Is it illegal to call TPS numbers? The rules, the exceptions, the penalties

The short answer: yes, with exceptions

Yes, it is illegal: an unsolicited live marketing call to a TPS or CTPS-registered number breaches regulation 21 of PECR, and the ICO can fine the caller up to £500,000 for serious breaches. The main exception is specific prior consent from that subscriber. Genuine service calls, market research, and debt collection on existing accounts are not marketing calls and are unaffected.

People who ask me this have usually just found TPS-registered numbers on a list they already called, or one they were about to. The two excuses that come up first, "the list was bought screened" and "it's a business number", are the ones to watch; neither holds.

The rule: regulation 21 in plain English

Regulation 21 of the Privacy and Electronic Communications Regulations 2003 prohibits unsolicited live marketing calls to any number registered with TPS or CTPS, unless the subscriber of that number has notified you that they consent to your calls. That is the whole rule. It binds a one-adviser firm working referrals as much as a dialler floor; there is no volume threshold and no small-business carve-out. If the call is live, promotes something, and was not invited, regulation 21 applies to it.

The registers are big. TPS holds around 28 million consumer numbers and CTPS around 3 million corporate ones. One timing detail matters: a registration becomes legally enforceable 28 days after the number joins the register, so a number added last Tuesday is not yet actionable. I would not build anything on that gap. For how PECR sits alongside UK GDPR more broadly, see PECR explained.

When is it legal to call a TPS number?

There are genuine exceptions, and there are excuses that sound like them.

Specific prior consent

If the subscriber has notified you that they consent to receiving your marketing calls, you can call them despite the registration. The word doing the work is "specific": consent from that subscriber, given to you, covering calls. A box the person ticked themselves, on your form, naming telephone marketing, is the right shape. A vague clause about "trusted partners" buried in someone else's privacy policy is not. Consent also ages, and an old opt-in is hard to defend. I have written up what counts, what fails, and how to record it in can you call a TPS number with consent.

Calls that are not direct marketing

Regulation 21 covers direct marketing calls. A genuine service call (your delivery is delayed, your renewal needs a decision), bona fide market research, or chasing a debt on an existing account is not marketing, and TPS registration does not prohibit it. The trap is the hybrid call. A "courtesy call" that ends in an upgrade pitch is a marketing call, and the friendly opening will not save it. If any part of the call sells, treat the whole call as marketing and screen it accordingly.

Claims management and pensions: stricter still

Two sectors run on tighter rules than the rest of us. Regulation 21A covers claims management calls and regulation 21B covers pension cold calls, and both are opt-in regimes (21B with narrow exceptions). Under those rules TPS status stops being the test; you need a recorded opt-in before any call, whether the number is registered or not. If you operate in either sector, TPS screening is only the start.

What is not an exception

"We bought the list and the seller said it was screened" is not an exception. The screening obligation is yours, and a supplier's assurance does not discharge it. "It's a B2B number" is not an exception either. Limited companies and other corporate bodies register on CTPS, and regulation 21 covers CTPS exactly as it covers TPS. Sole traders and some partnerships are treated as individual subscribers, so the builder or consultant you think of as a business may be sitting on the consumer register. The full TPS compliance guide walks through both registers in more detail.

What is the fine for calling a TPS number?

The ICO can issue monetary penalties of up to £500,000 for serious PECR breaches. Since December 2018 it can also fine company officers personally, up to £500,000 each, where the company's breach happened with their consent, connivance or neglect. Where that test is met, dissolving the company does not remove the personal exposure.

Fines are not the only instrument. The ICO issues enforcement notices ordering an organisation to stop, and breaching an enforcement notice is a criminal offence. I have collected the recent cases, the amounts, and what triggered each one in recent ICO fines and what triggered them.

What compliant teams actually do

1. Screen every number before it is dialled, not only at import.
2. Document consent at the point you collect it: the date, the source, and the wording the person saw.
3. Re-screen as registrations change. TPS is not static; people join it every day, and a number that was clean at import may not be clean at dial-time.

The DMA standard is that TPS reference data should be refreshed at least every 28 days. I treat that as the floor rather than the target.

This is the problem TPSClear exists for. It screens UK TPS and CTPS in real time inside HubSpot, writing a verdict back within seconds of a phone-number change (Safe to call, Do not call (TPS-listed), Do not call (CTPS-listed)), with a daily backfill sweep behind it. Register data licensing is completed during account activation, before your first screen. The mechanics are on how it works, alongside the compliance commitments we make. None of this moves the legal responsibility, which stays with the caller. It closes the gap between your last batch check and your next call.

One-line conclusion

Calling a TPS or CTPS-registered number with unsolicited live marketing is a PECR breach with a £500,000 ceiling; treat the registration as a hard stop unless you hold that subscriber's specific consent, and be able to prove the check happened before the dial.