PECR compliance checker
8 questions about your UK B2B outbound practice. Instant verdict + remediation list. Not legal advice — but a useful first pass before the ICO is.
1. Do you email-blast only corporate subscribers (Ltd, PLC, LLP) — never sole traders or partnerships?
PECR Reg 22 only applies to "individual subscribers". Sole traders and most partnerships are individual; Ltd/PLC/LLP are corporate.
Good — corporate subscribers don't require consent for B2B email under PECR.
Risk: emailing individual subscribers (sole traders, most partnerships) without consent or soft-opt-in is a PECR breach. Action: filter your list by corporate status.
2. Does every marketing email include a clear unsubscribe instruction?
PECR requires the recipient be given a way to refuse further messages in every marketing email.
Good — meets PECR. Make sure the unsubscribe is honoured within 28 days (ideally 24h).
Risk: a missing unsubscribe is a per-email PECR breach. Action: add, at minimum, a one-line "Reply STOP to unsubscribe".
3. Do you screen your dial list against CTPS (and TPS for any sole traders) at least monthly?
Calling a CTPS-registered business or TPS-registered consumer line is a PECR breach. Maximum ICO fine: £400k.
Good — meets the screening expectation.
Risk: CTPS / TPS screening is mandatory before each calling campaign. Action: integrate a CTPS API (~£100/mo for most providers) or use manual upload from the CTPS file (free, updated weekly).
4. Do you honour unsubscribe / "stop calling" requests within 24 hours?
PECR doesn't fix a deadline but ICO enforcement typically requires "without undue delay" — 28 days outer limit, 24h good practice.
Good — within expectation.
Risk: continuing to contact someone after they've opted out is the most common ICO complaint source. Action: implement a suppression list with same-day write and pre-send check.
5. Do you maintain a written Legitimate Interest Assessment (LIA) for the data you use?
Under UK GDPR (the privacy law PECR sits alongside) you need an LIA for legitimate-interest processing — purpose, necessity, balancing test.
Good — UK GDPR baseline met.
Risk: ICO supervisory reviews ask for the LIA first. Action: generate one with our free tool in 5 minutes.
6. Are your outbound senders identifiable — real name + real business + reply-to address?
PECR prohibits sending direct marketing without disclosing identity. Spoofed sender or no reply-to is a breach.
Good — identifiable sender meets PECR Reg 23.
Risk: an anonymous or spoofed sender is a Reg 23 breach. Action: every outbound email and signature must show real name, business name, address.
7. Is your data source provable — vendor LIA on file, scrape-free, opt-in records or statutory-public origin?
If the data is scraped or from an unknown source, you can't defend the basis. ICO will ask.
Good — provenance is the strongest defence against an ICO complaint.
Risk: an undocumented data source is the most common ICO action trigger. Action: switch to statutory-public sources (Companies House) or a vendor with LIA + DPA on file.
8. Do you keep a record of every campaign — date, target list, sender, content, suppression-applied — for at least 12 months?
Not a strict PECR requirement, but the standard ICO ask in a complaint investigation. No records = no defence.
Good — records support fast supervisory response.
Risk: no campaign records means a slow ICO response, which is harder to defend. Action: log every send in your CRM or marketing tool; export quarterly.
This is a working check, not legal advice. ICO complaints are fact-specific; consult counsel for material concerns. Read more in our PECR glossary entry.