On 20 May 2026, the Information Commissioner’s Office said it had fined Energy Prices Direct Limited £160,000 after the company made more than 700,000 unsolicited marketing sales calls to numbers registered with the Telephone Preference Service and Corporate Telephone Preference Service. The calls ran between January 2024 and January 2025 and triggered more than 30 complaints; in some cases, callers did not properly identify themselves.
This matters because the case is a plain PECR enforcement point, not an edge case. If your team buys calling data, uses publicly available numbers, or runs outbound sales campaigns into small businesses, the ICO expects you to screen those numbers first and prove why each call was lawful.
What the ICO says happened
The ICO’s enforcement record for Energy Prices Direct Limited, dated 30 March 2026, says the company obtained phone data from public sources and list providers but failed to screen it against the TPS and CTPS before making marketing calls. The later ICO news release adds that some recipients were called repeatedly and that one employee allegedly denied making a sales call while discussing electricity prices.
That second point is worth noting. PECR compliance covers more than the source of the list. The ICO also says callers must say who they are, present a contactable number, and provide contact details if asked. The regulator linked this penalty to failures under both regulation 21 PECR and regulation 24 PECR.
Why the calls were unlawful
Regulation 21 says you must not make unsolicited live direct marketing calls where the subscriber has already objected or where the number is listed on the TPS or CTPS. There is a narrow exception in regulation 21(4): the subscriber can tell a specific caller that they do not object to calls from that caller. The ICO’s live marketing calls guidance says that, in practice, if you want to call a TPS or CTPS number you need a standard very close to consent from that subscriber for your own calls.
Regulation 24 covers the information that has to be provided during direct marketing calls. For live calls, the caller must provide its name and, if the recipient asks, either an address or a free-to-call number. Since the 2016 PECR amendments, callers must also not withhold the identity of the calling line. Those are routine controls, but they still get missed in real campaigns.
The practical mistake in this case was basic: Energy Prices Direct appears to have treated bought-in and public-domain numbers as usable unless someone complained. PECR works the other way round. You must screen first, keep evidence, and stop if the number is on the register or the person has already objected.
What this means for sales and compliance teams
If you run outbound calling, the lesson is not “be more careful with scripts”. It is “fix the list process”. Before a campaign starts, someone should be able to answer four questions in writing: where did the number come from, when was it collected, when was it screened against TPS or CTPS, and what lawful basis or subscriber permission supports the call. If you cannot answer those four points, the campaign is not ready.
- Screen every live-call list against TPS and CTPS close to the call date, not once at the start of the quarter.
- Keep supplier contracts and screening logs. “The broker said it was compliant” is not a defence.
- Train agents to identify the business plainly and not disguise the nature of the call.
- Check that your calling platform presents a return number that recipients can use.
If you want a sense of how often this goes wrong, our earlier write-ups on illegal automated marketing calls and another TPS enforcement case show the same pattern: weak list controls, weak evidence, and sales activity that carries on long after the law says stop.
What managers should do now
Start with one audit. Pull a recent outbound call list and test whether your business can show screening evidence for each number, a retained objection history, and a script that tells recipients who is calling. Then look at any bought-in data source and ask whether you can trace the source cleanly enough to defend it to the ICO. Energy Prices Direct was fined £160,000 after one year of calling activity. That is a high price for controls that should have existed before the first dial.
Teams that market by phone, email and text usually need one rulebook rather than three separate habits.
