
Data Brokers: Who Sells Your Personal Information?

Understand data brokers in the UK: who sells personal information, where it comes from, and the 5 privacy checks readers need before clicking consent.

Data brokers are easy to ignore because you rarely deal with them directly. You notice the outcome instead: a targeted advert, a marketing email, a profile that seems to know more than you expected. The useful skill is understanding how ordinary data becomes a traded asset, and what you can realistically do about it.

The Short Version

Key Takeaways

  • Data brokers collect, combine or supply personal information for uses such as marketing, profiling, verification and audience targeting.
  • The data may come from forms, public records, surveys, competitions, loyalty schemes, websites, apps or other companies.
  • UK data protection law does not ban data broking, but it does require fairness, transparency, a lawful basis and respect for your rights.
  • Your strongest practical right is the right to object to direct marketing, which organisations cannot refuse.
  • The hard part is visibility: you often do not know which firms have your details until they contact you or appear in a privacy notice.

What A Data Broker Actually Does

A data broker deals in information about people. It may collect data itself, buy it from others, match it with records, sort people into categories, or supply an audience segment to another organisation.

That sounds abstract, so think about the practical version. A company may want to reach people likely to move house, buy a car, donate to a charity, own a pet, have a particular income band, live in a certain area, or respond to a specific kind of advert. A data broker may help by supplying contact details, adding missing information, or creating a target group.

Not all data broking is marketing. Some work supports fraud prevention, identity checks, address validation or credit reference data. The same basic idea sits underneath: information collected in one context can become useful in another.

Where The Information Comes From

There is rarely one single source. A profile can be built from many small pieces: a competition entry, an online quote form, a shop account, a warranty registration, an open version of the electoral register, Companies House data, a public website, a survey, app activity, a loyalty programme, or a previous marketing list.

The ICO’s direct marketing guidance makes a simple point about publicly available information: public does not mean free for any use. If an organisation collects personal information from public sources for direct marketing, it still has to consider whether the use is fair and lawful, and whether the person would reasonably expect it.

This is why the same email address can feel as if it has travelled. You may have given it to one company for a narrow reason, then later receive a message from another organisation you do not recognise.

The UK Rules In Plain Terms

The UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations all matter here. The Data (Use and Access) Act 2025 has also amended parts of the UK data framework, and some ICO guidance is still being updated. The central principles remain fairness, transparency, lawful basis, purpose limitation, data minimisation and individual rights.

The ICO’s guidance for organisations using data broker marketing services says both the broker and the client have responsibilities. A company cannot simply buy a list and assume the broker has made everything compliant. If it buys or rents contact details for direct marketing, it must be able to justify its own use of the data, give people privacy information and respect the rules that apply to the marketing channel.

If a company receives your information from somewhere else, the ICO says it generally needs to tell you the categories of information it holds and the source of that information. A clean privacy notice should not hide data matching, profiling or third-party enrichment in vague language.

Why Consent Is Not The Whole Story

People often assume the question is simply: did I consent? Sometimes that is the right question, especially for certain electronic marketing under PECR. But data protection law has several lawful bases. An organisation might rely on legitimate interests for some activity, while still needing to pass fairness and transparency tests.

That does not mean an organisation can do whatever it likes by saying “legitimate interests”. It still has to balance its interests against your rights and expectations. If the use is intrusive, surprising or poorly explained, the argument becomes weaker.

Your Rights Against Marketing Data Use

Your clearest right is the right to object to direct marketing. The ICO says this right is stronger than objections to many other uses of data. If you object to an organisation using your personal information for direct marketing, it must stop using it for that purpose.

That may not erase every record about you. The organisation may keep a suppression record, which is just enough information to make sure it does not add you back to a future marketing list. That can feel counterintuitive, but it is often the practical way to make an opt-out stick.

You can also use a subject access request to ask what personal information an organisation holds about you. Where it did not collect the data directly from you, the response may include available information about the source.

The Visibility Problem

The biggest frustration is that you cannot easily object to a company you do not know exists. Many data flows sit behind privacy notices, ad systems, list suppliers and analytics partners. You may only see the surface: a message, a call or an advert.

The Competition and Markets Authority’s work on online platforms and digital advertising highlighted a wider problem: people often struggle to control how data is collected and used in digital advertising markets. That does not mean every data broker is doing something unlawful. It does mean the market is difficult for ordinary users to inspect.

This is also why privacy settings help but do not solve everything. Tightening your phone settings, rejecting unnecessary cookies and using separate email addresses can reduce future leakage. They cannot always unwind data that has already moved through older forms, public records or historic lists. For a practical companion, our guide to smartphone settings worth changing on day one covers device-level habits that reduce needless sharing.

A Worked Example

Imagine you buy a piece of home gym equipment from a small online retailer. At checkout, you create an account, enter your delivery address, tick a marketing preference without reading it closely, and later complete a short survey for a discount code.

The retailer keeps your order details. Its email platform stores your marketing preference. Its analytics tools record which pages you visited. A list supplier may later help the retailer group customers by likely interests.

Three months later, you receive a fitness finance offer from a company you do not recognise. The useful response is not panic. Look for the sender’s privacy notice, the source of your details and the unsubscribe route. If the message is direct marketing and you do not want it, object in writing and keep a copy.

What This Means For You

You cannot fully remove yourself from the data economy, but you can reduce the amount of unnecessary information that enters it. Use a separate email address for shopping, avoid optional surveys unless the trade-off is worth it, untick marketing boxes, and be cautious with competitions or quote forms that ask for more than they need.

When marketing arrives from a company you do not recognise, do not just delete it if you want the trail to stop. Use the unsubscribe link if the message looks legitimate, then consider a direct objection to marketing use. If the source is unclear, ask where they obtained your data.

For higher-risk accounts, treat privacy as part of account security. Our explainer on Online Safety Act age checks covers the same core question from another angle: who gets the data, what is shared, and how long it is kept?

In Plain English

Data brokers help organisations find, enrich or target information about people. You may never deal with the broker directly, but your details can still pass through that market.

UK rules give you rights, especially when your data is used for direct marketing. The right to object is the one most ordinary users should remember.

Share less by default. Read privacy prompts when the data is sensitive. Ask where a company got your details when a message feels unexpected.
