UK AI calling compliance sits at the intersection of three things: PECR, UK GDPR, and the ICO's enforcement guidance. The failure modes are not subtle: the ICO can fine up to £500,000 for a serious PECR breach, and it has been actively investigating AI-assisted outbound calling since 2023. The good news for UK SMEs running voice agents is that most of the risk is an engineering problem rather than a legal one: the rules are clear enough that the right scripts, opt-out flows, TPS screening, and audit logs handle the vast majority of it.
This guide is what we build into every voice agent deployment. Not legal advice, but a practical operating manual for the patterns that satisfy the ICO's published expectations for AI-assisted calling.
How to decide in 30 seconds
Are you calling consumer (B2C) numbers?
YES → explicit consent or a prior business relationship is required under PECR.
Screen every number against TPS before calling. Continue.
NO → go to the next question.
Are you calling business numbers (corporate lines, not personal mobiles used for work)?
YES → CTPS screening required. Individual consent is not required if:
(a) the number is a registered business number AND
(b) the call is relevant to the business's activities.
Opt-outs must still be honoured instantly. Continue.
Are you recording calls?
YES → disclosure required at start of call. No exceptions. Continue.
Are you storing any call data (name, email, notes)?
YES → GDPR lawful basis required. Document it. Retention schedule required.
Regulatory Frameworks
The three rules every UK AI calling deployment must satisfy:
PECR (Privacy and Electronic Communications Regulations 2003). The gate rule: do you have permission to make this call? For B2C you need explicit consent or a prior business relationship. For B2B corporate numbers PECR does not require individual consent (the UK GDPR lawful basis is typically legitimate interest), but TPS/CTPS screening is mandatory. One caveat worth designing to: PECR is stricter for automated calling systems (regulation 19, which requires prior consent) than for live marketing calls (regulation 21, which only bars TPS-registered numbers and people who have objected), and the safe assumption for a voice agent that dials and speaks without a human on the line is that it falls under the stricter rule. PECR enforcement is the ICO's primary tool for AI calling fines: the high-profile cases (£200k+ fines) have all been PECR violations, not GDPR.
UK GDPR. The data rule: what can you do with the information you collect? Every piece of data captured during a call — name, email, phone number, expressed intent, recorded conversation — requires a documented lawful basis, a stated retention period, and a mechanism for data subjects to access, correct, or delete it. The lawful basis options for outbound calling are typically Legitimate Interest (B2B, prior relationship) or Consent (B2C cold outreach). Legitimate Interest requires a three-part test: purpose, necessity, and balancing test.
ICO Enforcement Guidance on AI. The ICO published guidance in 2023–2024 covering AI-assisted calling and automated decision-making. Key requirements relevant to voice agents: transparency (callers must know they're talking to an AI), meaningful opt-out (not buried, immediate), and no solely automated decision with a legal or similarly significant effect on the individual (Article 22 UK GDPR) without human review. The guidance is non-binding but represents the ICO's stated enforcement priorities.
PECR in Depth
PECR's rules on unsolicited marketing calls are tighter than most SMEs assume. The headline points:
What counts as "unsolicited"? Any call where you haven't previously obtained explicit consent from that specific individual for marketing calls. A web form opt-in that says "sign up for updates" does not cover outbound calling. The consent must explicitly reference calls, and it must be granular (not bundled with a dozen other permissions in the terms and conditions). Reform proposals have not changed this: the ICO continues to enforce the consent standard strictly for consumer calls.
Prior business relationship exception. If an individual has recently purchased from you, or has submitted a specific enquiry requesting follow-up, this creates a limited window for unsolicited follow-up calls. "Recently" is not defined in PECR but the ICO treats 6 months as a reasonable outer limit. This exception does not apply to lists purchased from third parties, regardless of the list provider's claims about consent.
B2B PECR rules. Calls to corporate numbers (numbers registered to a business, not a personal mobile used for work) are exempt from the B2C consent requirement. But CTPS-registered numbers must still be screened, and personal mobiles used by employees are treated as individual numbers under PECR. The practical implication: build TPS and CTPS screening into every outbound list, not just consumer campaigns.
Penalties. The ICO has issued fines between £50k and £500k for PECR breaches since 2020. The high-end fines have involved large volume, deliberate non-compliance, or repeated enforcement. Most SME violations that come to the ICO's attention start with consumer complaints — a single person who feels harassed by calls can trigger an investigation that finds systemic non-compliance.
GDPR Lawful Basis
The two lawful bases that cover 95% of AI calling deployments:
Legitimate Interest (Article 6(1)(f)). The most commonly used basis for B2B outreach and follow-up on prior enquiries. Requires completing a Legitimate Interest Assessment (LIA) that documents: (1) what the purpose is, (2) why processing is necessary for that purpose, and (3) a balancing test weighing the business interest against any risk to the data subject's rights. For a voice agent calling a prospect who submitted a demo request: purpose is fulfilling the enquiry, necessity is clear, and balancing is straightforward (the individual solicited contact). Keep LIAs on file — the ICO can request them.
Consent (Article 6(1)(a)). Required for B2C cold outreach. Must be freely given, specific, informed, and unambiguous — "I agree to the terms and conditions" doesn't cut it. Must be as easy to withdraw as to give. Consent collected for one purpose (email newsletter) doesn't extend to another (phone calls). Document consent with timestamps and the exact wording the individual agreed to.
Data minimisation. Only collect what you actually need for the stated purpose. A booking agent that captures name, email, phone, and expressed intent is compliant. An agent that captures job title, company size, tech stack, and turnover for a "30-minute demo booking" may not be — the additional fields need a documented purpose. This principle is particularly relevant for AI agents that can be prompted to gather extensive profiling data mid-call.
Retention. Define and document retention periods for each data category. Call recordings: typically 90 days for quality/compliance purposes, with a legal hold exception. CRM contact records: duration of the business relationship plus 6 years (the statutory limitation period) for contract data; shorter for prospecting data where no deal resulted. Enforce deletion with automated schedules at the database level, not with manual processes.
TPS / CTPS Screening
The Telephone Preference Service (TPS) and Corporate TPS (CTPS) are the UK's opt-out registries. Calling a TPS-registered number without explicit consent (even for B2B calling where PECR would otherwise permit it) is a PECR violation. Screening is mandatory, not optional.
Operational requirements:
- Screen before first contact: check every number against the TPS/CTPS data before the first call. Most licensed TPS data providers offer API access with same-day updates.
- Re-screen at least every 28 days: numbers are added to TPS continuously, and 28 days is the standard TPS screening cycle. A number that was clean 90 days ago may be registered today. Re-screen your entire contact list on that cycle and flag any newly registered numbers for suppression.
- Store the screen timestamp: your audit trail must show the TPS check date for each number called. The ICO expects to see this during an enforcement investigation.
- Honour suppression permanently: once a number is on your suppression list (TPS-registered or manually opted out), it stays there unless the individual explicitly consents to re-contact. There is no expiry on suppression.
The technical implementation: a pre-call webhook in your voice agent orchestration layer that queries the TPS API (or a cached TPS dataset updated daily) before the call is initiated. If the number is suppressed, write the suppression to the CRM and route to a "do not call" queue rather than proceeding. This takes under 200ms and prevents the most common class of PECR violations.
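The pre-call gate described above, written out as an added example (this is not code from the guide). It assumes a TPS/CTPS file already pulled from a licensed provider and held as a set of E.164 numbers, a CRM suppression set, and a per-number record of the last screen; all names (`precall_gate`, `ScreenStore`, `needs_rescreen`) and sample numbers are constructed. It also handles the failure mode from the end of this guide, a TPS dataset that silently stopped refreshing, by refusing to dial when the snapshot is older than the screening cycle.

```python
"""Pre-call compliance gate for an outbound voice agent (added example).

Hypothetical names throughout. Assumes a TPS/CTPS file already pulled from a
licensed provider and held as a set of E.164 numbers, a CRM suppression set,
and a per-number record of the last screen. All sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RESCREEN_INTERVAL = timedelta(days=28)  # TPS screening cycle; also the max snapshot age


def normalise_uk(number: str) -> str:
    """Canonicalise a UK number to E.164 so list lookups cannot be dodged by
    formatting: '07700 900123', '+44 (0)7700 900123' and '00447700900123'
    all become '+447700900123'."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("+44"):
        national = digits[3:]
    elif digits.startswith("0044"):
        national = digits[4:]
    elif digits.startswith("0"):
        national = digits[1:]
    else:
        raise ValueError(f"not a recognisable UK number: {number!r}")
    national = national.lstrip("0")
    if not national.isdigit() or not 9 <= len(national) <= 10:
        raise ValueError(f"not a recognisable UK number: {number!r}")
    return "+44" + national


@dataclass
class Decision:
    number: str
    action: str   # "call", "suppress" or "hold"
    reason: str


@dataclass
class ScreenStore:
    """Hypothetical in-memory stand-in for the CRM and the cached TPS/CTPS file."""
    tps_snapshot: set           # constructed sample of registered numbers
    snapshot_taken: datetime    # when the file was last pulled from the provider
    provider_version: str
    suppression: set = field(default_factory=set)
    last_screen: dict = field(default_factory=dict)   # number -> time of last check
    events: list = field(default_factory=list)        # append-only audit trail


def log(store: ScreenStore, **event) -> None:
    store.events.append(event)


def precall_gate(store, raw_number, *, campaign_id, lawful_basis, agent_version,
                 explicit_call_consent=False, now=None) -> Decision:
    now = now or datetime.now(timezone.utc)
    number = normalise_uk(raw_number)

    # Fail closed: a "clear" result against a stale snapshot proves nothing.
    if now - store.snapshot_taken > RESCREEN_INTERVAL:
        log(store, event="tps_screen", number=number, at=now, result="snapshot_stale",
            provider_version=store.provider_version)
        return Decision(number, "hold", "TPS snapshot older than 28 days; refusing to dial")

    # A standing opt-out never expires and is not overridden by list data.
    if number in store.suppression:
        log(store, event="call_blocked", number=number, at=now,
            reason="suppression_list", campaign_id=campaign_id)
        return Decision(number, "suppress", "on suppression list")

    on_tps = number in store.tps_snapshot
    store.last_screen[number] = now
    log(store, event="tps_screen", number=number, at=now,
        result="registered" if on_tps else "clear",
        provider_version=store.provider_version)

    if on_tps and not explicit_call_consent:
        # Write the suppression to the CRM and route to the do-not-call queue.
        store.suppression.add(number)
        log(store, event="call_blocked", number=number, at=now,
            reason="tps_registered", campaign_id=campaign_id)
        return Decision(number, "suppress", "TPS/CTPS registered, no explicit consent")

    log(store, event="call_initiated", number=number, at=now, campaign_id=campaign_id,
        lawful_basis=lawful_basis, agent_version=agent_version)
    return Decision(number, "call", "explicit consent on file" if on_tps else "screen clear")


def needs_rescreen(store, now=None) -> list:
    """Numbers whose last screen is older than the 28-day cycle (the monthly job)."""
    now = now or datetime.now(timezone.utc)
    return sorted(n for n, t in store.last_screen.items() if now - t > RESCREEN_INTERVAL)
```

The gate is deliberately ordered: the standing suppression list is checked before the TPS file, because an opt-out the individual gave you directly must win even if the TPS data says the number is clear, and a stale snapshot holds the call rather than letting it through.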
Call Recording Rules
Recording calls in the UK sits under two regimes: interception law (the Investigatory Powers Act 2016 together with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which set out when a business may record without the consent of both parties) and UK GDPR (the recording is personal data, so the data subject's rights apply to it). PECR's marketing rules govern whether you may make the call, not the recording of it. The practical requirements:
Disclosure at the start of every recorded call. The disclosure must be explicit, at the very beginning of the call (before any conversation), and must state: (1) that the call is being recorded, (2) the reason for recording. "This call may be recorded for quality and training purposes" is the minimum. If recording is optional, you should offer an opt-out: "If you'd prefer not to be recorded, please say so now." In practice, most B2B calls where the caller initiated contact (enquiry, demo request) do not require an active opt-out offer — disclosure alone is sufficient. For cold outbound calls, an explicit opt-out option is best practice even if not strictly required.
Access and deletion requests. Recorded calls are personal data. A data subject can request a copy of any call recording involving them and can request deletion when there is no legal basis for continued storage. Build a mechanism to locate recordings by phone number or contact ID, not just by call SID. Recordings stored as flat files in S3 with no metadata make a subject access request almost impossible to answer.
Security. Recordings must be stored securely (encrypted at rest, access-controlled) and transferred over encrypted channels. S3 server-side encryption and IAM-controlled access is the baseline. Audit logs of who accessed which recording when are good practice and required in regulated sectors.
Operational Patterns
The four scripts and flows every compliant UK voice agent deployment needs:
Opening disclosure script. The first words the agent says must satisfy PECR and GDPR transparency requirements: who is calling and on whose behalf, that the caller is an AI agent rather than a person, the specific reason for the call (not a vague "about your account"), that the call is being recorded and why if it is, and how to opt out or reach a human. All of this comes before any other conversation.
Mid-call opt-out handling. The agent must recognise opt-out signals — "stop calling me", "remove me", "I'm not interested, don't call again" — and route to a suppression flow that writes to the CRM and halts any further campaign actions. The opt-out must take effect immediately and must persist across all channels (calls, SMS, email) unless the individual explicitly consented to one channel but not others.
Handoff on ambiguity. Any call where the prospect expresses significant distress, makes a complaint, references legal action, or explicitly requests a human should route to human handoff immediately. The agent should not attempt to handle these — the reputational and regulatory risk of a poorly-handled edge case outweighs any efficiency gain.
Data capture limits. Instruct the agent's system prompt explicitly about what data categories it is permitted to ask for, and enforce the same allowlist in the tool schema and at the point where captured data is written. A booking agent whose prompt, tool schema and persistence layer only accept name, email, phone, and intent cannot accidentally store sensitive data (health conditions, financial details, political views) even if a prospect offers it unprompted; a prompt instruction on its own is not a control, because a model can be talked out of it mid-call. Data minimisation is an architectural decision, not just a policy.
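The mid-call opt-out, human handoff and data-capture limits above, combined into one added example (not code from the guide). The phrase lists are a constructed starting point rather than an exhaustive classifier; `CallState`, `handle_utterance`, `persist_capture`, the organisation name and the sample utterances are all hypothetical. The point it demonstrates is that the suppression record, the handoff event and the field allowlist are enforced in code, with the verbatim opt-out phrase kept and the values of dropped fields never logged.

```python
"""In-call compliance handling for a voice agent (added example, hypothetical names)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALL_CHANNELS = ("call", "sms", "email")   # an opt-out applies to every channel

# Constructed phrase lists: a starting point, extend from real transcripts.
OPT_OUT = [
    r"\b(stop|don'?t|do not|never) (calling|contacting|call|contact)\b",
    r"\b(remove|take) (me|my (number|details)) (off|from)\b",
    r"\bremove me\b", r"\bunsubscribe\b", r"\bnot interested\b",
]
HANDOFF = [
    r"\b(solicitor|lawyer|legal action|sue|ombudsman|complain\w*)\b",
    r"\b(speak|talk) to (a|an|someone|the) (human|person|real|actual|manager|supervisor)\b",
    r"\b(harass\w*|distress\w*|upset)\b",
]
AI_CHALLENGE = (r"\b(are you|is this|talking to|speaking to) (a |an |the )?"
                r"(robot|bot|ai|machine|computer|real person|human)\b")
ALLOWED_FIELDS = {"name", "email", "phone", "intent"}
AI_DISCLOSURE = ("I'm an AI assistant calling on behalf of {org}. I'm not a person, "
                 "and I can put you through to one if you'd prefer.")


@dataclass
class CallState:
    call_sid: str
    number: str
    org: str
    agent_state: str = "opening"
    suppression: dict = field(default_factory=dict)   # stand-in for the CRM table
    events: list = field(default_factory=list)        # append-only audit trail


def classify(text: str) -> str:
    """Opt-out is checked first: a refusal wins over anything else in the sentence."""
    t = text.lower()
    if any(re.search(p, t) for p in OPT_OUT):
        return "opt_out"
    if any(re.search(p, t) for p in HANDOFF):
        return "handoff"
    if re.search(AI_CHALLENGE, t):
        return "ai_challenge"
    return "continue"


def handle_utterance(call: CallState, text: str, now=None) -> dict:
    now = now or datetime.now(timezone.utc)
    kind = classify(text)
    if kind == "opt_out":
        # Immediate, permanent, cross-channel suppression, verbatim phrase retained.
        call.suppression[call.number] = {
            "number": call.number, "at": now, "channels": ALL_CHANNELS,
            "verbatim": text, "agent_state": call.agent_state}
        call.events.append({"event": "opt_out_received", "number": call.number, "at": now,
                            "channel": "call", "verbatim": text,
                            "agent_state": call.agent_state})
        return {"action": "end_call",
                "say": "Understood, I've removed you from all our contact lists. Goodbye."}
    if kind == "handoff":
        call.events.append({"event": "human_handoff", "call_sid": call.call_sid,
                            "reason": text, "at": now})
        return {"action": "transfer_to_human", "say": "Let me put you through to a colleague."}
    if kind == "ai_challenge":
        # Never claim to be human: answer with the fixed disclosure.
        return {"action": "continue", "say": AI_DISCLOSURE.format(org=call.org)}
    return {"action": "continue", "say": None}


def persist_capture(call: CallState, captured: dict, purpose="demo_booking", now=None):
    """Keep only allowlisted fields. Log the names of dropped fields, never their values."""
    now = now or datetime.now(timezone.utc)
    kept = {k: v for k, v in captured.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in captured if k not in ALLOWED_FIELDS)
    call.events.append({"event": "data_captured", "call_sid": call.call_sid, "at": now,
                        "fields": sorted(kept), "dropped_fields": dropped, "purpose": purpose})
    return kept, dropped
```

Because the opt-out branch ends the call, a sentence that is both a refusal and a complaint ("stop calling me or I'll complain") is recorded as an opt-out; if you also want the complaint escalated, add a second event in that branch rather than weakening the suppression.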
Audit Trail Requirements
The audit trail the ICO expects to see during an investigation into an AI calling deployment:
| Event | Required fields | Retention |
|---|---|---|
| TPS screen | Number, screen timestamp, result, data provider version | Duration of use + 1 year |
| Call initiated | Number, campaign ID, lawful basis, agent version | Duration of use + 1 year |
| Opt-out received | Number, timestamp, channel, verbatim phrase, agent state | Permanent |
| Recording started | Call SID, timestamp, disclosure confirmed | Recording retention period |
| Data captured | Fields captured, timestamp, purpose | Data retention period |
| Human handoff | Call SID, reason, timestamp | 90 days |
Store all events in Postgres (not log files or spreadsheets) with an append-only insert pattern: the application role gets INSERT and SELECT on the events table and never UPDATE or DELETE. This structure maps to your speed-to-lead event table if you're also tracking response-time metrics; a single events table that captures both commercial and compliance events is simpler to maintain than two separate systems.
The audit trail is also the input for your QA scorecard system — the consent and disclosure dimension in the rubric grades against the same events. Build it once and use it for both.
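An added example (not the guide's code) of the audit table above, together with the recording index the Call Recording Rules section asks for (lookup by phone number, not just call SID) and the database-enforced retention purge from the GDPR Lawful Basis section. The guide specifies Postgres; this uses the standard-library `sqlite3` module so it runs offline, with the append-only rule enforced by triggers (in Postgres the same effect comes from `REVOKE UPDATE, DELETE` on the table from the application role, optionally with a trigger as belt and braces). Table names, function names, call SIDs and object keys are all hypothetical and the rows are constructed.

```python
"""Append-only compliance events plus a recording index (added example)."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE compliance_events (
    id         INTEGER PRIMARY KEY,
    event_type TEXT NOT NULL,
    at         TEXT NOT NULL,      -- ISO 8601, UTC
    number     TEXT,               -- E.164; null for events not tied to a number
    call_sid   TEXT,
    details    TEXT NOT NULL       -- JSON: the per-event required fields
);
CREATE INDEX ev_number ON compliance_events(number);
CREATE INDEX ev_call   ON compliance_events(call_sid);
-- Append-only: any UPDATE or DELETE on the events table is refused.
CREATE TRIGGER ev_no_update BEFORE UPDATE ON compliance_events
    BEGIN SELECT RAISE(ABORT, 'compliance_events is append-only'); END;
CREATE TRIGGER ev_no_delete BEFORE DELETE ON compliance_events
    BEGIN SELECT RAISE(ABORT, 'compliance_events is append-only'); END;
-- Recordings are deletable on purpose: retention is enforced here.
CREATE TABLE recordings (
    call_sid             TEXT PRIMARY KEY,
    number               TEXT NOT NULL,
    contact_id           TEXT,
    started_at           TEXT NOT NULL,
    disclosure_confirmed INTEGER NOT NULL,
    object_key           TEXT NOT NULL,   -- e.g. the S3 key of the audio
    legal_hold           INTEGER NOT NULL DEFAULT 0
);
CREATE INDEX rec_number  ON recordings(number);
CREATE INDEX rec_contact ON recordings(contact_id);
"""


def open_store(path=":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, event_type, at, number=None, call_sid=None, **details) -> int:
    cur = conn.execute(
        "INSERT INTO compliance_events (event_type, at, number, call_sid, details) "
        "VALUES (?, ?, ?, ?, ?)",
        (event_type, at.isoformat(), number, call_sid, json.dumps(details, sort_keys=True)))
    conn.commit()
    return cur.lastrowid


def index_recording(conn, call_sid, number, contact_id, started_at,
                    disclosure_confirmed, object_key, legal_hold=False) -> None:
    conn.execute("INSERT INTO recordings VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (call_sid, number, contact_id, started_at.isoformat(),
                  int(disclosure_confirmed), object_key, int(legal_hold)))
    record_event(conn, "recording_started", started_at, number=number, call_sid=call_sid,
                 disclosure_confirmed=bool(disclosure_confirmed))


def is_append_only(conn) -> bool:
    """Prove the triggers fire: both an UPDATE and a DELETE must be refused.
    Needs at least one row, because row-level triggers never fire on an empty table."""
    if conn.execute("SELECT COUNT(*) FROM compliance_events").fetchone()[0] == 0:
        raise ValueError("insert at least one event before checking")
    refused = 0
    for stmt in ("UPDATE compliance_events SET details = '{}'", "DELETE FROM compliance_events"):
        try:
            conn.execute(stmt)
        except sqlite3.DatabaseError:
            refused += 1
    return refused == 2


def subject_access(conn, number) -> dict:
    """Everything held against one phone number: the lookup a SAR needs."""
    events = [dict(r) for r in conn.execute(
        "SELECT * FROM compliance_events WHERE number = ? ORDER BY at, id", (number,))]
    recs = [dict(r) for r in conn.execute(
        "SELECT * FROM recordings WHERE number = ? ORDER BY started_at", (number,))]
    return {"events": events, "recordings": recs}


def purge_expired_recordings(conn, now, retention_days=90) -> list:
    """Remove index rows past retention unless on legal hold, log each purge as an
    event, and return the object keys the storage layer must now delete."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    rows = conn.execute("SELECT call_sid, number, object_key FROM recordings "
                        "WHERE started_at < ? AND legal_hold = 0", (cutoff,)).fetchall()
    for r in rows:
        conn.execute("DELETE FROM recordings WHERE call_sid = ?", (r["call_sid"],))
        record_event(conn, "recording_purged", now, number=r["number"], call_sid=r["call_sid"],
                     object_key=r["object_key"], retention_days=retention_days)
    conn.commit()
    return [r["object_key"] for r in rows]
```

The purge returns object keys rather than deleting audio itself, so the storage deletion can run under a separate, more privileged job; the `recording_purged` event makes the deletion part of the audit trail that an ICO investigation or a later SAR would see.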
Good / Bad / Ugly
Good. Clear AI disclosure + opt-out at the very start of every call. TPS/CTPS screening on every number before every call. Activity logs with timestamps for every compliance-relevant event. Opt-out suppression that persists across all channels. Data minimisation enforced in the system prompt. GDPR lawful basis documented in a Legitimate Interest Assessment.
Bad. Recording without disclosure. Ambiguous purpose statement ("I'm calling to discuss your account" rather than the specific reason). Opt-out that only applies to the current campaign, not future ones. A suppression list maintained in a spreadsheet that only one person has access to. Capturing additional data fields "while we're talking" that weren't covered by the original lawful basis.
Ugly. Continuing to call after a clear refusal. AI agent that claims to be human when asked directly. Using purchased list data without verifying the consent basis used to collect it. A production deployment where nobody knows who is responsible for a data subject access request on a call recording. Monthly TPS rescreening that happens in theory but hasn't actually run in four months because "the API key expired."