Marketing calls, emails and texts from accountancy practices in the UK are governed by the Privacy and Electronic Communications Regulations 2003 (PECR),
which state that you need clear consent before contacting individuals about additional services.
These regulations apply to sole traders, partnerships, and the directors of your corporate clients too, and if they are not followed, the ICO can now fine you up to 4% of turnover following the Data (Use and Access) Act 2025. This article focuses on marketing communications, and how to get consent from your clients without causing friction.
What PECR means for your practice
You finish a tax return for a client and notice they'd benefit from another service you offer. You draft a quick email to mention it.
Stop there.
That email may well count as direct marketing, and you might need explicit consent before sending it.
These rules sit inside PECR (Statutory Instrument 2003/2426), a set of UK regulations that
complements (without overriding) the UK GDPR and the Data Protection Act 2018.
It's enforced by the Information Commissioner's Office (ICO, soon to be known as
the Information Commission), which has the power to issue fines.
PECR also covers other areas of data privacy, such as the use of cookies and tracking technologies. Most people are familiar with the requirement that websites must inform users about the cookies they use, explain their purpose, and obtain informed consent before placing non-essential cookies on a user's device.
For context: PECR has its origins in the European Union's 2002 ePrivacy Directive (also known as the Directive on Privacy and Electronic Communications). The UK transposed it into domestic law as a statutory instrument, with the regulations coming into force on 11 December 2003. They've been amended several times since, and following the UK's exit from the EU were retained under the European Union (Withdrawal) Act 2018. PECR now sits alongside the UK GDPR and the Data Protection Act 2018, setting out specific requirements for marketing calls, emails, texts, and faxes (if you remember what those are).
Why this matters to your practice
As an accountancy practice, you are likely to want to contact clients occasionally to make them aware of other services you can provide that would be of value to them (and your clients would want that too). But under PECR, that contact is likely to be perceived as unsolicited direct marketing.
You may not think this applies to you. However, when you feel duty-bound to tell a client how you might be able to help them in new ways, that would likely be perceived as a marketing communication.
You must obtain consent before sending marketing emails or texts to your unincorporated clients (sole traders and partnerships) and to individuals such as the directors of your corporate clients. Cold calling is also regulated.
The simplest way to ensure your firm obtains appropriate consent is to systemise the process through your standard engagement letter, or another stage of your onboarding.
A quick note on enforcement
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, amending PECR alongside the UK GDPR and the Data Protection Act 2018. Key provisions came into effect on 5 February 2026, although in practice few of them are relevant to a small or medium-sized accountancy practice.
The one you should be aware of: the ICO now has greatly enhanced enforcement powers and may impose fines of up to 4% of turnover for PECR violations.
So what do I need to know?
Leaving faxes to one side (PECR surely covers faxes just to close a possible loophole), the requirements cover calls and electronic mail (emails and texts) that count as marketing.
Phone calls
PECR prohibits making unsolicited marketing calls to individuals who have either registered with the Telephone Preference Service ('TPS', as described in regulation 26), or who have previously notified you that they do not wish to receive such calls. In the case of a limited company or other corporate body, the relevant register is the Corporate Telephone Preference Service ('CTPS').
Your practice must also not communicate by way of recorded marketing information through automated calling, except where the person receiving the call has previously notified you that they consent to such communications.
Electronic mail
PECR defines 'electronic mail' as any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service.
To put it more succinctly: emails and texts.
Generally, your practice must not send unsolicited marketing emails or texts unless the recipient has consented. There's one exception. If you obtained their contact details while providing (or negotiating the provision of) a product or service, and the marketing is for similar products or services, you can contact them. However, the recipient must be given a simple way of refusing further marketing each time you contact them.
A final note here: you must never send marketing emails or texts on behalf of your practice where the identity of the practice is disguised or concealed. The simple way to comply here is to include the practice name in your email signature, and to send proposals with your branding clear throughout.
What this means for client onboarding
To be sure you have the right authorisation to contact a client about additional services, your onboarding process needs to do three things:
- Explain why you're asking for the authorisation
- Document the authorisation clearly
- Cover telephone calls and electronic mail separately (clients need to understand they're authorising contact by phone, by email, and/or by SMS)
This might be a part of your standard engagement letter, or it might be incorporated into your onboarding process in another way. Either works. The point is that consent is captured up front, in writing, so you don't have to think about it again when the moment comes to actually contact the client.
Get this right at the engagement stage and the rest of PECR mostly takes care of itself: when you do reach out to a client about additional services, the authorisation is already on file.
-----------
Want to see how to do this in Socket?
The simplest fix is to build consent into your proposal, engagement letter or onboarding flow.
Socket is built to handle the consent step for you.
Socket captures consent for phone, email, and SMS as part of every engagement, so authorisation for each channel is documented up front and properly stored against the client record. No follow-up forms, no separate consent flows, no gaps to chase later.
Read our help guide on capturing PECR consent in Socket.


