Skip to content
a.
AP SALES COACH
ManifestoBlogPricing
← BLOGCOLD CALL PLAYBOOK4 May 20269 MIN READ

UK cold calling laws 2026 — PECR, GDPR, and the rules for B2B outbound

Cold calling is legal in the UK, but the rules around who you can call, when, and what records you need to keep are stricter than most reps realise. Practical version. Not legal advice.

Cold calling is legal in the UK. Most outbound is fine. But the rules around who you can call, when, and what records you need to keep are stricter than most reps realise — and the fines for getting it wrong start at £500,000 for serious cases.

This is the practical version. Not legal advice. If you're running a sales team that does 1,000+ dials a week, get a real lawyer. If you're a freelancer doing 50 a week, this post is enough to keep you on the right side of the line.

Updated: May 2026.

The two laws that matter

UK cold calling sits at the intersection of two regulations:

  1. PECR (Privacy and Electronic Communications Regulations 2003, amended) — covers HOW you can contact people and what consent you need.
  2. UK GDPR — covers WHAT data you can store about them and how.

PECR governs the call itself. GDPR governs what happens after. Both are enforced by the ICO (Information Commissioner's Office). Both have real teeth.

Who you can cold-call

The headline: B2B is mostly fine. B2C is mostly not.

Limited companies (Ltd, PLC) — fair game by default

You can cold-call any UK limited company without prior consent, as long as:

  • The number is NOT registered with the Corporate Telephone Preference Service (CTPS). Free check, takes 30 seconds.
  • You're calling for B2B purposes.
  • You stop calling immediately if they ask you to.

This covers about 95% of UK businesses. CTPS-registered numbers are a small minority but checking is mandatory.

Sole traders + partnerships — count as individuals

This is the trap. Sole traders and partnerships are legally treated as individuals under UK law. That means they need to NOT be on the regular Telephone Preference Service (TPS) — same register, but for personal numbers.

If you're cold-calling a list of "small UK businesses" without separating sole traders from limited companies, you're probably violating PECR on the sole traders. Most lead-gen agencies don't tell you this.

Consumers (B2C) — almost always need prior consent

Cold-calling consumers requires explicit prior consent or a "soft opt-in" (they were already a customer or actively requested information). Cold lists, scraped numbers, third-party data — almost always not allowed for B2C.

Don't do consumer cold-calling unless you've got proper consent infrastructure in place. The fines are not worth it.

When you can call

There's no legally mandated cutoff hour, but practical guidelines:

  • B2B: 9am-5pm Mon-Fri is safest. Calling outside business hours raises complaint risk even if technically legal.
  • B2C (with consent): 8am-9pm Mon-Sat is the industry standard. Sundays vary.
  • Bank holidays: avoid them. Complaints go up; conversion goes down.

The ICO publishes complaint data quarterly. Calls before 9am or after 6pm generate disproportionate complaint volume. Stay in business hours unless you've got a specific reason.

What you have to do every call

For every cold call, you must:

  1. Identify yourself and your company within the first few seconds.
  2. Provide a contact address if asked (not just the phone number).
  3. Stop calling that number if they tell you to.
  4. Keep a do-not-call (DNC) list of anyone who's asked you to stop, and check it before every dial.

The DNC list is the part most reps skip. If someone says "don't call me again" and you call them back six weeks later, that's a separate offence — even if they're a B2B contact.

What data you can keep (GDPR side)

Once a call connects, you start collecting personal data — even if it's just "I called this number, this person answered, they said this." UK GDPR governs all of it.

Headline rules:

  • Lawful basis: you need one of six lawful bases to process personal data. For B2B cold-calling, "legitimate interest" is the standard one — but you have to document the assessment.
  • Data minimisation: only collect what you need. "Notes from the call" is fine. "Background research dump including their kid's name from LinkedIn" is not.
  • Retention: define how long you'll keep the data. Most B2B sales orgs settle on 24-36 months for inactive leads, indefinitely for active prospects.
  • Subject access requests: if someone asks "what data do you have on me?" you have 30 days to respond. Have a process for this.
  • Data breach: if you have a breach, report it to the ICO within 72 hours. Yes, including a stolen laptop with prospect notes.

Most freelancers and small teams handle this with a CRM that tracks call notes + a clear retention policy in their privacy page. Don't overengineer it; do not skip it.

The £500k fines that aren't theoretical

The ICO has issued fines in the £100k-£500k range for:

  • Calling TPS-registered numbers (multiple lead-gen companies)
  • Calling without identifying themselves
  • Failing to honour DNC requests
  • Buying lists from data brokers and not checking the source

The fines are typically for repeat or systematic offences, not one-off mistakes. But "systematic" can mean as little as 50-100 violations across a dialer over a few months. If you're running a sales team, you can rack that up in a week without realising.

The honest read for solo cold-callers and small teams

If you're doing this solo or with a small team:

  1. Build your own list from public sources (Companies House, LinkedIn, Google Business) — don't buy.
  2. Check CTPS/TPS before every dial — there are tools that integrate this into your dialer.
  3. Keep a do-not-call list — if someone says stop, they're tagged forever.
  4. Stick to limited companies unless you've explicitly verified soft opt-in for sole traders.
  5. Have a one-page privacy policy explaining what you collect and why.
  6. Stay in business hours.

That covers 95% of the legal exposure for 5% of the work of doing it "properly." The remaining 5% only matters if you're scaling to enterprise volume — at which point you should have a real lawyer review your setup.

What this has to do with AP Sales Coach

Nothing directly. AP Sales Coach is a coaching tool, not a compliance tool. We don't dial for you, we don't manage your list, we don't process consent.

But: structured calling is harder when your script is in a doc you can't read. The post that prompted me to write this one was the "send me an email" rebuttal — when a prospect asks "how did you get my number," you need an honest, specific answer ready in five seconds. With AP Sales Coach that answer is on screen by the time they finish the question. With a Notion doc you wing it, and "we have a database" comes out of your mouth before your brain catches up.

Compliance isn't a feature. It's an operating discipline. The tools you use should make it easier to do the right thing, not harder.

— Alix Founder, APLeads

This post is general information, not legal advice. UK regulations change; consult a solicitor for specific compliance questions. Last updated May 2026.

READY TO TRY IT?

Stop freezing on the line that goes off-script.

7-day free trial. £0.00 today. £14.50/mo founding rate locked for life if you're one of the first 50.

APSALESCOACH

the earpiece for cold calls

Field notes — every fortnight

Product

HomePricingFoundingWaitlistFounderUpdatesScript builderDownloadRoadmapChangelogStatusSecurityManifestoAboutBlogAffiliatesPress kit

Contact

SupportBillingFeedbackAffiliatesPartnershipsPressPrivacy / GDPRSecurity disclosureLegal

Legal

Terms of ServicePrivacy PolicyData Processing AgreementAcceptable Use PolicyRefund PolicyCookie PolicyAffiliate Program TermsDMCA — Notice & TakedownSub-processorsYour dataExport your dataDelete your accountEmail preferences

Company

AP Leads Ltd
Founded 2024 by Alix Pardoe
Company No. 16178226
Unit 22 Ensign Business Centre, Westwood Way, Coventry, CV4 8JA

apleads.co ↗

© 2026 APLEADS LIMITED · BUILT IN THE UK

APLEADS / COACHv1.0