What does a data licence actually cover?
A data licence is not a sale. When you buy a marketing list in the UK, you are paying for the right to use those records under defined conditions. Ownership of the underlying data stays with the supplier. This distinction matters because it governs everything from how long you can keep the file to whether you can pass it to a third-party agency running your campaign on your behalf.
Every licence has the same skeleton: permitted use, permitted channels, use period, territory, confidentiality obligations, deletion on expiry, a quality guarantee, warranty on lawful basis, and liability allocation. The specific wording in each of those sections is where buyers get caught out. A licence that looks straightforward at first glance can contain a clause restricting you to a single email send, or a warranty so narrow it offers no real protection.
Before signing anything, read the full licence, not just the order form. The order form states the price, the volume, and the targeting spec. The licence terms (often a separate document or the supplier's standard terms and conditions) are where the legal substance lives.
The licence-terms glossary: key clauses decoded
The table below covers every material term you should expect to see in a UK data licence, what each clause means in plain language, and the minimum standard you should insist on.
| Term | What it means | Minimum standard to insist on |
|---|---|---|
| Use period | The window during which you may use the records. Single-use means one campaign send. Multi-touch means repeated contacts within a defined period (commonly 30, 60, or 90 days). Perpetual means no expiry. | Insist the use period is stated explicitly in days, not vague phrases like "for the purpose of the campaign". |
| Permitted channels | The contact channels covered. Email-only licences prohibit telephone outreach to the same records; multi-channel licences specify each channel separately. | Match channels to your actual campaign plan before signing. Paying for multi-channel when you only need email wastes budget; using channels not covered is a licence breach. |
| Territory | The geographic scope. UK data licences almost always restrict use to UK-based campaigns targeting UK recipients. | Confirm "UK" means Great Britain and Northern Ireland. If you need Republic of Ireland records, that requires a separate agreement and a separate legal assessment under Irish data protection law. |
| Permitted users | Who within your organisation (or which third parties) may handle the data. Some licences prohibit passing the file to agencies or outsourced partners. | Negotiate an express clause permitting data processing by named third-party agencies acting on your behalf as data processors, with a requirement that they sign a data processing agreement. |
| Warranty on lawful basis | A contractual promise by the supplier that the data was compiled under a lawful basis recognised by UK GDPR, for example legitimate interests for B2B prospecting or explicit consent for consumer email marketing. | Require the supplier to state the specific lawful basis in writing. "Compiled in accordance with applicable data protection legislation" is too vague; push for "Article 6(1)(f) legitimate interests" or "Article 6(1)(a) consent plus PECR consent" as applicable. |
| Replacement guarantee | An obligation on the supplier to replace records that bounce, are unreachable, or fail verification above a stated threshold, typically 5–10% of the supplied volume. | Confirm the guarantee period (30–60 days from delivery is standard) and what it covers: hard email bounces only, or also dead telephone numbers and undeliverable postal addresses. |
| Deletion obligations | A requirement to delete all supplied records, including CRM copies and any data derived from the supplied file, within a specified period after the licence expires or following a written request from the supplier. | Check the deletion window (30 days post-expiry is reasonable) and whether the clause requires written confirmation of deletion. Keep a record of the deletion date in case of audit. |
| Confidentiality | An obligation not to share, resell, or sub-licence the data to any party other than those explicitly permitted. | Standard. Breaching this is the fastest route to legal action from a supplier. |
| Liability cap | A ceiling on the supplier's financial exposure if the data proves non-compliant or the warranty is breached. Commonly capped at the total licence fee paid. | For high-volume or regulated campaigns (financial services, healthcare, legal), negotiate a higher cap or a specific indemnity clause covering ICO enforcement costs. |
| Audit rights | A clause permitting the supplier to audit your use of the data to confirm compliance with the licence terms. Less common in standard licences but not unusual for larger volumes. | If present, ensure the audit right is limited to reasonable notice (five business days minimum) and that it covers documented processes rather than raw system access. |
How does the use period affect campaign planning?
The use period is the clause buyers overlook most often, usually because the sales process focuses on volume and targeting rather than contract terms. A Manchester-based SaaS firm that buys a 5,000-record B2B list under a single-use licence, uploads it to HubSpot, runs one email sequence, and then leaves the contacts in the CRM has almost certainly breached the licence by the time the second automated follow-up fires.
Single-use licences make economic sense for one-off direct mail drops or a single cold email campaign where you have no intention of re-contacting. They fall apart for any multi-touch outreach model. If your sales cadence runs over three to six weeks with five to eight touchpoints, you need a multi-touch licence that explicitly covers the full cadence duration. See our guide to B2B multi-touch cadence planning for how to structure the campaign within the licence window.
Perpetual licences are available from some suppliers, particularly for CRM enrichment use cases where the buyer wants to append data to existing records and retain the appended fields indefinitely. They cost more upfront, but if you are building a house list, the maths usually favours perpetual over repeated annual refreshes under time-limited terms.
What counts as "one use"?
The definition of a "use" is rarely spelled out in sufficient detail. In our experience, the ICO and courts would look at the substance, not the label: if you contacted 5,000 people from the same file in three separate emails over two weeks, that is functionally one campaign. If you contacted them in January, deleted the file, then re-purchased in October for a second campaign, that is two separate uses. The grey zone is retargeting the same file six months later without re-purchasing, which most suppliers would consider a breach of a single-use term.
What do warranty clauses actually protect you against?
Under UK GDPR, the data buyer is an independent controller. Even if a supplier provides non-compliant records, the buyer can still face enforcement by the Information Commissioner's Office (ICO) for using them. A warranty clause does not remove that regulatory exposure. What it does is create a contractual route to claim against the supplier if the warranty proves false.
A well-drafted warranty on lawful basis should state: the specific Article 6 lawful basis used; that suppression against the Telephone Preference Service (TPS) has been applied where relevant; and the date of last suppression wash. For consumer email files, the warranty should also confirm compliance with the Privacy and Electronic Communications Regulations (PECR) and specify the consent mechanism used to source the records.
The practical test: ask the supplier to show you a sample consent audit trail for five records in any consumer email file before you sign. Any supplier confident in their compliance will produce it without hesitation. Reluctance to do so is a warning signal.
Liability cap: the clause buyers underestimate
Most standard data licences cap the supplier's liability at the total value of the purchase order. If you pay £800 for a list and the ICO later issues a £50,000 fine because the data was not lawfully sourced, the supplier's contractual exposure is £800. For high-volume campaigns in regulated sectors, negotiate an express indemnity covering regulatory investigation costs before signing.
Deletion obligations: what you actually have to do
Deletion clauses generate more post-purchase disputes than any other term, because buyers frequently fail to account for where data ends up. A file delivered as a CSV gets imported into the CRM, synced to an email platform, passed to a calling agency, and referenced in a campaign reporting spreadsheet. The deletion obligation covers all of those copies.
Standard deletion obligations in UK data licences require:
- Deletion of the original delivered file from all local and cloud storage.
- Removal of records from any CRM, marketing automation platform, or dialler system the file was uploaded to.
- Deletion of any derivative data, such as segmentation tags or engagement scores, created from the supplied records.
- Written confirmation of deletion sent to the supplier within the stated window, commonly 30 days.
If you use a third-party agency to run the campaign, confirm that their deletion obligations are mirrored in your data processing agreement with them. A licence breach by your agency is your breach under the main contract.
What about records you have already engaged with?
This is where it gets nuanced. If a contact from a bought list has replied to you, requested a call, or otherwise initiated a relationship, you may have an independent lawful basis (legitimate interests or contract performance) to continue engaging with them under your own processing, separate from the original licence. You should document that basis clearly at the point of engagement, before the licence expires, so the continued relationship does not depend on the supplier's data rights. See our guide on legitimate interests for B2B data in the UK for how to construct that assessment.
What to negotiate before signing
Most data suppliers offer standard terms that protect the supplier more than the buyer. This is normal; it is also negotiable. The four clauses worth pushing back on are listed below, in order of practical importance.
1. The warranty on lawful basis. Push for the lawful basis to be named explicitly (not just "applicable legislation") and for the warranty to survive termination of the licence for at least 12 months. If the ICO investigates a campaign six months after the licence ends, you need the warranty still in force.
2. The replacement guarantee threshold and scope. Standard guarantees cover hard bounces at 5–10%. Negotiate to include dead telephone numbers and Royal Mail return-to-sender postal rates. Also confirm the replacement is like-for-like: the same targeting spec, not substitute records from a different segment.
3. The liability cap. For regulated-sector campaigns (financial services under FCA oversight, healthcare, legal services), the purchase price cap is inadequate. A realistic negotiation target is a cap of three times the licence fee, plus an express indemnity for ICO enforcement costs arising from the supplier's breach of their own warranty.
4. Sub-licensing to agencies. If you use an outsourced agency, add a named-agency carve-out to the permitted-users clause. The agency must operate under a signed data processing agreement with you, and they take on no independent rights to the data. This structure is consistent with the ICO's guidance on controller-processor relationships.
One-time versus subscription data arrangements alter the negotiating dynamic considerably. Under a subscription model, the replacement guarantee and deletion obligations work differently. Our forthcoming guide on one-time versus subscription data covers that comparison in full. For an overview of how to assess UK data providers before you reach the contract stage, see how to choose a B2B data provider in the UK.
Common licence gotchas to watch for
The following five clauses appear regularly in standard UK data licence templates and catch buyers off guard.
- Automatic renewal. Some subscription data agreements include an auto-renewal clause that locks you in for another 12 months unless you give written notice 30–60 days before the renewal date. Check the contract end date and diary the cancellation window on the day you sign.
- Vague channel definitions. "Email" in a licence might or might not include LinkedIn messages sent via a sales automation tool. If your campaign uses any non-standard channel, get it explicitly named in the permitted-channels clause rather than assuming it falls under a broad category.
- Suppression obligations sitting with the buyer. Some suppliers deliver a raw file and place the TPS suppression obligation entirely on the buyer, with no warranty that the file has already been washed. This is legally permissible but shifts the compliance burden. Confirm before delivery whether the file has been suppressed and, if not, factor the cost and time of a TPS and Mailing Preference Service (MPS) wash into your campaign timeline.
- Indemnity that runs both ways. Occasionally a licence includes a mutual indemnity clause, meaning you indemnify the supplier against claims arising from how you use the data. This is standard for consumer files where misuse could expose the supplier to a PECR complaint. Read it carefully: a poorly drafted mutual indemnity can expose you to costs that bear no relation to the purchase price.
- No deletion confirmation required. Some licences simply require deletion on expiry without requiring written confirmation. Documenting deletion anyway, even when not contractually required, is good practice. The ICO's accountability principle under UK GDPR Article 5(2) requires you to be able to demonstrate compliance with your retention obligations, and a timestamped deletion record serves that purpose.
