Seven Years of UK GDPR: Why the Data Broker Market Has Never Been Bigger

UK Compliance & Regulation

Seven Years of UK GDPR: Why the Data Broker Market Has Never Been Bigger

Here is a simple question. If a regulator investigated an entire industry sector, found widespread and systemic data protection failings, and issued an enforcement notice against the largest company, what would you expect to happen next?

Most people would answer: the company complies, the market takes note, behaviour changes, and the regulator follows up to confirm the changes hold.

Here is what actually happened in the UK data broker market.

The ICO’s 2020 Investigation: The Finding

In October 2020, the ICO published the results of a two-year investigation into data protection compliance in the direct marketing data broking sector. It examined three credit reference agencies that also operate as data brokers: Experian, Equifax, and TransUnion.

The finding was unambiguous. The ICO described “widespread and systemic data protection failings across the sector.” Between the three companies, the data of almost every adult in the UK was being screened, traded, profiled, enriched, or enhanced to provide direct marketing services, in ways most individuals knew nothing about.

Equifax and TransUnion withdrew non-compliant services and avoided further action. Experian issued a formal challenge.

The Enforcement Action: What Followed

The ICO issued an enforcement notice against Experian in October 2020, requiring fundamental changes to how it handled personal data in its offline direct marketing services.

Experian appealed to the First-tier Tribunal (Information Rights).

On 20 February 2023, the First-tier Tribunal ruled substantially in Experian’s favour. It rejected the ICO’s position on transparency, fairness, and lawful basis for most of the challenged processing. It replaced the original enforcement notice with a narrower substitute notice requiring Experian to provide Article 14 privacy notices to a specific cohort of 5.3 million individuals whose data came from certain open sources, while finding it would be disproportionate to require that notification to happen immediately.

The ICO appealed to the Upper Tribunal.

On 23 April 2024, the Upper Tribunal dismissed the ICO’s appeal on all five grounds in Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC).

In May 2024, the ICO confirmed it would not pursue a further appeal to the Court of Appeal.

No monetary penalty was imposed on Experian at any stage of this process.

What the Market Concluded

The signal this outcome sent to the data broker industry is not subtle.

A seven-year enforcement process, from the initial Privacy International complaint in 2018 through to the Upper Tribunal dismissal in 2024, resulted in no monetary penalty and no final ruling that the processing was unlawful at the scale the ICO had alleged. The substitute enforcement notice required notification to a specific cohort, which the tribunal itself found it would be disproportionate to require immediately.

An industry watching that outcome would conclude that UK GDPR enforcement against commercial data brokers carries limited financial risk, that the ICO’s enforcement notices can be successfully challenged, and that the legal basis of legitimate interests is more defensible than the ICO had suggested.

That is not a conspiracy. That is what a rational industry does with available information.

The Comparative Record: What EU Regulators Did

While the UK enforcement process was unfolding, EU regulators took a different approach to the broader data broker and adtech ecosystem.

France’s CNIL fined Criteo €40 million in June 2023, following complaints filed by Privacy International and noyb in 2018 and investigations beginning in 2020. The violations related to consent failures in Criteo’s adtech and data processing operations. Criteo appealed. In March 2026, France’s Council of State upheld the fine.

The Dutch Authority for Personal Data fined Clearview AI €30.5 million in 2024, with an additional daily penalty of €5.1 million for continued non-compliance. Clearview AI’s facial recognition database was found to have been built without lawful basis.

Spain’s AEPD fined Informa D&B €1.8 million in 2025 for data broker processing that lacked adequate transparency.

The ICO’s maximum available penalty for UK GDPR breaches is £17.5 million or 4% of global annual turnover, whichever is higher. The legal tools exist. The enforcement appetite has differed.

Rights That Depend on Individual Labour

The background to all of this is that UK adults, including directors, have legal rights under UK GDPR to access, correct, and erase their personal data held by brokers.

The practical reality of exercising those rights is that an individual must first identify which brokers hold their data, then contact each one, provide identity evidence, make the request, wait up to one month for a response, challenge any refusal, and repeat the process when data reappears from refreshed upstream sources.

One of the ICO’s core findings in 2020 was that most individuals did not know these companies existed, let alone that they held their data. That transparency failure was central to the enforcement action against Experian. The enforcement action that the Upper Tribunal then found had not fully established on all grounds the ICO had advanced.

The individual remedy, in the absence of meaningful market-level enforcement, is real but fragmented. Rights that require significant personal labour to exercise systematically benefit those with time, confidence, and persistence. That is a distributional problem the law was supposed to address.

What the DUAA Changed and Did Not Change

The Data (Use and Access) Act 2025, in force from 5 February 2026, made several changes relevant to this picture.

It clarified in statute that direct marketing can constitute a legitimate interest. That is a statutory endorsement of a position the data broker industry has long relied on. A balancing test still applies, but the statutory footing is now clearer.

It introduced mandatory internal complaints handling from 19 June 2026, requiring organisations to acknowledge data protection complaints within 30 days and respond without undue delay.

It restructured the ICO as the Information Commission with enhanced powers including binding assessment notices and strengthened investigatory tools under PECR.

The DUAA does not automatically change the enforcement posture. Enhanced powers are only meaningful if they are used. The question of whether the Information Commission applies its new tools differently to the data broker sector remains open. The answer will only come from enforcement action.

Why This Matters for SMB Directors

The reason this enforcement history matters for UK SMB directors is straightforward.

The commercial data broker market processes personal information about every UK adult, including the directors of every small business in the country. That processing contributes to the attacker reconnaissance picture covered in episodes one and two of this series. The home addresses, household data, financial indicators, and marketing segments held by brokers enrich the publicly available Companies House and LinkedIn data into a usable fraud and social engineering resource.

The regulatory framework was designed to give individuals control over that processing. The enforcement record suggests that control has been difficult to exercise at scale through the regulator. Individual rights remain the practical tool.

That is the honest position. It should be stated clearly, not buried in compliance language.

How to Turn This Into a Competitive Advantage

Understanding the enforcement landscape is specialist knowledge that most advisers and MSPs do not have. Being able to brief a client on the actual state of data broker regulation, rather than a generic summary of GDPR rights, is a differentiated capability.

For business owners, the enforcement gap means you cannot rely on regulatory action to protect your directors’ personal data from commercial broker processing. Active individual rights management, subject access requests, erasure requests, documentation, and follow-up, is the practical posture until the regulatory environment changes.

How to Sell This to Your Board

Two board-level points.

The regulatory environment has not provided adequate protection against commercial data broker processing of director personal data. That is a documented position supported by the Experian case outcome. Your board should understand that the business cannot wait for regulatory improvement before reducing director exposure actively.

The ICO’s Information Commission has enhanced powers under the DUAA. If those powers are used to strengthen data broker enforcement, the landscape may improve. Monitoring ICO enforcement action in this area and adjusting your governance approach accordingly is prudent. It is not yet a reason to relax individual rights management.

What to Do This Week

  1. Read the ICO’s guidance on the data broking sector to understand the current regulatory position.
  2. Submit subject access requests to the major UK-operating brokers whose names appear in search results for your directors.
  3. Track responses and document any that miss the one-month deadline.
  4. Report non-compliant responses to the ICO. Individual complaints that are documented and aggregated become policy evidence.
  5. Review the DUAA’s mandatory complaints procedure requirement, coming into force 19 June 2026, and ensure your own organisation is ready to comply.
SourceArticle
Privacy InternationalUK regulator takes enforcement action against data brokers
Privacy InternationalQ&A on UK regulator’s action on data brokers
Privacy InternationalQ&A on €40m CNIL fine against Criteo
ICOGuidance for the data broking sector
noybConseil d’Etat upholds Criteo’s €40m GDPR fine
ICOData Use and Access Act 2025: what it means for organisations
GOV.UKData Protection Act 2018

Filed under

  • smb-security
  • uk-business
  • compliance-failure
  • data-protection
  • business-risk
  • executive-security
  • public-sector-security