4 March 2026 · Last reviewed 18 February 2026

Third-Party Data and PECR: Why Bought Lists Are the Fastest Route to an ICO Fine

If you look at every PECR fine the ICO has issued since 2022, one pattern stands out: the organisations that got hit hardest were almost always using data they didn't collect themselves. Bought lists. Shared lists. "Partner" data passed between companies under vague consent language. Third-party data is the riskiest thing you can put into your marketing operations — and the documented, repeated cause of the largest fines the ICO issues.

The numbers behind third-party data fines

Take ZMLUK. The ICO found that ZMLUK had sent 67.7 million marketing emails using data acquired from third parties. The fine: £105,000. The core finding was straightforward — ZMLUK could not demonstrate that the people on those lists had consented to receive marketing from ZMLUK specifically. The consent chain was broken, and no amount of contractual assurance from the data supplier could fix that.

ZMLUK is not an outlier. Our analysis of ICO PECR fines from 2024-2025 shows that third-party data cases consistently attract higher fines than first-party consent failures. When you collect data yourself and get the wording wrong, that's a procedural error. When you blast emails to people who have never heard of your company using a bought list, the ICO views that as a more fundamental failure.

Why third-party data fails under PECR

Regulation 22 of PECR is specific about what constitutes valid consent for marketing emails. The person must have notified the sender that they consent. That means consent must be:

  • Specific — they agreed to receive marketing from your organisation, not just from some unnamed category of "partners" or "third parties"
  • Informed — they knew who you were at the point they gave consent
  • Freely given — consent wasn't buried in terms and conditions or bundled with something else
  • Demonstrable — you can produce evidence of all of the above

When you buy a list from a data broker or receive leads from a partner, every one of those requirements becomes harder to satisfy. You weren't present when the data was collected. You don't know what the person was told. All you have is a spreadsheet of email addresses and a supplier's assurance that "consent was obtained."

The ICO's guidance on using third-party marketing lists is clear: the fact that a third party claims to have obtained consent does not relieve you of the obligation to verify it. If you send the email, you bear the enforcement risk — not the data supplier.

The consent chain: what it means in practice

The "consent chain" is the trail of evidence connecting a marketing email you send today back to the moment the recipient originally gave their consent. For first-party data, this chain is short: person fills in your form, you record the consent, you send the email. Two links.

For third-party data, the chain gets longer and more fragile. The original collection might have happened on a different website, run by a different company, using consent wording you've never seen. That company may have sold the data to a broker, who sold it to you. Each handoff is a point where the chain can break.

You need to trace the chain all the way back — not to the point where your supplier gave you the data, but to the point where the individual gave their consent. That means you need:

  1. The original consent wording — the exact text the person saw when they opted in
  2. Proof that your organisation was named (or described clearly enough that the person understood they were consenting to hear from you)
  3. The date and method of consent — when they opted in and how
  4. Evidence that consent was active — unticked checkboxes, not pre-selected options

If your data supplier cannot provide all four, you do not have a valid consent chain. You have a list of email addresses and a liability.

What the ICO actually checks

When the ICO investigates and discovers third-party data was used, they follow a predictable path: identify the data source, request the contract between sender and supplier, then ask for the actual consent records for the individuals who complained. Not a contractual warranty — the records themselves. Then they contact the data supplier directly.

This is where things fall apart. The consent wording may never have mentioned the sending organisation. The records may not exist. The consent language may have been so vague ("we share data with carefully selected partners") that it doesn't meet PECR's specificity requirement. When the chain doesn't hold, the fine lands on the organisation that pressed send.

How to verify consent provenance before using third-party data

If you're considering buying or receiving marketing data from a third party, here's what due diligence actually looks like under PECR:

Request sample consent evidence before you buy. Ask the supplier to show you the actual consent mechanism — screenshots of forms, the exact wording used. If they can only offer contractual warranties ("we guarantee consent was obtained"), that's a red flag. Warranties don't satisfy the ICO; evidence does.

Check that the consent wording names your organisation. Generic language like "we may share your data with third parties" is not sufficient. The consent must specifically identify your company, or describe your category clearly enough that the subscriber could reasonably have anticipated hearing from you.

Verify the consent is recent and relevant. Consent collected years ago under different wording may no longer be valid. Ask when the data was collected and whether the wording has changed since.

Get the full consent record, not just the list. A CSV of email addresses tells you nothing about consent. You need per-contact records: when each person consented, what they saw, how they opted in. If the supplier can't provide this, the data is not usable under PECR.

Document your due diligence. Keep records of what you checked, when, and what evidence you received. Demonstrating that you took reasonable steps to verify consent is materially different from having no verification process at all.
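As an added illustration (not code from the original article), a small Python audit that applies the four consent-chain links listed earlier to the per-contact records a supplier hands over, flagging each contact whose chain is broken; the sender name, the 730-day freshness policy and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SENDER = "Acme Widgets Ltd"   # assumed: the organisation that will press send
MAX_AGE_DAYS = 730            # assumed internal freshness policy; PECR sets no fixed limit

@dataclass
class ConsentRecord:
    email: str
    wording: Optional[str]          # exact text shown at the point of opt-in (link 1, link 2)
    consent_date: Optional[date]    # when they opted in (link 3)
    method: Optional[str]           # how they opted in, e.g. "web form" (link 3)
    pre_ticked: Optional[bool]      # False = unticked box; None = supplier could not say (link 4)

def audit_record(rec: ConsentRecord, today: date) -> List[str]:
    """Return the broken links in this contact's consent chain; [] means all four held."""
    gaps = []
    text = (rec.wording or "").lower()
    if not text:
        gaps.append("missing original wording")
    elif SENDER.lower() not in text:
        # Generic "partners"/"third parties" wording never names the sender
        gaps.append("sender not named in wording")
    if rec.consent_date is None or not rec.method:
        gaps.append("date or method missing")
    elif (today - rec.consent_date).days > MAX_AGE_DAYS:
        gaps.append("consent older than freshness policy")
    if rec.pre_ticked is not False:
        gaps.append("no evidence of active opt-in")
    return gaps

def usable_contacts(records: List[ConsentRecord], today: date) -> List[str]:
    """Emails whose chain is complete; every other contact stays out of the campaign."""
    return [r.email for r in records if not audit_record(r, today)]

# Constructed sample records in the shape a supplier might return (not real data)
TODAY = date(2026, 3, 4)
SAMPLE = [
    ConsentRecord("a@example.com", "I agree to receive offers from Acme Widgets Ltd by email", date(2025, 9, 1), "web form", False),
    ConsentRecord("b@example.com", "We may share your details with selected partners", date(2025, 9, 1), "web form", False),
    ConsentRecord("c@example.com", "I agree to receive offers from Acme Widgets Ltd by email", date(2022, 1, 10), "web form", True),
    ConsentRecord("d@example.com", None, None, None, None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.email, audit_record(r, TODAY) or "OK")
```

Only the first record would survive the audit; the other three are the list-of-liabilities case the article describes.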

Our PECR compliance checker includes specific questions about third-party data sources and flags the most common gaps in consent provenance documentation.

The soft opt-in does not apply to third-party data

One misconception worth addressing: the soft opt-in does not rescue third-party data. The soft opt-in requires that the contact's email was collected "in the course of a sale or negotiations for a sale" between you and the customer. If you bought the data from someone else, there is no sale relationship between you and the person on the list. It does not apply.

The bottom line

Third-party data is not inherently unlawful. But using it compliantly requires due diligence that most data transactions don't involve: seeing the actual consent evidence, confirming your organisation was named, verifying the consent is current, and keeping records of everything you checked.

Most organisations that get fined didn't do any of this. They bought a list, loaded it into their ESP (email service provider), and sent campaigns to people who had no idea who they were.

If your marketing lists include any data you didn't collect yourself, audit those segments first. They're the highest-risk contacts in your database. The PECR compliance checklist covers the full requirements, but third-party data is where enforcement most commonly starts. The safest list is one you built yourself.