UK nuisance-call and spam-text statistics — how much the ICO has fined companies under PECR, the new £17.5m fine cap from February 2026, complaint volumes, TPS registrations and the scale of scam calls and texts, drawn together from official data.

Nuisance calls, spam texts and unwanted marketing emails sit under a separate rulebook from the headline data-protection regime: the Privacy and Electronic Communications Regulations (PECR), enforced by the Information Commissioner's Office (ICO), with the Telephone Preference Service (TPS) and Ofcom's scam-message research providing the wider context. This page draws the numbers together from the ICO's enforcement database and its nuisance calls and messages datasets, Ofcom's research, and the TPS registration count. Think of PECR marketing enforcement and UK GDPR data-protection fines as the ICO's two enforcement ledgers — this page covers the first; our GDPR fines statistics page covers the second.

Key facts and figures

  • £4.63 million in PECR fines has been issued by the ICO across 49 monetary penalty notices for unsolicited direct marketing (March 2022–April 2025).
  • £17.5 million or 4% of global annual turnover — the new maximum PECR fine from 5 February 2026, up 35-fold from the previous £500,000 cap.
  • £94,490 — the average ICO PECR fine across those 49 penalty notices.
  • 44,404 nuisance-call complaints were received by the ICO in 2024, making it the regulator's single most common complaint type.
  • 16.9 million numbers were registered with the Telephone Preference Service — the UK's "do not call" list — as of 2024.
  • 4,046,947 marketing texts earned Allay Claims Ltd a £120,000 PECR fine in January 2026, generating over 46,000 spam reports.
  • 67.7 million marketing emails sent without valid consent led to a £105,000 fine for ZMLUK Ltd in January 2026.
  • 100 million suspicious messages were reported to mobile operators via the 7726 service in the year to April 2025 (Ofcom).

Figures are the latest available as of July 2026, and this page is updated as the ICO adds actions to its enforcement database, refreshes its nuisance calls and messages datasets, and as Ofcom and the TPS release new research.

How much has the ICO fined companies for nuisance calls and spam texts?

£4.63 million in total: the ICO has issued 49 PECR monetary penalty notices worth £4,630,000 for unsolicited direct marketing between March 2022 and April 2025, according to an analysis of ICO data by GRC Solutions. That works out at an average of roughly £94,490 per fine — a figure that captures how PECR enforcement has historically worked, with steady, mid-five-figure penalties against nuisance-marketing firms rather than the occasional multi-million-pound headline that characterises UK GDPR fines.

These penalties are the ICO's "bread-and-butter" enforcement. For years, the majority of the regulator's total fines by count have been PECR fines against rogue call centres, lead-generators and text-spam operations, not data-breach penalties under the UK GDPR. The two are entirely separate ledgers: PECR governs how you may market by phone, text and email, while the UK GDPR and Data Protection Act 2018 govern how personal data is handled and secured. For the data-protection side — the British Airways, Capita and TikTok fines — see our GDPR fines statistics page.

What is the maximum fine for breaching PECR in the UK?

£17.5 million, or 4% of total worldwide annual turnover, whichever is higher, is now the maximum PECR fine. This rose from just £500,000 on 5 February 2026, when the relevant provisions of the Data (Use and Access) Act 2025 commenced — a 35-fold increase that puts nuisance-marketing and cookie breaches on the same footing as serious data-protection failures. The change was analysed by law firm Mayer Brown and corroborated by the Data Protection Network.

The significance is hard to overstate. Under the old £500,000 cap, a firm making millions of unlawful calls faced a penalty that many treated as a cost of doing business; some simply dissolved the company and started again to avoid paying. The new maximum aligns PECR with the UK GDPR's higher tier of £17.5 million or 4% of global turnover, giving the ICO far more room to make a fine genuinely deter a well-resourced operator. Because the cap changed only in February 2026, every fine listed further down this page was issued under the old £500,000 ceiling — the effect of the new maximum will show up in enforcement from 2026 onwards.

What are the biggest recent PECR fines?

The ICO issues named PECR fines close to monthly, and the most recent verified penalty is £160,000, against Energy Prices Direct Ltd in May 2026 for more than 700,000 unsolicited marketing calls to TPS and Corporate TPS-registered numbers made between January 2024 and January 2025. The table below collects the notable recent penalties, all issued under the old £500,000 cap.

FineOrganisationDateWhat happened
£160,000Energy Prices Direct LtdMay 2026Over 700,000 unsolicited marketing calls to TPS/CTPS-registered numbers (Jan 2024–Jan 2025).
£240,000Outsource Strategies LtdApril 20241,346,503 unwanted marketing calls to TPS-registered "do not call" numbers.
£120,000Allay Claims LtdJanuary 20264,046,947 marketing texts, generating more than 46,000 complaints via the 7726 service.
£105,000ZMLUK Ltd (formerly Zuru Media)January 202667,772,285 marketing emails sent without valid consent (part of a £225,000 combined penalty).
£140,000HelloFresh202279,779,279 spam emails and 1,113,734 spam texts over seven months, breaching PECR Regulation 22.
£100,000Dr Telemarketing LtdApril 2024Part of a £340,000 combined action with Outsource Strategies over nuisance calls.

Two patterns stand out. First, the volumes are enormous relative to the penalties: ZMLUK's fine of £105,000 covered nearly 68 million emails, and HelloFresh's £140,000 covered almost 80 million spam emails plus 1.1 million texts, sent over just seven months in 2021–22. Second, the "do not call" list is central: the biggest call-based fines punish calls made specifically to numbers registered with the TPS, where the recipient has actively opted out of marketing calls.

Do TPS-registered numbers still get marketing calls?

Yes — routinely, which is exactly why the fines above exist. In a single April 2024 enforcement action, the ICO fined two companies £340,000 in total — Outsource Strategies £240,000 and Dr Telemarketing £100,000 — for almost 1.43 million unwanted calls to "do not call" numbers over 13 months. Outsource Strategies alone was responsible for 1,346,503 unwanted marketing calls to TPS-registered numbers. Registering with the TPS is a legal signal that a subscriber does not want unsolicited sales and marketing calls, and it is unlawful under PECR to make such calls to a registered number without specific consent.

The scale of the TPS gives a sense of how many people have opted out. As of 2024, 16,898,518 numbers were registered with the Telephone Preference Service — close to 17 million — according to the TPS figures quoted by the ICO. Registration is free and does not expire, yet complaints show that a determined minority of firms ignore the list entirely. TPS registration remains the single most effective step an individual can take to reduce legitimate UK marketing calls; it does not, however, stop overseas scam operations or spoofed numbers, which fall outside PECR's reach and into the scam-call research covered lower down.

How many nuisance-call complaints does the ICO receive each year?

44,404 nuisance-call complaints were received by the ICO in 2024, making nuisance calls the regulator's single most common complaint type that year, according to ICO complaints data compiled by Statista. Nuisance calls and messages have topped or near-topped the ICO's complaint categories for years — a steady stream of public reports that feeds the enforcement pipeline and shapes which sectors the regulator targets.

The ICO publishes monthly PECR complaint totals in its nuisance calls and messages datasets each year, broken down by live calls, automated (recorded) calls, spam texts and marketing emails. Complaint volume is not the same as harm — a single aggressive campaign can generate tens of thousands of reports — but it is the clearest ongoing signal of how much unwanted marketing UK consumers are still receiving. The complaint numbers also explain why PECR fines outnumber UK GDPR fines by count: the public reports nuisance marketing far more often than it reports a data breach it may never learn about.

How big is the spam-text and marketing-email problem?

Nearly 68 million marketing emails in a single case: the January 2026 ZMLUK Ltd fine of £105,000 covered 67,772,285 emails sent without valid consent, part of a £225,000 combined penalty. Spam texts reach similar scales. Allay Claims Ltd was fined £120,000 in January 2026 for 4,046,947 marketing texts that generated more than 46,000 complaints through the 7726 spam-reporting shortcode — the free service that lets mobile users forward suspicious texts to their network.

The 7726 reporting data is a useful independent yardstick. HelloFresh's 2022 fine of £140,000 — for 79,779,279 spam emails and 1,113,734 spam texts sent between August 2021 and February 2022 — was underpinned by 8,729 complaints to the 7726 shortcode about that single campaign. Under PECR Regulation 22, marketing by electronic mail (which includes text messages) generally requires the recipient's prior consent, subject to a narrow "soft opt-in" for existing customers. The recurring theme across these cases is missing or invalid consent: firms relying on bought-in lists, pre-ticked boxes or bundled permissions that do not meet the PECR standard.

How common are scam calls and texts in the UK?

42% of UK phone users said they had received a suspicious call in the previous three months, and 50% of mobile users received a suspicious text between November 2024 and February 2025, according to Ofcom research published in February 2025. An estimated 100 million suspicious messages were reported to mobile operators via the 7726 service in the year to April 2025.

A clarification on scope: scam calls and texts are related to, but distinct from, the nuisance-marketing that PECR enforces. PECR and the ICO deal with unlawful marketing — real UK businesses breaking the consent and TPS rules — while outright fraud and spoofing are largely the domain of Ofcom, the telecoms networks and the police. The Ofcom figures here are the best available measure of how much unwanted contact UK consumers face overall, and they dwarf the marketing cases the ICO fines: the enforcement statistics capture the sliver of the problem that is both domestic and provably unlawful under PECR. Where scams cross into large-scale data theft, that becomes a data-protection matter — see our phishing statistics page for how those attacks are measured.

Frequently asked questions

How much has the ICO fined companies for nuisance calls and spam texts?

Around £4.63 million in total: 49 PECR monetary penalty notices worth £4,630,000 for unsolicited direct marketing between March 2022 and April 2025, averaging roughly £94,490 each. Recent individual fines include £160,000 against Energy Prices Direct Ltd (May 2026), £120,000 against Allay Claims Ltd and £105,000 against ZMLUK Ltd (both January 2026).

What is the maximum fine for breaching PECR in the UK?

£17.5 million or 4% of global annual turnover, whichever is higher, from 5 February 2026 under the Data (Use and Access) Act 2025. Before that date the maximum PECR fine was £500,000, so every named fine to date was issued under the old cap.

How many nuisance-call complaints does the ICO receive each year?

The ICO received 44,404 nuisance-call complaints in 2024, its single most common complaint type. The regulator publishes monthly PECR complaint totals in its nuisance calls and messages datasets, split between live calls, automated calls, spam texts and marketing emails.

Do TPS-registered numbers still get marketing calls?

Yes. Despite around 16.9 million numbers being registered with the Telephone Preference Service as of 2024, some firms ignore the list — Outsource Strategies alone made over 1.3 million unwanted calls to registered numbers. Registering is still the most effective step to reduce legitimate UK marketing calls, but it does not stop overseas scam or spoofed calls, which fall outside PECR.

What is the difference between PECR fines and UK GDPR fines?

They are the ICO's two enforcement ledgers. PECR fines punish unlawful electronic marketing — nuisance calls, spam texts and emails, and cookie breaches. UK GDPR and Data Protection Act fines punish the mishandling of personal data, such as data breaches and security failures. See our GDPR fines statistics page for the data-protection side.

What is the 7726 spam-reporting service?

7726 is a free UK shortcode for forwarding suspicious texts (and, on some networks, calls) to your mobile operator so they can be investigated and blocked. Complaint volumes to 7726 are used as evidence in ICO cases — Allay Claims generated over 46,000 reports and the HelloFresh campaign generated 8,729 — and Ofcom estimates around 100 million messages were reported via the service in the year to April 2025.

Sources & references

Marketing by phone, text and email is only lawful if your team understands consent, the TPS and PECR. Train them in UK data protection and stay off the ICO's enforcement list.

Explore the GDPR & Data Protection Course →
Mark McShane
Mark McShane
Health & Safety Training Specialist, Online CPD Academy

Mark writes about data protection, GDPR compliance and accredited online training for GDPR & Data Protection Course, part of Online CPD Academy.