to call this week who are TPS-registered and you believe you have consent for. For each, try to produce the timestamp, the source, the channel, and the exact wording within five minutes. If you cannot, your records are not audit-ready, and an ICO information notice will land harder than this exercise. Tighten up the capture process, then re-run the check on a fresh sample. Our TPS compliance guide covers the wider control set this fits into.

The practical close

The consent exception is real, narrow, and worth using when you have genuinely earned it. Treat it as a paperwork discipline, not a loophole. Capture consent in a form that names you, names the channel, and stands on its own; store the timestamp and the exact wording shown; refresh it when it goes stale; and put the evidence in front of the rep before they dial, not in a spreadsheet someone has to dig out after the complaint.