If you make outbound calls to UK numbers, TPS compliance is not optional and it is not someone else's problem. The rules are older than most of the people enforcing them, the ICO publishes its monetary penalty notices in plain view, and the cost of getting it wrong has a hard ceiling that is high enough to end a small sales operation. This guide is the version I wish I had when I first had to explain the regime to a board: what the law actually says, who it applies to, where teams trip up, and how to operationalise compliance so it survives a staff change or an audit.

What TPS and CTPS actually are

The Telephone Preference Service (TPS) is the UK's official register of individual consumer telephone numbers, including mobile numbers, whose subscribers have indicated that they do not want to receive unsolicited live sales and marketing calls. The Corporate Telephone Preference Service (CTPS) is the equivalent register for corporate subscribers, covering registered company numbers and certain partnership and public-body lines. Both registers are operated under contract from the Information Commissioner's Office (ICO), and both are statutory: the obligation to screen against them sits in regulation, not in a code of practice.

The two registers are easy to confuse, and they behave differently in practice. TPS is enormous, opt-out by individual subscriber, and most consumer numbers a sales team buys from a list broker will already be on it. CTPS is smaller, registered by the corporate subscriber rather than the individual employee, and matters most when you are calling switchboards and direct dial numbers at limited companies, LLPs, Scottish partnerships, and public bodies. We cover the differences at length in our companion piece on TPS vs CTPS, and the specifically B2B picture in the B2B CTPS rules explained.

The public-facing site is tpsonline.org.uk. That is where consumers register their own numbers and where firms can buy a licence to access the data. The licence is what we hold at TPSClear under our DMA arrangement, and it is what allows a screening service to exist at all.

The legal basis: PECR, ICO, and what "unsolicited" means

The statute in question is the Privacy and Electronic Communications (EC Directive) Regulations 2003, usually shortened to PECR. Regulations 21 and 21A are the relevant provisions for live calls. Regulation 21 prohibits unsolicited calls for direct marketing purposes to individual subscribers who have either told the caller directly that they object or whose number is registered with TPS. Regulation 21A extends similar protection to corporate subscribers via CTPS. The ICO's full guidance is published in its guide to PECR, and we walk through the regulation language in detail in PECR explained.

The word that does the heavy lifting in PECR is unsolicited. A call is unsolicited if the recipient has not invited it. Inviting it means more than being a customer, more than having handed over a business card at a trade show, and more than having clicked something on a website. It means the recipient has, in a way the caller can later evidence, asked to be called for marketing purposes by that organisation. If you cannot point to that invitation, the call is unsolicited, and if the number is on TPS or CTPS, you are in breach unless a specific exception applies.

"Direct marketing" is also defined more broadly than people expect. It is not limited to sales. The ICO treats any communication of advertising or marketing material directed to particular individuals as direct marketing, and that includes promotional fundraising, promotion of aims and ideals (so political and charitable calling is in scope), market research that bundles in a sales pitch, and customer-satisfaction surveys that nudge toward a renewal. If your call has a promotional purpose, however lightly framed, treat it as direct marketing.

The ICO is the regulator. It investigates complaints, issues information notices, accepts undertakings, and serves monetary penalty notices. The civil monetary penalty cap under PECR is £500,000. That is a real number, set by Parliament, and it is the figure you should plan around when you size the risk. Penalty notices are published on the ICO website, including the underlying evidence, and they are a useful read for anyone trying to brief a sales team on what actually attracts enforcement.

Who has to comply

The obligation to screen against TPS and CTPS attaches to whoever is making the call, or whoever is instigating it. That distinction matters because it pulls in more parties than people assume.

  • In-house sales and customer success teams calling out from a CRM are plainly in scope. The data controller is the organisation, the caller is its employee, and PECR applies in full.
  • Outsourced call centres and BPOs are also in scope as the entity actually making the call. The instructing client is jointly exposed because they instigated the campaign and supplied the data. The ICO has historically pursued both.
  • Lead-generation agencies that dial on behalf of a client are in the same position as a call centre. If you are the agency, your client's screening standard is your screening standard, and you cannot rely on a contractual warranty to shield you if the data is dirty.
  • B2B-only sales teams are in scope. There is a stubborn myth that PECR is a consumer regime. Regulation 21A and the CTPS register exist precisely because corporate subscribers are protected too, and the ICO has fined B2B operations.
  • Charities, political parties, and membership bodies are in scope when their calls have a promotional purpose. Fundraising calls count. Calls about conferences and events count if the call promotes attendance or registration.
  • Marketplaces and platforms that pass leads to third parties have to think about consent capture and data sharing carefully. The platform may not make the call, but if it sold or shared the lead and represented that consent existed, it can be treated as having instigated the call.

The practical implication is that "we use a third party" is not a defence. If anything, it doubles your audit surface, because you now have to evidence both your own controls and the controls of every supplier who dials on your behalf.

The rules in plain English

Strip away the regulation language and the rules for live marketing calls reduce to a small set of statements you can hand to a sales floor.

  1. You may not make an unsolicited live marketing call to a number that is registered on TPS, unless the subscriber has specifically told you, in advance, that they are happy to be called by your organisation for that purpose.
  2. You may not make an unsolicited live marketing call to a number that is registered on CTPS, unless the corporate subscriber has specifically told you the same thing.
  3. You must not call any number, whether or not it is on TPS or CTPS, if the subscriber has previously asked you to stop calling them. That request from the subscriber takes priority over everything else, including any prior consent.
  4. Internal suppression lists exist independently of TPS and CTPS. A subscriber asking your firm to stop calling them does not register them on TPS, but it does bind your firm permanently. The ICO has fined firms for ignoring their own internal opt-outs even when TPS itself was screened correctly.
  5. You may screen, then call, only within a reasonable window. The ICO's guidance, and the DMA's, treats 28 days as the longest defensible interval between screening and dialling for most operations. Many firms now screen continuously alongside their CRM, which sidesteps the question. We discuss timing in how often you should check TPS.

The shortcut: if you cannot demonstrate, with a record, that this specific person at this specific organisation asked your specific organisation to call them, treat the call as unsolicited and screen the number. If it is on TPS or CTPS, do not dial.

The rules above apply to live human-to-human calls. Automated dialling and recorded messages have their own, stricter regime under regulation 19, which requires prior specific consent regardless of TPS status. If your stack uses any kind of voice broadcast, do not assume the TPS screening process protects you; it does not.

A point worth labouring, because it is where most teams misread the regime: the obligation runs to the subscriber, not to the person who picks up the phone. For a consumer line, the subscriber is whoever pays the bill. For a business line, the subscriber is the corporate entity. That means an employee answering a CTPS-registered switchboard cannot give you consent to ignore CTPS for the company; only the subscriber can. It also means a household where one person registered the line on TPS protects every other adult in that household. Compliance is a property of the line, not of the speaker.

The consent exception, properly explained

The single legitimate route to calling a TPS-registered number is prior, specific, recorded consent from that subscriber to receive marketing calls from your organisation. This exception is narrow on purpose and the ICO interprets it strictly. We have written a longer piece on calling a TPS-registered number with consent, but the headline rules are these.

Consent must be specific to your organisation. Generic consent given to a comparison site, a lead generator, or a "trusted partners" check box does not ordinarily transfer to you unless the original capture text named your organisation clearly enough that a reasonable person would have understood they were consenting to receive your calls. Most third-party consent fails this test on inspection.

Consent must be specific to the channel. Consent to receive emails is not consent to receive calls. Consent to be called about an existing account is not consent to receive marketing calls about a new product line. The capture wording, the privacy notice, and the channel checkbox all have to line up.

Consent must be evidenced. The ICO does not accept "we are sure they agreed". You need the timestamp, the source, the wording the subscriber saw, and ideally the IP address or other identifier. If a complaint comes in two years later, that audit record is what closes the file.

Consent can be withdrawn at any time, by any reasonable means. If a recipient asks you to stop calling, on the call, in an email, via a web form, through a third party, the request binds you immediately. You should propagate it across every system that holds that number, not just the one where the request was received.

ICO enforcement: what gets fined and what doesn't

The most useful thing you can do as a compliance owner is read the ICO's published enforcement notices for PECR. They are short, factual, and the patterns repeat. We track the patterns in our analysis of ICO PECR fines, but the recurring themes are these.

The ICO has repeatedly fined firms that did not screen against TPS at all, sometimes because the team did not know the obligation existed, more often because a new campaign or a new dataset bypassed an established screening process. Firms that buy leads and dial them within hours, without TPS screening in between, are a standing target.

The ICO has fined firms that screened, but stale. A list cleaned six months ago and dialled today does not satisfy the duty, because TPS registrations made in the intervening period were not respected. The DMA's 28-day guidance is the defensible ceiling; many enforcement cases involve gaps measured in months.

The ICO has fined firms that relied on third-party consent that turned out, on inspection, to be opt-outs from a comparison site or a "yes we will share with partners" tickbox that named no one specifically. The lesson here is that buying consented data does not transfer the compliance burden to the seller; it stays with the caller.

The ICO has fined firms that ignored their own suppression lists. This is the most embarrassing pattern because the data needed to comply already lived inside the firm. People who had asked to be left alone got called again, sometimes by a different team or after a CRM migration.

The ICO tends not to fine firms that can produce, on demand, a clean screening log, a credible consent record for the small number of TPS-registered numbers they did call, and evidence that internal opt-outs are honoured. Those firms get information notices, not penalties.

It is also worth noting what triggers an investigation in the first place. The ICO reacts to volume. A small number of complaints rarely lights anything up; a pattern across multiple complainants, often surfaced through the 7726 spam-text reporting route or via complaints aggregated by TPS itself, is what brings a firm to the regulator's desk. Firms that respond well to the first complaint, by suppressing the number, investigating the source, and writing back to the complainant, almost always close the matter at that stage. Firms that ignore complaints, or whose contact-centre scripts argue with the recipient, escalate themselves into formal action.

Risk anchor: the civil monetary penalty cap under PECR is £500,000. The ICO can issue enforcement notices alongside or instead of a fine, and individual directors and senior managers can be personally liable in narrow circumstances under the 2018 amendments. Treat the fine cap as the upper bound, not the typical outcome, and treat the reputational damage of a published penalty notice as the more likely cost.

Operationalising compliance: screening, exceptions, audit trail

Compliance is an operational problem dressed up as a legal one. The legal regime is narrow and stable; the failure mode is almost always operational. A workable compliance operation has three components.

Screening

Every number you intend to dial for a marketing purpose has to be checked against TPS, and if you call corporate subscribers, against CTPS, before the call goes out. The check has to be recent. If your stack screens at the moment of dialling, the question of recency disappears. If your stack screens overnight or weekly, you need to be confident the cadence is short enough to defend, and you need a kill-switch for new entries that get registered between screens.

Exceptions and consent

Numbers on TPS or CTPS that you intend to dial under a consent exception need an exception record attached to them, not a free-text note. The record should capture the source (campaign, form, recording), the wording shown to the subscriber, the timestamp, and the channel scope. If your CRM cannot store this structurally, you will lose it the first time someone re-imports a list.

Audit trail

When a complaint reaches the ICO, the only thing that matters is what you can produce within the response window. That is usually 28 days. The artefacts you need are: the screening log for the date the call was made, the source of the lead, any consent record relied on, the call disposition, and the suppression status of the number after the call. If any of those are missing, the firm is exposed.

Control | Minimum acceptable | What we do at TPSClear
TPS/CTPS screening cadence | Every 28 days, before any campaign | Continuous, on every relevant CRM record change
Consent record format | Source, wording, timestamp, channel | Structured exception record per number, queryable, exportable
Internal suppression | Honoured across all dialling systems | Propagated to every property and channel field on the contact
Audit response | Reproducible within 28 days | Per-number history persisted, retrievable in seconds
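
One way to encode the three components above (screening recency, structured consent exceptions, audit trail) as a single pre-dial gate for live marketing calls. This is an added example, not TPSClear's code or API: the class names, reason strings and the "phone_marketing" channel label are assumptions, and the sample numbers are constructed. Automated calls under regulation 19 are outside its scope.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_SCREEN_AGE = timedelta(days=28)  # longest screen-to-dial gap the guide treats as defensible

@dataclass(frozen=True)
class Screening:            # result of the last TPS/CTPS check for one number
    on_tps: bool
    on_ctps: bool
    screened_at: datetime

@dataclass(frozen=True)
class ConsentException:     # structured exception record, not a free-text note
    organisation: str       # who the subscriber agreed to be called by
    channel: str            # what they agreed to (assumed label: "phone_marketing")
    source: str             # campaign, form or recording
    wording: str            # text the subscriber actually saw
    captured_at: datetime
    withdrawn_at: Optional[datetime] = None

def consent_usable(c: Optional[ConsentException], organisation: str, now: datetime) -> bool:
    """Consent counts only if specific to us and to calls, evidenced, and not withdrawn."""
    if c is None or c.withdrawn_at is not None:
        return False
    evidenced = bool(c.source.strip() and c.wording.strip()) and c.captured_at <= now
    return evidenced and c.organisation == organisation and c.channel == "phone_marketing"

def pre_dial_decision(number, organisation, screening, suppressed, consent, now):
    """Return an audit record saying whether a live marketing call may be placed."""
    if suppressed:                                    # internal opt-out beats prior consent
        allowed, reason = False, "internal_opt_out"
    elif screening is None:
        allowed, reason = False, "never_screened"
    elif now - screening.screened_at > MAX_SCREEN_AGE:
        allowed, reason = False, "screening_stale"
    elif not (screening.on_tps or screening.on_ctps):
        allowed, reason = True, "not_registered"
    elif consent_usable(consent, organisation, now):
        allowed, reason = True, "registered_consent_exception"
    else:
        allowed, reason = False, "registered_no_valid_consent"
    relied_on = consent.source if reason == "registered_consent_exception" else None
    return {"number": number, "organisation": organisation, "decided_at": now.isoformat(),
            "allowed": allowed, "reason": reason, "consent_source": relied_on,
            "screened_at": screening.screened_at.isoformat() if screening else None}

if __name__ == "__main__":
    # Constructed sample data; 01632 960xxx is a UK range reserved for fictional use.
    now = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    fresh = Screening(on_tps=True, on_ctps=False, screened_at=now - timedelta(days=3))
    ok = ConsentException("Example Ltd", "phone_marketing", "web-form-2024-05",
                          "Yes, Example Ltd may call me about offers", now - timedelta(days=10))
    for suppressed, consent in [(False, ok), (True, ok), (False, None)]:
        print(pre_dial_decision("+441632960001", "Example Ltd", fresh, suppressed, consent, now))
```

Persisting the returned record per call attempt gives the per-number history the audit-trail component asks for.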

Continuous CRM-side scrubbing vs lookup-time scrubbing

The most consequential decision in the compliance stack is where the screening lives. The two architectures are very different in their failure modes.

Lookup-time scrubbing means a list is exported from the CRM, sent to a screening provider, returned cleaned, and dialled. This is how the industry worked for twenty years. It is defensible if you do it shortly before the call and you can prove you did. It fails when the cleaned list ages, when a salesperson dials from the CRM directly because the cleaned list is too old, when a re-import overwrites the cleaned flag, and when an integration drops the suppression field on its way through.

Continuous CRM-side scrubbing means the TPS and CTPS status of every relevant number lives as a field on the contact or company record inside the CRM, and is kept in sync. The dialler reads the CRM. There is no list, no export, no second copy to drift out of date. When a number is added, it is screened. When a registration changes, the field updates. The compliance posture is the state of the database, not the state of a file someone exported last week.

We built TPSClear's CRM integrations on the second model because the failure modes of the first are exactly the ones the ICO has fined firms for. Our HubSpot integration writes TPS and CTPS status to per-phone-property fields on the contact and company, refreshes on schedule, and propagates internal suppressions automatically. The same approach is being rolled out to Salesforce, Dynamics 365, Pipedrive, Zoho, and Capsule. If you would rather wire up screening yourself, the same register lives behind our REST API.

Lookup-time screening is still the right answer for one-off campaigns from agency-owned lists. For an ongoing in-house sales operation calling its own CRM, continuous CRM-side scrubbing is the architecture that actually survives a staff change, a CRM migration, and an ICO enquiry.

Quick-reference checklist

  • You hold a TPS licence, or you use a DMA-licensed provider that does.
  • Every number you dial for a marketing purpose is screened against TPS, and against CTPS if it might be a corporate subscriber, before the call.
  • The screening is either continuous or no older than 28 days at the time of the call.
  • For any TPS or CTPS number you intend to call under consent, you hold a structured exception record covering source, wording, timestamp, and channel scope.
  • Internal opt-outs propagate immediately across every dialling system and survive imports, exports, and CRM migrations.
  • Automated dialling and recorded messages are governed separately under regulation 19 and require prior specific consent regardless of TPS status.
  • You can produce, within 28 days of an ICO request, the screening log, the lead source, any consent record relied on, the call disposition, and the post-call suppression status of any number you called.
  • Outsourced callers and lead suppliers are contracted to the same standard, and you spot-check that they meet it.
  • Charity, political and membership calling is treated as direct marketing when the call has any promotional purpose.
  • Senior management has signed off on the approach, in writing, with a review date.

If you would like to see what continuous CRM-side scrubbing looks like in practice, install TPSClear on a HubSpot account and watch the per-phone status fields populate. The free tier covers most small operations end-to-end, and the paid tiers exist for volume and additional CRMs.

PECR is not a complicated regime, but it is an unforgiving one. Firms that get fined almost never get fined for misreading the law. They get fined for losing track of their own data.