For agencies · Last reviewed 1 July 2026 · General information, not legal advice.
Nobody starts an agency because they enjoy reading regulations. But if outbound is part of how you grow, twenty minutes with the rules is worth more than any subject-line trick, because the difference between lawful prospecting and an ICO complaint is mostly knowing three things. Here they are.
UK outreach sits under two laws at once. PECR, the Privacy and Electronic Communications Regulations, sets the rules per channel: email has one rule, phone calls another. UK GDPR governs any personal data you handle along the way, and a named person's work email or direct line counts as personal data even in a business context. Ticking the PECR box does not tick the GDPR one, or vice versa. You need both.
The trap: PECR's marketing email rule protects "individual subscribers", and that bucket includes sole traders and most partnerships, not just consumers. An unsolicited marketing email to a one-man-band plumber can be a breach, even though it feels like B2B.
Limited companies and LLPs are corporate subscribers, and PECR's email rule does not prohibit unsolicited marketing to them, though GDPR still applies to any named individual's details. The practical upshot: know which side of the line each prospect sits on before you press send. Conveniently, Companies House tells you exactly that, because if the business is not on the register it is probably not a company.
Unsolicited live marketing calls must not be made to any number on the Telephone Preference Service or its business version, the CTPS. Businesses do register, in numbers. Screening your list against both before dialling is a legal requirement, not a courtesy, and screening licences cost a fraction of the fines handed out for skipping them. If you cold call at any scale without screening, you are not running a growth channel, you are running a liability.
For the GDPR side of B2B prospecting, most agencies rely on legitimate interests as the lawful basis. It is a genuine route, but it is an assessment, not a password. The ICO expects you to work through three questions and keep a note of your answers: is the interest real (winning clients qualifies), is this way of pursuing it necessary, and does it fairly balance against the interests of the person you are contacting. Reaching a business through the contact details it publishes for business enquiries, about a service relevant to that business, will normally pass. Write the assessment down once and file it. The discipline is the point.
The ICO fines companies for unlawful marketing regularly, and it is nearly always the same story: bulk volume, bought lists, no screening, no opt-out. Targeted first-touch outreach that is honest about who you are and easy to decline generates neither complaints nor cases. Read plainly, the law rewards exactly the kind of specific, evidence-led approach that also happens to get replies. That is a rare alignment and worth taking advantage of.
Our terms require Weakspot customers to keep their outreach lawful. This guide is what that clause means in practice.
Sources: Privacy and Electronic Communications (EC Directive) Regulations 2003, regulations 21 and 22; UK GDPR articles 6 and 21; ICO direct marketing guidance and enforcement register; TPS/CTPS.