Staying within the law when marketing by phone

Home
TPS and the law
Stay legal

Making marketing calls legally may be more complicated than you might think.

It can be an expensive business if you don’t stay within the law too, not to mention the potential damage it can cause to your own or your client’s reputation and brand.

Companies or its directors not meeting their legal obligations can potentially be fined up to £500,000 by the Information Commissioner's Office (ICO). Monetary penalties have been issued for making repeated marketing calls to numbers listed on the Corporate / Telephone Preference Service (C/TPS) registers and ignoring people’s objections to those calls including:

Home Energy and Lifestyle Management Ltd – £200,000
Nationwide Energy Services Ltd – £125,000
We Claim U Gain Ltd – £100,000
MyIML – £80,000
Cold Call Elimination Ltd – £75,000
EMC Advisory Services Ltd – £70,000
Omega Marketing Services Ltd – £60,000
Assist Law – £30,000
IT Project Ltd – £40,000
Brighter Home Solutions Ltd – £50,000
MyHome Installations – £50,000
HPAS Ltd (trading as Safestyle UK) – £70,000
Laura Anderson Ltd (trading as Virgo Home Improvements) – £80,000
True Telecom Ltd – £85,000
Energy Saving Centre Ltd – £250,000

Approved Green Energy Solutions – £150,000
IAG Nationwide Ltd – £100,000
Our Vault Ltd – £70,000
AMS Marketing Ltd – £100,000
Oaklands Assist UK Ltd – £150,000
ACT Response Ltd – £140,000
Secure Home Systems Ltd – £80,000
DM Design Bedrooms Ltd – £160,000
Solartech North East Ltd – £90,000
Alistar Green Legal Services – £80,000
Avalon Direct Ltd – £80,000
Smart Home Protection Ltd – £90,000
Making it Easy Ltd – £160,000
Superior Style Home Improvements Ltd – £120,000

1. The Law

To understand your obligations fully, it’s a good idea to be aware of the two main pieces of legislation relating to making marketing phone calls and processing personal data.

The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies (which is covered by the Data Protection Act 2018). It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context. See The ICO's UK GDPR guide for more details.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sets out rules for sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using automated calling systems.

PECR also covers use of cookies or similar technologies that track information about people viewing a website or other e-service; security of public electronic communications services; privacy of customers using communications networks or services including traffic and location data, itemised billing, line identification services (e.g. caller ID and call return) and directory listings. See The ICO's PECR guide for more details.

PECR have been updated a number of times. Recent changes were made in 2018, to introduce personal director liability for serious breaches and ban cold-calling of claims management services. Then in 2019 to ban cold-calling of pensions schemes in certain circumstances (see below) and to incorporate the UK GDPR definition of consent.

2. Making Marketing Phone Calls Legally

Live calls

The rules on live marketing calls are in regulation 21 of PECR. In short, you must not make unsolicited live marketing calls:

to anyone who has told you they don’t want your calls; or
to any number registered with the TPS or CTPS, unless the person has specifically consented to your calls – even if they are an existing customer.
for the purpose of claims management services, unless the person has specifically consented to your calls; or.
in relation to pension schemes unless you are a trustee or manager of a pension scheme or a firm authorised by the Financial Conduct Authority, and the person you are calling has specifically consented to your calls or your relationship with the individual meets strict criteria.

You must always say who is calling, allow your number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.

So if you’re making live calls you must:

Screen telephone numbers against the Telephone Preference Service register(s) before calling and every 28 days:
- Telephone Preference Service (TPS) – if you’re calling individuals, sole traders and/or partnerships.
- Corporate Telephone Preference Service (CTPS) – if you’re calling companies and corporate bodies (including Limited, PLC, Limited Liability Partnership, Scottish Partnership, government body, school, college and charity).
- Screen against both registers to be 100% safe.
- Use a full C/TPS licensee like 121prodata to ensure legal compliance.
Keep your own in-house do-not-call list of anyone who says they don’t want your calls. Screen lists that you call against your own do-not-call list – and do not call them.
Make sure that you do not disguise a marketing call as a market research call. This is known as ‘sugging’ (selling under the guise of research). If the call includes promotional material or collects data to use in future marketing, the call or message will be for direct marketing; you must say so and comply with the DPA and PECR direct marketing rules.

What are the rules on automated calls?

The rules on automated calls are in regulation 19 of PECR, and are stricter. You must not make an automated marketing call – that is, a call made by an automated dialling system that plays a recorded message – unless the person has specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough – it must specifically cover automated calls.

All automated calls must include your name and a contact address or freephone number. You must also allow your number (or an alternative contact number) to be displayed to the person receiving the call.

For further information, see the ICO’s guidance on direct marketing.

3. Purchased Lists

If you are calling purchased or rented lists of prospect data you cannot simply rely on the data seller to have complied with the law. It is your responsibility to make sure that the data is legally compliant. You will need to:

check the origin and accuracy of the list.
check the legal basis for processing e.g. legitimate interest or consent.
check when and how consent was obtained, if relevent, and what it covers.
NOT use bought-in lists for texts, emails or recorded calls (unless you have proof of opt-in consent within last 6 months which specifically names or describes you).
screen against the TPS/CTPS.
tell people where you got their details and how they can exercise their rights.

One way to ensure that the data that you’re calling complies with the legislation is to use data providers that are Direct Marketing Association (DMA) members. See www.dma.org.uk

4, Exploding a Myth

Many people think that it is not necessary to screen against TPS or CTPS if the number being called is an existing customer:

An organisation might want to continue calling an existing customer who has registered with the TPS even though they have not specifically consented, because it is confident in light of the past relationship that they would not object. However, calls in these circumstances are in breach of PECR and could result in enforcement action. Direct Marketing, ICO

Even if you consider an individual or company to be a customer, you still need GDPR-level consent to make marketing calls them if they are TPS or CTPS-registered.

What do I do next?