Is AI cold calling legal in the UK?
Yes — when run compliantly.
AI cold calling is legal in the UK when conducted in compliance with PECR, GDPR, the Telephone Preference Service and ICO guidance. Here is the full legal breakdown — PECR, TPS/CTPS, consent rules, AI-specific disclosure, B2B vs B2C, ICO enforcement examples, penalties, and what you must have in place before dialling.
Built for: UK B2B sales leaders, COOs and compliance officers evaluating AI outbound calling in 2026. Not legal advice.
The short answer
AI cold calling is legal in the UK. The Information Commissioner's Office (ICO) — the UK regulator — applies the same rules to AI-driven calls as to human-driven calls. There is no AI exemption and no AI ban. The compliance bar is identical: you must screen against TPS/CTPS, honour opt-outs, identify yourself and your purpose at call start, manage consent under GDPR, and maintain accurate records.
What follows is the full breakdown of each compliance pillar, plus the specific things you must additionally do when the caller is AI rather than human.
This guide is for orientation only — it is not legal advice. For any specific deployment, consult a UK-qualified solicitor specialising in data protection.
The two regulations that matter
PECR — Privacy and Electronic Communications Regulations 2003
PECR is the UK regulation that governs direct marketing by electronic communication — phone, email, SMS, fax. It is the primary regulation applicable to AI cold calling. PECR has been amended several times since 2003; the current consolidated version is enforced by the ICO. PECR distinguishes between consumer and business calls, regulates use of automated calling systems, and sets the rules for the Telephone Preference Service registers.
UK GDPR — General Data Protection Regulation (as retained in UK law)
Post-Brexit, the UK retained GDPR substantially intact as "UK GDPR", administered by the ICO. UK GDPR applies whenever personal data is processed — which includes any AI cold call that uses a person's name, phone number, or any other identifier. GDPR provides the lawful-basis framework (consent, legitimate interests, contract, etc.) and the data-subject rights (access, deletion, objection) that overlay PECR.
The two regulations work together. PECR governs the act of communication; GDPR governs the personal data inside it. An AI cold-calling campaign must comply with both simultaneously.
TPS and CTPS — the opt-out registers
The Telephone Preference Service (TPS) is the statutory consumer opt-out register. The Corporate TPS (CTPS) is the business equivalent. Any UK number can be registered for free; registration signals that the holder does not wish to receive unsolicited marketing calls.
Under PECR, calling a TPS-registered consumer number without specific opt-in consent is unlawful direct marketing. Calling a CTPS-registered business number without specific opt-in is similarly unlawful. The TPS API allows automated batch screening; reputable AI cold-calling deployments screen every dialled number against TPS and CTPS before the call connects, with daily refresh of the suppression list.
Consent — when do you need it?
Consent rules in UK direct marketing are layered. The simplified picture:
Consumer calls (B2C). Require prior opt-in consent if the number is on TPS, or if the call is wholly automated (a recorded message without a live operator). For live AI agents that can respond to the person called, the consent requirement matches that of a human caller — opt-in for TPS-registered numbers; not required for non-registered numbers, but the caller must respect any in-call opt-out signal.
Business calls (B2B). Permitted to non-CTPS-registered business numbers without prior opt-in (the "soft opt-out" position). Must still honour any individual opt-out signalled during or after the call.
Existing customer ("soft opt-in"). Calling existing customers about products or services similar to those they have already purchased is permitted under PECR, provided they were given a clear opportunity to opt out at point of collection and on every subsequent contact.
AI-specific obligations
Beyond the general PECR/GDPR framework, AI cold-calling deployments should additionally:
Disclose AI status at call start. While not yet an explicit UK statutory requirement (as of May 2026), the ICO has signalled that transparency about automated systems is increasingly expected, and proposed regulatory updates favour mandatory disclosure. Disclosure is also the ethical norm. Open every call with a line such as "Hi, I am the AI assistant for Acme Co".
Record with two-party consent. AI calls should be recorded for compliance and quality purposes. UK consent law follows a "one-party" model in some interpretations, but best practice — and the model that protects against challenges — is two-party consent: explicitly stating at call start that the call is being recorded and giving the person called the option to opt out of recording.
Maintain a suppression list. Anyone who says "do not call me again" must be added to your suppression list within a reasonable timeframe (best practice: same day) and screened against on every subsequent campaign. The ICO investigates persistent non-suppression aggressively.
Identify the caller and purpose. PECR requires the caller to identify the organisation on whose behalf the call is made and the purpose of the call. AI calls must do this in the same way human calls would.
Document the lawful basis under GDPR. Pick the lawful basis (consent or legitimate interests, in most outbound cases) and document it in your record of processing activities. Legitimate interests requires a balancing test that you must be able to evidence on request.
ICO enforcement — examples and trends
The ICO publishes monetary penalty notices on its website. Recent PECR enforcement has trended towards larger fines for systematic non-compliance:
Pattern 1 — no TPS screening. Companies dialling without TPS suppression have been fined in the £100,000-£300,000 range, especially when the volume of unsolicited calls is high and consumer complaints have been logged.
Pattern 2 — persistent non-suppression. Continuing to call numbers after opt-out attracts the largest fines. The ICO treats this as systemic disregard for the regulation.
Pattern 3 — sector-specific aggravation. Cold calls in regulated sectors (pensions, claims management, financial advice) attract additional scrutiny from sector regulators (FCA, Pensions Regulator) on top of ICO action.
The maximum PECR fine is £500,000 per infringement. UK GDPR provides for substantially higher penalties (up to £17.5m or 4% of global turnover) for the data-protection elements of a breach.
What to have in place before dialling
A minimum compliant AI cold-calling deployment requires:
1. TPS and CTPS screening on every dial, with daily refresh and full audit log.
2. Two-party-consent call recording with secure UK-resident storage.
3. Caller and purpose disclosure scripted into the AI's opening line.
4. AI status disclosure scripted into the AI's opening line.
5. Real-time opt-out handling: when the person called says "do not call me again", the AI confirms, ends the call, and the suppression list is updated within the same business day.
6. Documented lawful basis under GDPR, with balancing-test evidence if relying on legitimate interests.
7. A data processing addendum (DPA) with your AI calling vendor covering all sub-processors.
8. A retention policy (typically 12 months) for call recordings and per-call audit data.
Pitfalls to avoid
Using AI as a regulatory loophole
It is not one. The ICO treats AI calls the same as human calls. Anyone who tells you AI calling avoids PECR is wrong.
Sourcing leads from unverified data brokers
Under GDPR, you must verify that the lawful basis for processing transfers cleanly when you buy a list. Most "marketing lists" sold cheaply do not have GDPR-compliant consent chains. The risk sits with the buyer.
Treating recording as optional
Recording is what proves the call was conducted compliantly. Without it, defending against an ICO investigation is dramatically harder.
The FrictionZero compliance model
Every FrictionZero AI cold-calling deployment includes TPS/CTPS screening on every dial, two-party-consent recording, scripted disclosure, real-time opt-out handling, GDPR-compliant data flows and full audit logging. We document the lawful basis with you, draft the DPA, and provide the compliance evidence pack you would need in an ICO investigation. We do not run campaigns that do not meet this bar.
For the service version of this — what we actually build and deploy — see AI cold calling (UK). For the broader voice category, see AI voice agent. For call-centre-scale outbound, see AI for call centres.
Ready to run AI outbound without the regulatory risk?
The Friction Audit is free. We assess your current outbound posture, the compliance gaps to close, and the AI cold-calling deployment shape that fits. We do not run campaigns that do not meet the PECR/GDPR bar. Either we work together, or you leave with a clear compliance map.