Hello, Mauven Here: The UK Data Broker Market Just Got a Legal Upgrade It Did Not Deserve

UK Compliance & Regulation

Hello, Mauven here.

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Its main data protection provisions came into force on 5 February 2026. Most of the commentary focused on cookie consent changes, automated decision-making reforms, and the new mandatory complaints procedure for data subjects.

I want to focus on something that received less attention and has direct implications for the subject of this week’s podcast series.

What the DUAA Changed for Data Brokers

The DUAA amended, but did not replace, the UK GDPR, the Data Protection Act 2018, and PECR. Among its provisions, it clarifies in statute that direct marketing can constitute a legitimate interest for the purpose of data processing under Article 6.

It also introduces a new lawful ground called recognised legitimate interests, covering crime prevention, safeguarding, national security, emergency response, and assisting bodies performing public tasks. These recognised legitimate interests do not require a balancing test. General legitimate interests, including direct marketing, still do.

The distinction matters. The data broker industry’s primary legal basis for processing personal data about UK adults is legitimate interests. The DUAA has now given that claim a statutory endorsement that previously existed only in regulatory guidance and case law.

The Experian Decision and What Followed

In October 2020, the ICO issued an enforcement notice against Experian, finding widespread and systemic data protection failings across the credit reference and marketing data sector. The ICO’s investigation found that between Experian, Equifax, and TransUnion, the data of almost every adult in the UK was, in some way, screened, traded, profiled, enriched, or enhanced to provide direct marketing services, in ways most individuals knew nothing about.

Equifax and TransUnion withdrew non-compliant services and avoided further action. Experian appealed.

On 20 February 2023, the First-tier Tribunal ruled substantially in Experian’s favour. On 23 April 2024, the Upper Tribunal dismissed the ICO’s appeal on all five grounds. In May 2024, the ICO confirmed it would not pursue a further appeal.

The practical consequence: the most substantial enforcement action the ICO took against a UK data broker did not result in a monetary penalty and did not result in a final ruling that the processing was unlawful.

The Comparative Enforcement Picture

The period since UK GDPR came into force in 2018 provides a useful comparison.

Over the same period in which the UK has imposed no monetary penalty on a UK data broker, France’s CNIL fined Criteo €40 million in 2023 for consent and transparency failures in its data broker and advertising operations. The Dutch Authority for Personal Data fined Clearview AI €30.5 million in 2024, with an additional daily non-compliance penalty of €5.1 million. Spain’s AEPD fined Informa D&B €1.8 million in 2025.

The ICO’s enforcement posture, particularly post-Experian, has leaned toward enforcement notices and reprimands rather than monetary penalties for the data broker sector. The DUAA restructures the ICO as the Information Commission and gives it enhanced powers. Whether those powers are applied differently to the data broker sector remains to be seen.

What This Means for UK Directors

The people most directly affected by UK data broker activity are private individuals, including small business directors whose personal data sits at the intersection of public company records and commercial data products.

A director who appears on Companies House, on the open electoral register, and whose professional activity is visible on LinkedIn is a structured profile waiting to be assembled. The broker market provides a commercial service that does precisely that assembly.

The DUAA’s changes do not make that processing automatically lawful. The balancing test still applies for general marketing purposes. But the statutory endorsement of direct marketing as a valid purpose strengthens the industry’s position in any future enforcement conversation.

The individual’s remedies remain: subject access requests, erasure requests, objection rights. The systemic remedy, meaningful enforcement that changes market behaviour, has not materialised.

What SMBs Should Take From This

The DUAA is not a reason to despair. Individual rights still exist and are still worth exercising. But it is a reason to be clear-eyed about what the regulatory framework currently offers UK directors whose personal data is being commercially processed.

The ICO is restructured with enhanced powers. The DUAA requires mandatory internal complaints procedures from 19 June 2026. The enforcement powers under PECR have been aligned with GDPR-level penalties. These are genuine changes.

They are also untested. The market has been watching the Experian case since 2020. It has drawn its conclusions about UK enforcement appetite.

How to Turn This Into a Competitive Advantage

For business advisers and MSPs, the DUAA’s new mandatory complaints procedure requirement, coming into force on 19 June 2026, creates a client conversation opportunity. Organisations that have not implemented formal data subject complaint handling processes need to do so. That is a compliance gap with a fixed deadline.

For business owners, understanding the regulatory landscape helps set realistic expectations. Individual action on broker exposure (fixing Companies House records, opting out of the open electoral register, submitting erasure requests) is what is available now. Waiting for the regulator to fix the market is a longer timeline than most directors should accept.

How to Sell This to Your Board

Two arguments for board-level attention on this topic.

The legal framework has just changed in ways that affect how long brokers can hold your personal data and on what legal basis. Directors who have never reviewed their own data broker exposure now have a concrete regulatory context for doing so. This is not a theoretical concern. It is the law changing under their feet.

The enforcement landscape, while improving in some respects, has historically not protected UK directors from commercial data processing they did not know was happening. Individual remedies are the practical tool available. They should be exercised, documented, and reviewed at board level as part of director risk governance.

What to Do This Week

  1. Read the ICO’s guidance on the DUAA changes relevant to individual rights. Understand what changed on 5 February 2026.
  2. Submit subject access requests to the major UK-operating brokers. Document what data they hold, the lawful basis claimed, and the source.
  3. Follow up with erasure requests where appropriate and track the responses.
  4. Note the mandatory complaints procedure requirement coming into force on 19 June 2026 and ensure your own business is ready.
  5. If a broker refuses or ignores a request, report it to the ICO. The Commission has enhanced investigatory powers under the DUAA.

Sources

  • ICO: The Data Use and Access Act 2025: what it means for organisations
  • GOV.UK: Data (Use and Access) Act 2025: data protection and privacy changes
  • Privacy International: UK regulator takes enforcement action against data brokers
  • ICO: Guidance for the data broking sector
  • ICO: Your right to get your data deleted
  • GOV.UK: Data (Use and Access) Act 2025

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • data-protection
  • business-risk
  • executive-security
  • public-sector-security