What has the ICO published on data brokers and list buying?
The ICO has not issued a single dedicated code of practice solely on list buying, but the topic runs through several key publications. Its direct marketing guidance addresses the obligations that apply when personal data changes hands between a list provider and a marketer. The ICO's broader guidance on the legitimate interests lawful basis is equally relevant for B2B buyers. There is also the 2020 Experian enforcement case, which, while not a code, is the clearest statement of what the ICO expects from organisations that hold and sell personal data about millions of UK individuals.
The overarching principle in all of this material is accountability. Under UK GDPR, if you buy a list and use it for marketing, you become an independent data controller for that processing. The supplier's compliance does not transfer to you. Your organisation must have its own lawful basis, its own data retention policy, and its own records of processing activity.
The ICO is also clear that "bought a list" is not a defence when something goes wrong. A complaint from someone on a purchased list will be directed at the organisation that sent the marketing, not the supplier. Enforcement, if it follows, will focus on whether the buyer had a valid lawful basis and met its transparency obligations.
What is the Article 14 obligation, and how does it apply to purchased lists?
Article 14 of UK GDPR covers the right to be informed where data has been collected from a source other than the individual directly. When you buy a marketing list, every person on it falls under Article 14. The requirement is to provide them with certain information: the identity of your organisation, the purposes and lawful basis for processing, any recipients or categories of recipients, how long you will keep the data, and crucially, the source.
Timing matters. Article 14(3) requires that the privacy notice be delivered within one month of obtaining the data, or at the latest by the time of first contact with the individual. In practice this means the first communication you send to a purchased list must include, or link to, a privacy notice that names the source of the data.
The ICO accepts that this notice can be delivered by email, direct mail, or other first-contact channel. A short statement in the email footer saying "We obtained your contact details from [Supplier Name]. To find out more about how we use your data, please visit [link]" satisfies the basic requirement, provided the linked privacy notice contains the full detail. What the ICO does not accept is silence: sending a marketing email to a purchased list with no indication of data provenance is a straightforward breach of Article 14.
Article 14 exemption: a narrow one
There is an exemption if providing the notice would involve disproportionate effort. The ICO interprets this narrowly. A postal campaign to 50,000 records where adding a source line would double the print cost might qualify for partial relief, but the bar is high. Most electronic marketing has no grounds for the exemption at all.
What due diligence should buyers conduct on a data supplier?
The ICO's position is that buyers cannot outsource their accountability. Taking reasonable steps to verify a supplier's compliance is part of that accountability. The word "reasonable" does some heavy lifting here; the ICO has not published a precise checklist, but its guidance and enforcement decisions point clearly to the following areas.
Questions to ask before purchasing a list
A reputable supplier will answer all of the following without difficulty. Evasion or generic assurances without supporting documentation are warning signs.
- What is the lawful basis for the original collection of this data? For B2B data compiled from publicly available sources, the answer should reference legitimate interests. For B2C consumer data, the answer should be consent, with details of the consent mechanism.
- What is the original source? Public corporate directories and Companies House filings for B2B; consented lifestyle surveys or prize-draw entries for B2C consumer files. Ask the supplier to be specific.
- When was the data last verified? A file where no contact has been verified for 18 months carries substantially higher bounce and complaint risk than one refreshed in the past six months.
- Has the file been suppressed against the Telephone Preference Service (TPS) and the Mailing Preference Service (MPS)? For telemarketing and direct mail respectively, suppression against these services is not optional.
- Can you provide a data processing agreement (DPA)? Under Article 28 of UK GDPR, this is required where a supplier processes data on your behalf. In a list-sale scenario the relationship is typically controller-to-controller, but a DPA or equivalent contractual terms still set out responsibilities clearly.
Contractual warranties: useful but not sufficient on their own
A standard clause in a data supply contract will state something like "the Supplier warrants that the data has been compiled in accordance with applicable data protection legislation." This gives the buyer a contractual remedy if the warranty turns out to be false, but it does not satisfy the ICO's expectation that buyers take active steps. A warranty unsupported by any documentary evidence gives a buyer very little practical protection in an enforcement context.
The ICO has observed in its direct marketing guidance that simply having a contract is not enough. It expects buyers to go further: reviewing the supplier's privacy notice, asking for evidence of the consent or legitimate-interests basis, and, where the purchase is large or the data is sensitive, conducting a more formal assessment of the supplier's data practices.
The Experian enforcement case: what it tells buyers
In 2020, the ICO issued an enforcement notice against Experian's marketing services division, which operated what was at the time one of the largest consumer profiling and data brokerage operations in the UK. The ICO found that Experian had been processing personal data about millions of UK adults for commercial profiling and direct marketing purposes without those individuals having been given meaningful information about it.
The core finding was a failure of transparency. Individuals whose data appeared in Experian's marketing file had no reasonable expectation that their information was being used in this way, and Experian had not taken adequate steps to provide them with the Article 13 and Article 14 notices that UK GDPR requires. The ICO required Experian to make substantial changes to how it handled the data: either obtaining informed consent from individuals or, where that was not possible, ceasing to use the data for marketing purposes.
For buyers, the lesson from the Experian case is not about Experian specifically. It is about what regulators look for when assessing data broker activity: transparency, proportionality, and genuine respect for individuals' right to know how their data is being used. A buyer who purchases data from a supplier and asks no questions is, in the ICO's framework, taking on risk they have not assessed.
B2B vs B2C: how the rules differ for purchased lists
The lawful basis question is where B2B and B2C list buying diverge most sharply. The table below sets out the key differences buyers need to understand before proceeding.
| Factor | B2B (corporate contacts) | B2C (consumer contacts) |
|---|---|---|
| Typical lawful basis | Legitimate interests, Article 6(1)(f) UK GDPR | Consent, Article 6(1)(a) UK GDPR + PECR consent for electronic channels |
| Buyer's required document | Legitimate Interests Assessment (LIA) | Evidence that underlying consent was valid and specific to the buyer's category |
| Article 14 notice | Required; usually delivered in the first marketing communication | Required; usually in the first email or mailing |
| TPS suppression required? | Yes, for telemarketing | Yes, for telemarketing |
| MPS suppression required? | Not mandated for corporate addresses; best practice for named individuals | Yes, for postal direct mail |
| ICO's primary concern | Proportionality of LIA; relevance of marketing to recipient's role | Validity and specificity of original consent; whether data is still within consent scope |
For B2B buyers working through whether legitimate interests applies to their campaign, our article on legitimate interests and B2B data in the UK covers the three-part LIA process in detail, including the balancing test the ICO expects buyers to complete.
Why B2C consent must be specific, not generic
A common error when buying consumer email data is accepting a supplier's assurance that individuals "opted in to receive marketing." That phrase covers a very wide range of situations, some of which will not cover your specific category. Someone who ticked a box to receive offers from "travel and lifestyle brands" did not consent to receive cold emails from a B2B SaaS vendor, a debt management service, or a financial products reseller. The ICO looks at whether the consent was specific enough to cover the actual processing being carried out, not just whether consent existed in some form.
This is why asking the supplier for the precise wording of the original consent notice is not pedantic: it is the only way to know whether the consent is actually valid for your use case.
What supplier representations actually matter?
Buyers regularly receive brochures describing a list as "fully compliant," "GDPR-verified," or "permission-based." None of these phrases has a defined legal meaning, and the ICO would not treat them as evidence of compliance in an enforcement investigation.
What does carry weight is the ability to point to: (a) the specific lawful basis the supplier used; (b) documentary evidence of that basis (a copy of the consent form, a description of the legitimate-interests assessment the supplier completed); (c) evidence of TPS and MPS suppression runs; and (d) a contractual agreement that allocates responsibility clearly and gives the buyer a remedy if the warranty proves false.
Suppliers who cannot provide (a) and (b) should be treated with caution regardless of how their marketing copy reads. A well-run data supplier has no reason to withhold this information: it is the same information they need to retain for their own accountability records.
ICO spot checks and audit rights
The ICO can and does issue information notices requiring organisations to produce records of their processing activities, including records of where data was sourced. Buyers who have not retained any documentation of supplier due diligence will find themselves unable to demonstrate accountability if a complaint or investigation arises. Keep a summary record of the due diligence you conducted for each list purchase, including the supplier's responses to your key questions.
