If you only read the headlines, you would be forgiven for thinking the ICO rarely acts on nuisance calls. The reality is the opposite. The Information Commissioner's Office has been issuing monetary penalties under the Privacy and Electronic Communications Regulations (PECR) for more than a decade, and the pace has not slowed. The full register is public, updated continuously, and surprisingly readable. If you run a UK calling operation, it is the single most useful document you can study, because it shows in plain language what the regulator considers unacceptable and what it considers reasonable.
This article does not name specific companies or quote exact penalty amounts. Numbers shift on appeal, names change, and the lessons are in the patterns rather than the line items. If you want the cases themselves, the official enforcement register is linked at the bottom of this page. What follows is a guide to the recurring themes the ICO returns to year after year, and what those themes mean for any organisation that picks up a phone with a marketing intent.
The legal cap on PECR penalties
PECR monetary penalties are capped at £500,000. That ceiling sits in the parent legislation rather than in PECR itself, and it has remained the headline figure through every recent enforcement cycle. It is worth understanding the history briefly, because it is often misreported. The cap was tightened, then settled, under the Data Protection Act 2018 framework, and the same Act re-anchored the ICO's power to fine PECR breaches at that level. UK GDPR penalties run considerably higher, into the tens of millions, but those higher caps only apply when the conduct is also a breach of UK GDPR. A pure PECR breach (an unsolicited marketing call to a TPS-listed number, for instance) sits under the £500k ceiling.
That cap is not a target. Most penalties land well below it. But £500k is a real number, and the ICO has applied it at the upper end of the range when the volume and recklessness of the conduct warrant it. Smaller operators who assume they are too low-profile to attract attention have been fined into insolvency on facts that, on paper, looked routine.
Pattern 1: high-volume unsolicited calls to TPS-listed numbers
The most common factual basis for a PECR penalty is the simplest one. A company runs an outbound dialler, the dialler hits TPS-listed numbers in volume, the recipients complain, and the ICO investigates. Regulation 21 of PECR is unambiguous on this: you cannot make unsolicited direct marketing calls to a subscriber whose number is on the TPS register, unless that subscriber has notified you specifically that they do not object to such calls from you.
The ICO does not need to prove harm. It does not need to count every call. A sample of complaints, a representative dataset, and evidence that TPS screening was not applied (or was applied superficially) is usually enough. Penalties in this category scale with volume, repeat conduct, and how dismissive the operator was when challenged. For the operator-side perspective on how often you should be screening, see how often you should check the TPS.
Pattern 2: ignoring opt-outs and failing to maintain a do-not-call list
PECR places a separate, standalone duty on callers to honour opt-out requests. Even if a number is not on the TPS, once the called party tells you to stop, you must stop. The ICO repeatedly fines organisations that treat opt-outs as a suggestion rather than an instruction. Common factual patterns include:
- Opt-out requests captured by agents but never written back to the dialler
- Internal do-not-call lists that exist on paper but are not enforced at dial time
- Suppression files that reset when CRM data is reimported from a list broker
- Recycled leads where the previous opt-out is silently overwritten
The pattern is technical as much as cultural. An organisation that genuinely intends to honour opt-outs but lets them leak through a poorly designed pipeline is, from the regulator's perspective, in the same position as one that ignores them deliberately.
Pattern 3: lead-generation chains where the caller had no direct consent
This is the pattern that catches out otherwise compliant operators. A company buys leads from an aggregator, who bought them from a publisher, who collected them through a survey or a competition with vague consent language. The end caller relies on a chain of consent that, when the ICO traces it, falls apart at the publisher tier. Either the original consent was not specific enough to cover the eventual caller, or the consent never named the caller at all, or the privacy notice was so generic that it could not constitute valid consent under PECR or UK GDPR.
The ICO has been clear and consistent: the calling party is responsible for the legality of the call. A contract with a lead vendor that says "all leads are consented" does not transfer that responsibility. If you cannot reproduce the actual consent record, name the data controller who collected it, and show that the consent was specific enough to cover your call, you are exposed. For the underlying rules on consent and TPS, see calling a TPS-listed number with consent.
Pattern 4: misleading caller-ID or withheld numbers
PECR requires that, for direct marketing calls, the caller either presents a valid caller-ID that the recipient can call back, or provides a contact number during the call. Withholding the number, spoofing it, or presenting an unmonitored number that goes nowhere is a separate breach. The ICO treats this seriously because it directly impedes the recipient's ability to complain or to opt out.
Penalties in this category are often combined with breaches under Patterns 1 or 2, because the same operators who ignore TPS tend to also obscure their identity. But the breach stands on its own. A perfectly TPS-screened campaign that runs with a withheld CLI (calling line identity, the number presented to the recipient) is still in breach.
Pattern 5: automated calls without specific consent
Automated marketing calls (recorded messages, predictive systems that play a prompt before connecting an agent, broadcast voice campaigns) sit under a stricter regime than live operator calls. Regulation 19 of PECR requires specific, prior consent from the recipient for automated marketing calls, full stop. TPS status is not the test. A general marketing opt-in is not the test. The recipient must have agreed specifically to receive automated calls.
The ICO has fined operators heavily for running automated campaigns under generic consent language. The justification often given (that the recipient ticked a box somewhere) does not survive scrutiny once the regulator looks at the wording. If you are running an automated dialler at any volume, your consent capture process deserves a dedicated legal review, separate from the rest of your marketing consent flow.
What the ICO reduces or does not contest
Reading the register from the other direction is also instructive. Some organisations are fined and some are not, on similar-looking facts. The difference is usually visible in the decision notice. Operators who cooperate early, produce a clean audit trail, demonstrate a proportionate suppression process, and act on complaints quickly tend to attract reduced penalties or enforcement notices rather than fines. Operators who stonewall, delete records, or claim ignorance of obligations they were already subject to tend to attract the upper end of the range.
The audit trail is doing most of the work here. An organisation that can produce a screening log, a suppression history, a consent record, and a complaint response timeline is in a fundamentally different posture from one that cannot. That posture often determines whether the matter is closed with a warning or published as a penalty.
Director liability is real
Since 2018, the ICO has had the power to fine company directors personally where the breach was committed with their consent or connivance, or was attributable to their neglect. The cap on personal director penalties is £500,000, the same as the corporate cap, and the two penalties can run together. The regulator does not use this power constantly, but it has used it, and it is most often deployed against directors of phoenix companies (entities that dissolve and re-emerge to escape corporate fines).
For directors of legitimate operations, the practical implication is that signing off a marketing strategy without understanding its compliance basis is not just a corporate risk. It is a personal one.
Practical lessons
- Screen continuously, not seasonally. The TPS register changes daily. A list cleaned at the start of a campaign is dirty by the end of it.
- Keep the screening log. Record the timestamp, the dataset, the register version, and the suppression action. Do this automatically rather than manually.
- Honour opt-outs at the dialler, not just the CRM. Make sure opt-outs cannot be silently overwritten by reimport.
- Audit your lead chain. If you buy leads, periodically request the original consent record for a sample. If the vendor cannot produce it, treat that as a failure of the whole pipeline.
- Treat automated calls as a different product. The consent required is specific and narrow. Do not assume your general consent flow covers it.
- Present a real CLI. A monitored number that the recipient can ring back is part of the legal obligation, not a courtesy.
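The opt-out leakage described under Pattern 2 and the screening and logging steps in the practical lessons above come down to a small amount of pipeline logic that is easy to get wrong. The following is an added example written for this article, not TPSClear's code or any part of the ICO's guidance. It assumes a working contact list keyed by normalised UK number, a TPS register loaded as a set of numbers, and a per-contact `consent_ref` pointing at a stored consent record; all numbers, register contents and import rows are constructed (the 07700 900xxx range is reserved for fiction). It shows a merge that keeps opt-outs sticky across a reimport beside the naive merge that silently clears them, and a dial-time screen that writes one audit line per decision with the timestamp, dataset, register version and suppression action.

```python
"""Dial-time suppression with an audit trail (constructed example)."""
from datetime import datetime, timezone
import re


def normalise(number: str) -> str:
    """Canonicalise a UK number to +44 form so list comparisons are exact."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+44"):
        digits = "0" + digits[3:]
    elif digits.startswith("0044"):
        digits = "0" + digits[4:]
    if not digits.startswith("0"):
        raise ValueError(f"not a UK number: {number!r}")
    return "+44" + digits[1:]


def naive_merge(existing: dict, imported: list) -> dict:
    """The leaky version: the imported row wins outright, so a recycled
    lead arriving with opted_out=False wipes an earlier 'stop calling me'."""
    merged = dict(existing)
    for row in imported:
        key = normalise(row["number"])
        merged[key] = {"number": key, "opted_out": row.get("opted_out", False),
                       "consent_ref": row.get("consent_ref")}
    return merged


def merge_import(existing: dict, imported: list) -> dict:
    """Merge a broker/CRM export without losing opt-outs: once set, no
    import may clear the flag. A consent reference may be added by an
    import only if the row actually carries one."""
    merged = dict(existing)
    for row in imported:
        key = normalise(row["number"])
        prior = merged.get(key, {})
        merged[key] = {
            "number": key,
            "opted_out": prior.get("opted_out", False) or row.get("opted_out", False),
            "consent_ref": prior.get("consent_ref") or row.get("consent_ref"),
        }
    return merged


def screen(contacts: dict, tps: set, register_version: str, dataset_id: str, now=None):
    """Decide per number whether the dialler may call it, and record one
    audit line per decision. Opt-out is checked first (standalone duty);
    a TPS-listed number is dialled only with a named consent record."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    dial, log = [], []
    for key, c in sorted(contacts.items()):
        if c["opted_out"]:
            action = "suppress:opt_out"
        elif key in tps and not c.get("consent_ref"):
            action = "suppress:tps"
        else:
            action = "dial"
            dial.append(key)
        log.append({"ts": stamp, "dataset": dataset_id, "register": register_version,
                    "number": key, "action": action, "consent_ref": c.get("consent_ref")})
    return dial, log


# --- constructed sample data (hypothetical numbers and identifiers) ---------
TPS_REGISTER = {normalise(n) for n in ["07700 900001", "+44 7700 900002"]}
WORKING_LIST = {
    "+447700900001": {"number": "+447700900001", "opted_out": False, "consent_ref": None},
    "+447700900003": {"number": "+447700900003", "opted_out": True, "consent_ref": None},
}
BROKER_IMPORT = [
    {"number": "07700900003", "opted_out": False},          # recycled lead: opt-out must survive
    {"number": "0044 7700 900002", "consent_ref": "web-form-0042"},  # TPS-listed, consent on file
    {"number": "07700 900004"},
]


def run():
    """Return (safe dial list, leaky dial list, audit log) for the sample data."""
    safe = merge_import(WORKING_LIST, BROKER_IMPORT)
    leaky = naive_merge(WORKING_LIST, BROKER_IMPORT)
    safe_dial, log = screen(safe, TPS_REGISTER, "tps-snapshot-A", "campaign-07")
    leaky_dial, _ = screen(leaky, TPS_REGISTER, "tps-snapshot-A", "campaign-07")
    return safe_dial, leaky_dial, log


if __name__ == "__main__":
    safe_dial, leaky_dial, log = run()
    print("safe merge dials :", safe_dial)
    print("leaky merge dials:", leaky_dial)
    for entry in log:
        print(entry)
```

With the sample data the safe merge dials two numbers (the TPS-listed one with a consent reference and the fresh lead) while the leaky merge also dials the number that had opted out, which is exactly the Pattern 2 leak. The audit log is the artefact the register shows operators being judged on: every decision carries the register snapshot and dataset it was made against, so it can be reproduced later.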
For the broader regulatory context, see our explainer on PECR and the TPS compliance guide. For how TPSClear handles ongoing screening inside HubSpot and other CRMs, see CRM integrations; for the API, see developers.
Where to read the actual cases
The ICO publishes its enforcement actions, including PECR penalty notices, monetary penalty notices, enforcement notices, and prosecutions, on its public register. Each entry includes the decision notice, which sets out the facts the regulator relied on and the reasoning behind the penalty. For anyone responsible for telephone marketing compliance, reading a few decision notices in full is more useful than any summary, including this one.
The register is here: ico.org.uk/action-weve-taken/enforcement. Filter by sector, by date, or by the type of action. The patterns described above will repeat in front of you within a few entries.