Most cold outreach guides skip the legal context. Here's what UK-based sales professionals actually need to know about GDPR, PECR, and the legitimate interest basis.
Editor-in-chief, Lion's Den Insider
Affiliate disclosure: We earn commission if you join via our links.
Cold outreach is legal in the UK. It is also regulated. The two facts are compatible, but many sales professionals treat them as mutually exclusive — either they ignore the regulatory framework entirely, or they become so cautious that they stop prospecting altogether. Both extremes are commercially harmful.
This guide is written for sales professionals and team managers operating in the UK who send cold emails, make cold calls, or use LinkedIn for outbound prospecting. It is not legal advice. It is a practical summary of the key frameworks and what they mean for everyday sales activity, based on publicly available guidance from the ICO (Information Commissioner's Office).
If you need legal advice specific to your situation, consult a solicitor who specialises in data protection law. What follows is background knowledge, not a compliance programme.
UK data protection is governed primarily by two pieces of legislation: the UK GDPR (the retained version of the EU regulation, as modified by the Data Protection Act 2018) and PECR (Privacy and Electronic Communications Regulations 2003, as amended). Understanding the difference between them is essential because they cover different activities.
UK GDPR governs the collection, storage, and processing of personal data — including the prospect's name, email address, company, job title, and phone number. Any time you collect or use this data, GDPR applies. PECR specifically governs direct marketing communications sent by electronic means: email, SMS, and automated telephone calls. Cold calling by a human caller is not subject to PECR's opt-in rules — it is governed by UK GDPR and the Telephone Preference Service (TPS) rules instead.
The important practical consequence: cold email is subject to both UK GDPR (because you are processing personal data) and PECR (because you are sending an electronic direct marketing message). Cold calling by a human is subject to UK GDPR and TPS, but not PECR's opt-in rules.
Under PECR, sending marketing emails to individual consumers requires prior consent (opt-in). However, PECR contains an exemption for business-to-business communications to corporate subscriber addresses. The ICO's guidance draws a distinction: emails sent to corporate email addresses (name@company.com) are generally treated differently from emails sent to personal addresses, including those of sole traders.
For B2B cold email to corporate addresses, many organisations rely on the legitimate interests basis under UK GDPR, combined with the B2B exemption in PECR. To rely on legitimate interests, you must be able to demonstrate that: (1) you have a genuine legitimate interest, (2) the processing is necessary to achieve it, and (3) the individual's rights and interests do not override your legitimate interest. The ICO requires you to document a Legitimate Interests Assessment (LIA) if you rely on this basis.
In practice, this means: if you are sending cold B2B emails from your own company's domain to professional email addresses of businesses that plausibly have an interest in what you offer, and you make it easy to opt out, you are in a more defensible position than if you are blasting purchased lists to generic addresses with no relevance to your offer.
What the legitimate interest basis does not cover: emailing sole traders (who are treated as consumers under PECR), sending emails with no relevance to the recipient's business, or continuing to email anyone who has asked to stop.
Telephone Preference Service (TPS): Individuals who have registered their personal phone numbers with TPS have opted out of receiving unsolicited sales calls. It is illegal under PECR to call TPS-registered numbers for direct marketing purposes unless the individual has given specific consent to receive calls from your organisation.
Corporate TPS (CTPS): The equivalent register for corporate numbers. Businesses registered with CTPS should not be cold-called for direct marketing either.
The practical requirement for phone outreach: screen your call lists against TPS and CTPS before dialling. This is not optional. The ICO has issued fines for failing to screen against TPS. The screening service is provided by the Direct Marketing Association and others. Costs are modest relative to the risk.
Note: Cold calling that is not for direct marketing purposes — for example, a genuine research call that does not pitch a product — is in a different regulatory category. The line between research and sales is blurry and should not be used as a workaround for TPS obligations.
LinkedIn InMail and connection requests are not electronic direct marketing messages under PECR in the same way that email is. LinkedIn is a professional network where users have created profiles with the expectation of being contacted professionally. At the time of writing, the ICO has not issued specific enforcement guidance applying PECR to LinkedIn InMail, but UK GDPR principles — lawfulness, fairness, transparency — still apply to how you process the data you collect about contacts.
The practical rules: do not harvest LinkedIn data en masse for use outside LinkedIn (scraping at scale violates LinkedIn's terms of service and potentially GDPR), respect connection declines and withdrawal of contact, and do not use LinkedIn to circumvent email opt-outs for the same prospect.
Under UK GDPR, you must have a lawful basis for storing prospect data, tell people how you use it (privacy notice), not keep it longer than necessary, keep it accurate, and keep it secure. For a small sales operation, this means:
The ICO's enforcement record is instructive. Fines and reprimands tend to cluster around: sending large volumes of unsolicited marketing emails to consumers without consent, calling TPS-registered numbers at scale, and failing to honour opt-out requests. The ICO has not historically pursued individual sales reps doing modest volumes of B2B outreach with genuine business relevance. Scale, consumer targeting, and non-compliance with opt-outs are the common factors in enforcement actions.
This is not a suggestion that compliance does not matter for small-scale outreach. It is context: the compliance fundamentals — TPS screening, respecting opt-outs, B2B relevance — are manageable and significantly reduce risk even for high-volume outbound teams.
Cold outreach is viable and legal in the UK for B2B sales when it is done correctly. The compliance burden is real but manageable. The greater risk to most outbound sales operations is not regulatory action — it is reputation damage from persistent, irrelevant outreach that leads to ICO complaints from annoyed prospects. Relevance, brevity, and easy opt-outs are both compliance best practice and good sales practice.