PECR
Privacy and Electronic Communications Regulations 2003. The UK rules every lender BDR team must understand before they send a single cold email or pick up the dialler.
Definition
PECR is the Privacy and Electronic Communications (EC Directive) Regulations 2003 — UK secondary legislation governing direct marketing by electronic means. It sits alongside, and is independent of, UK GDPR. The Information Commissioner's Office (ICO) enforces both.
What PECR covers
- Marketing emails and SMS to individuals
- Telephone marketing (including the Corporate Telephone Preference Service / CTPS)
- Fax marketing (yes, still on the books)
- Cookies and similar tracking technologies on websites
- Security and confidentiality of public electronic communications
The B2B distinction (critical for lenders)
PECR's email rules (Regulation 22) apply to individual subscribers. The definition matters:
- Individual subscribers — natural persons, including sole traders and (in most cases) partnerships. Need consent or soft opt-in.
- Corporate subscribers — limited companies (Ltd, PLC), LLPs, public bodies, government departments, Scottish partnerships. No consent required for B2B email to a corporate-subscriber address.
For a UK lender BDR team prospecting alt-lender competitors or SME borrowers via Companies House:
- Cold email to [email protected] — fine (Ltd corporate subscriber).
- Cold email to [email protected] where "the local plumber" is a sole-trader business — needs care; default treat as individual subscriber.
- Cold email to [email protected] where Jane operates as Ltd — fine.
- Cold email to [email protected] — fine (LLP).
Soft opt-in (rarely used by lenders)
An exemption that allows marketing emails to individuals where:
- Their contact details were obtained during a sale or negotiations for a sale of a similar product;
- The marketing is for similar products only;
- They were given a clear opportunity to refuse at collection AND in every subsequent message;
- The original contact was within the last 5 years.
Not usable for purchased lists, scraped data, or "we saw you on LinkedIn" prospecting.
Phone marketing rules
Live calls — allowed unless the number is registered with the appropriate Preference Service:
- TPS (Telephone Preference Service) — for consumer numbers
- CTPS (Corporate Telephone Preference Service) — for business numbers
Both are mandatory suppression lists under PECR. Calling a CTPS-registered business is a regulatory breach. Practical rule for a UK lender BDR team: maintain a fresh CTPS/TPS suppression check against the dial list, refreshed at least monthly. Several UK providers (e.g. Vouchedfor compliance kits, dedicated TPS/CTPS APIs) wrap this as a simple HTTP call per prospect.
Penalties
The ICO has issued PECR fines from £20,000 to £400,000 per company. Recent enforcement focuses on:
- High-volume cold calls to TPS-registered numbers
- Bulk SMS without consent
- Email marketing without an unsubscribe link
- Ignoring previous opt-outs
Cold B2B email to corporate addresses has been a relatively low-enforcement area provided the corporate-subscriber rule is observed and unsubscribe requests are honoured.
Practical compliance checklist for a UK lender BDR team
- Maintain an internal suppression list keyed on email address + company number; honour all "stop" / unsubscribe requests within 24 hours.
- Screen the dial list against CTPS / TPS at least monthly.
- Include a clear unsubscribe instruction in every marketing email (PECR requires it).
- For lead-list providers (like Borrowsignal): require the vendor's UK GDPR LIA on file, and verify they only deliver corporate-subscriber data — Borrowsignal filters out sole-trader-registered numbers by default.
- Document everything. ICO supervisory practice is to ask for the suppression list, the LIA, and the BDR script when investigating.
Related
- UK GDPR for lead gen — the privacy law PECR sits alongside
- FCA-regulated lender — FCA Consumer Duty adds further constraints on financial-services marketing
- FCA Consumer Duty and SME lending in 2026
- GDPR LIA generator — free template
Frequently asked
Does PECR apply to B2B cold emails to UK companies?
PECR's email rules apply to 'individual subscribers'. A 'corporate subscriber' (Ltd, LLP, public body) is not an individual subscriber, so B2B cold email to a corporate-subscriber business email is permitted under PECR without prior consent. Sole traders and most partnerships ARE individual subscribers and need consent or a soft opt-in.
What is the soft opt-in for B2B marketing?
The soft opt-in allows marketing emails to individuals where (1) the contact was collected during a sale or negotiation for a similar product, (2) the marketing is for similar products, (3) the recipient was given a clear opportunity to refuse at collection and in every subsequent message, (4) the original contact was within the last five years.
Can I cold-call a UK business under PECR?
Yes, with two constraints: screen against CTPS (calling a CTPS-registered business is a breach) and against TPS for sole traders. Maintain a fresh suppression check, refreshed at least monthly.
What does the ICO actually fine for PECR breaches?
£20,000 to £400,000 per company. Recent enforcement focuses on high-volume cold calls to TPS-registered numbers and bulk SMS to non-consented numbers. Cold B2B email to corporate addresses has been relatively low-enforcement provided the soft opt-in / corporate-subscriber rules are followed.