The UK has the strongest individual opt-out right in Europe for direct marketing. It also has the data protection regulator that just lost its flagship data broker case at the Upper Tribunal. And as of 5 February 2026, a new Act — the Data (Use and Access) Act 2025 — has quietly rewritten parts of the UK data protection framework.
If you live in the UK and want to know what brokers hold about you, what rights you can enforce, and what actually happens when you try, this guide is written from the primary sources: ICO press releases, tribunal judgments, and the Act itself.
Who the UK's data brokers are
The Information Commissioner's Office (ICO) supervises UK data brokers. The European Data Protection Board's March 2026 market study groups data brokers into eight types, and the UK has active operators in most of them.
The UK brokers most relevant to individuals break down as follows.
Credit reference and marketing dual-use. Experian, Equifax UK, and TransUnion UK. All three are regulated as credit reference agencies, but each also runs marketing data divisions. The ICO's 2020 investigation found that these divisions were screening, trading, profiling, and enhancing personal data for direct marketing purposes without most individuals' knowledge.
Business data brokers with personal data inside. Dun & Bradstreet UK, Creditsafe. These are ostensibly B2B data providers, but they hold personal data about sole traders, company directors, and decision-makers. Spain's data protection authority fined Informa D&B €1.8 million in January 2025 for processing 1.6 million sole traders' personal data without a valid legal basis — a ruling that directly applies to equivalent UK operators, though no UK enforcement has yet followed.
B2B contact data brokers. Cognism, ZoomInfo UK, Lusha. These sell professional contact data (name, title, company email, mobile) to sales teams. All claim compliance via UK GDPR legitimate interests. None have faced formal ICO enforcement at time of writing.
Identity and location data brokers. GBG Plc (identity verification, KYC), Blis Global (location data from mobile GPS), MiQ Digital (household-level and connected TV audience data). These providers typically claim their outputs are aggregated or anonymised, but the re-identification risk varies.
AdTech marketplaces and data pools. Epsilon, The Trade Desk, MiQ Digital, Quantcast. These operate programmatic or cleanroom models where personal data flows between many parties and individual control is harder to exercise.
The common thread across all of these: you almost certainly appear in several of their datasets without ever having given them your information directly.
The UK GDPR rights that actually apply
UK data protection law is built on three instruments: the UK GDPR, the Data Protection Act 2018, and — as of 2025 — the Data (Use and Access) Act 2025, which amends both.
Three rights matter most when you're dealing with a data broker.
Article 15 — right of access. You can ask any broker in writing to confirm whether it holds your personal data, what data, where it came from, who it's been shared with, and for what purposes. The broker has one calendar month to respond. This is the reconnaissance step — you can't object to processing you don't know exists.
Article 21 — right to object. For direct marketing specifically, this is an absolute right. The broker cannot refuse, cannot claim a compelling legitimate interest, cannot delay beyond one month. The ICO's right-to-object guidance is unambiguous on this point. It is the single strongest consumer-side lever in UK data protection law. For non-marketing processing, the right is not absolute — the broker can continue if it demonstrates compelling legitimate grounds that override your interests — but for marketing, the position is settled.
Article 17 — right to erasure. If the broker has no lawful basis to continue processing (for example, after you've successfully objected), you can demand deletion. In practice, brokers often "suppress" records — flag them to be excluded from future use — rather than delete them. Suppression leaves the underlying record in place, which means re-scraping from public sources can re-populate it within months.
The combined approach that works is a single request citing all three articles: "under Article 15, please provide … under Article 21, I object to all direct marketing processing … under Article 17, please erase any data for which you no longer have a lawful basis." Most brokers respond faster to a combined request than to three separate ones.
There is a reason individual requests work even in a period when regulatory enforcement has stalled. An individual request is procedural: the broker faces a one-calendar-month compliance clock from receipt. The burden is on the broker to respond; failure to respond is itself a breach. A regulator-led enforcement action is evidentiary: the ICO must prove that a privacy notice is not transparent enough, or that a legitimate interests assessment is flawed, to a standard the Tribunal will uphold. These are different mechanics, and — as the Experian case showed — the outcomes can diverge.
The ICO's flagship data broker case — and what the Upper Tribunal said
In October 2020, after a two-year investigation, the ICO issued an enforcement notice against Experian. The regulator found "widespread and systemic data protection failings" across the sector and "significant data protection failures" at Experian, Equifax, and TransUnion. It took no further action against the latter two after they withdrew the non-compliant products, and focused enforcement on Experian.
Experian appealed. The case then took four years to reach a final outcome.
The First-tier Tribunal ruled on 20 February 2023, substantially in Experian's favour. It rejected the ICO's view that Experian's privacy notice was not transparent, that using credit reference data for direct marketing purposes was unfair, or that Experian had failed to properly assess its lawful basis. The FTT replaced the original enforcement notice with a narrower "Substitute Enforcement Notice" requiring Experian to provide Article 14 privacy notices to a residual cohort of 5.3 million individuals whose data had been obtained from certain open sources — while also finding it would be disproportionate to order that notification to happen now.
The ICO appealed. On 23 April 2024, the Upper Tribunal dismissed the ICO's appeal on all five grounds in Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC). The ICO then confirmed in May 2024 that it would not pursue a further appeal.
Three points about what this ruling does and does not mean.
It does not remove your rights. The case was about Experian's specific privacy notices and specific legitimate interests assessment. The Tribunal found those were adequate for that processing. Your Article 21 absolute right to object to direct marketing was not touched. Article 15 and Article 17 were not touched.
It does signal that the ICO's enforcement posture against data brokers has been judicially constrained. The Tribunal held that legitimate interests can serve as a valid basis for marketing and profiling even where the processing might be "surprising" to some data subjects — a view the ICO had expressly contested. The ICO's October 2025 consultation announcement acknowledged it is rewriting its fining guidance to reflect tribunal case law.
It does not stop the processing that is already happening. This is the point most commentary misses. During the 2020 investigation, Equifax and TransUnion withdrew certain non-compliant products at the ICO's request — but the ICO did not issue an enforcement notice against either, did not require deletion of previously gathered data, and did not require either company to accept that its practices had been in breach. Only the future monetisation of specific products changed. The underlying datasets — the aggregated personal data accumulated over years of screening, enriching, and profiling — were not ordered to be deleted. Processing of your data continues in some form at all three credit reference agencies, and at the wider broker ecosystem, until you personally exercise the rights described above. Nobody removes your data from a broker's systems on your behalf as a consequence of any ICO action.
Why individual enforcement outperforms regulator enforcement here
The distinction matters practically. The ICO's case against Experian turned on two contestable judgements: whether Experian's privacy notice was adequately transparent, and whether its legitimate interests assessment was sound. Both are arguments about notice-and-basis compliance — the kind of evidence-heavy dispute that is slow, expensive, and routinely won by well-resourced regulated entities in the Tribunal system.
An individual exercising Article 21 has none of those problems. The right is absolute for direct marketing. There is no legitimate interests balancing test available to the broker. There is no "was the privacy notice good enough" argument. There is a one-month compliance clock that starts the moment your request is received, and the burden falls entirely on the broker to stop processing and confirm it has done so. Failure to comply is, in itself, a breach — and a breach that is straightforward to evidence in any subsequent complaint.
The practical implication: if you are waiting for the ICO to force data brokers to stop processing your data, you will be waiting a long time. If you send an Article 21 objection with an Article 15 access request and an Article 17 erasure demand, you will usually get a result within a month. Your rights are intact; their judicial enforceability by the regulator is what has narrowed.
What the Data (Use and Access) Act 2025 changed
The DUAA received Royal Assent on 19 June 2025 and amends both UK GDPR and the Data Protection Act 2018. The majority of data protection provisions came into force under Commencement No. 6 on 5 February 2026.
Three changes matter for your dealings with data brokers.
Automated decision-making protections narrowed. Article 22 UK GDPR used to restrict solely automated decisions with legal or similarly significant effects, full stop. The DUAA narrows this to decisions based on special category data (health, biometrics, sex life, political opinion, etc.). For decisions that rely only on non-special-category data — which covers most profiling and scoring by marketing brokers — the prior restrictions are removed. Brokers using AI-driven scoring on name, address, and behavioural data alone now operate under a lighter regime.
"Recognised legitimate interests" inserted. The DUAA lists specific legitimate interests — national security, emergency response, crime detection, safeguarding vulnerable individuals — where no balancing test against your interests is required. None of these map directly to data broker marketing, but the direction of travel is toward a looser legitimate-interests regime.
DSAR burden reduced. Brokers now have more scope to refuse or partially respond to Article 15 requests they consider "vexatious or excessive." The threshold is not a bright line, but practically it means a polite, specific, first-time DSAR is still straightforward; a follow-up or aggressive request may be refused more readily than before.
What the DUAA did not change: your Article 21 absolute right to object to direct marketing, the one-month response clock, or the requirement that a controller provide an Article 14 privacy notice when it holds personal data not obtained from the individual.
Where the ICO still has teeth
The Experian ruling is not the end of UK enforcement. The ICO retains significant power in three areas.
Security failures and data breaches. Equifax UK was fined £500,000 in September 2018 — the maximum under the Data Protection Act 1998 — for failures that allowed the 2017 US breach to expose approximately 15 million UK citizens' data. The ICO found Equifax breached five of the eight data protection principles, including the security principle and the requirement for adequate contractual arrangements for international transfers. Under UK GDPR the higher-tier statutory maximum is now £17.5 million or 4% of total annual worldwide turnover, whichever is greater — reserved for serious infringements including failure to respect data subject rights, unlawful international transfers, and breaches of transparency principles. The ICO has the ceiling; it simply has to meet the evidentiary bar.
Jurisdictional reach. In October 2025, the Upper Tribunal reversed the First-tier Tribunal's earlier ruling that the ICO had no jurisdiction over Clearview AI. The case returns to the FTT for substantive consideration, but the point of law is settled: scraping UK residents' images for processing that profiles them brings the operator within UK GDPR scope even if the customer base is outside the UK.
PECR enforcement. The ICO's new fining guidance under development is specifically for PECR (Privacy and Electronic Communications Regulations) — unsolicited marketing calls, texts, and emails. Brokers that supply data for illegal calls face enforcement risk under PECR separately from UK GDPR.
Exercising your rights in practice
The practical routes vary by broker type.
Credit reference agencies. Experian operates a Consumer Information Portal with direct opt-out forms. An opt-out adds your contact details to Experian's No Marketing Request file, and the company has seven days to process it; full removal from the marketing database happens at the next monthly rebuild. Equifax and TransUnion operate similar portals, with slightly different workflows. All three will process a written Article 15 / 21 / 17 request by email or post.
Business data brokers. Dun & Bradstreet UK and Creditsafe accept data subject requests via email to their data protection officers. Sole traders and self-employed individuals have particularly strong grounds under Article 21 because the AEPD Informa D&B ruling established that processing sole-trader personal data without explicit legal basis is non-compliant, and that reasoning applies equally in the UK.
B2B contact brokers. Cognism, ZoomInfo UK, and Lusha all publish data subject request processes. They claim legitimate interests as their lawful basis; your Article 21 objection shifts the burden to them to demonstrate compelling legitimate grounds that override your interests. For personal contact data used in outbound sales, this threshold is difficult to meet.
AdTech and location brokers. These are the hardest category. The data pipelines are opaque, suppression is often temporary, and the brokers frequently claim that their outputs are aggregated and therefore outside UK GDPR scope. For location data specifically, the anonymisation claims rarely survive technical scrutiny — but enforcing that requires a complaint to the ICO, not a simple opt-out request.
For the opt-out templates, request language, and per-broker contact details, see our UK and EU data broker opt-out guide.
Exercising these rights one broker at a time, across credit reference agencies, business data brokers, B2B contact lists, and AdTech pipelines, takes weeks of calendar time and disciplined follow-through. The Eraser runs the initial removal campaign across the broker ecosystem and verifies results after 90 days. For clients who want coverage sustained beyond that window — because brokers re-populate from public sources — The Guardian continues the work as an annual retainer.
UK vs EU divergence — what it means for you
Since the DUAA came into force, the UK and EU regimes have started to diverge. The European Commission renewed the EU-UK adequacy decision on 19 December 2025, extending free data flows until 27 December 2031, but the EDPB raised concerns about the Secretary of State's new powers to amend UK data protection law via secondary regulations without full parliamentary scrutiny.
Practical differences that matter for broker enforcement.
Fining posture. In the same period that the ICO has not imposed a monetary penalty on a UK data broker, France's CNIL fined Criteo €40 million (2023), the Dutch AP fined Clearview AI €30.5 million (2024) with an additional €5.1 million per day non-compliance penalty, and the AEPD fined Informa D&B €1.8 million (2025). Our EU GDPR data broker removal guide covers the EU enforcement landscape in detail. EU DPAs treat systemic data broker non-compliance as a fineable offence; the ICO, post-Experian, is more likely to issue enforcement notices or reprimands.
Legitimate interests. The EU has not introduced "recognised legitimate interests" without a balancing test. In the EU, every legitimate-interests claim still requires a full assessment.
Automated decision-making. EU GDPR Article 22 retains its full scope. UK GDPR Article 22 now applies only to decisions based on special category data.
For UK residents whose data sits in both UK and EU brokers — which is most UK residents — the practical answer is that the strongest rights are often the EU ones, exercised through the EU establishment of the same broker. Experian, for example, operates an EU entity in Ireland; for processing by that entity, EU GDPR and Irish DPC supervision apply.
What professional removal actually achieves
Working alone, a UK resident can realistically reach the top ten credit reference, business data, and B2B contact brokers within a weekend using the rights described above. The deeper the data supply chain goes — into AdTech pipelines, location brokers, data cleanrooms, and the US-based operators whose datasets include UK residents — the harder unassisted removal becomes.
Where professional removal adds value:
- Identifying the brokers that process your data quietly — operators without consumer-facing relationships that inherit fragments of your identity, payment, or location data through supply-chain licensing rather than direct collection.
- Issuing combined Article 15 / 21 / 17 requests with audit trails suitable for ICO complaint escalation if a broker refuses or stalls.
- Tracking suppression-versus-deletion outcomes and re-submitting where records re-populate from public sources — which they routinely do within months.
- Covering the cross-border dimension: UK residents appear in EU, US, and global broker datasets via family, professional, and travel-related linkages, and the removal mechanics differ by jurisdiction.
None of this removes the need to understand your rights. It shortens the execution time from weeks of calendar effort to a structured removal campaign with documentation — and it extends the reach to brokers you would not otherwise identify.
Frequently asked questions
Can I request a company to delete my data in the UK?
Yes. Article 17 of the UK GDPR gives you the right to request erasure of personal data in defined circumstances, including where the company no longer has a lawful basis to process it. The company has one calendar month to respond and must either delete the data or explain, by reference to a specific GDPR exemption, why it cannot. In practice, a combined request citing Article 15 (access), Article 21 (objection), and Article 17 (erasure) is more effective than an erasure request alone.
How do I force a company to delete my data?
Submit a written request citing Articles 15, 21, and 17 of the UK GDPR, sent to the company's data protection officer or the email address listed in its privacy notice. Keep proof of the date sent. If the company does not respond within one calendar month, or refuses without citing a specific exemption, you can complain to the ICO via ico.org.uk/make-a-complaint. An individual complaint is a different enforcement route from a large systemic case — the ICO is responding to a specific, documented procedural failure (you asked, the broker did not comply) rather than trying to prove a broker's overall business model is unlawful. Individual complaints therefore succeed routinely even in the period following the Experian Tribunal defeat. From 19 June 2026, under the Data (Use and Access) Act 2025, every organisation that processes personal data must operate a formal internal complaints procedure — and complaints must be addressed internally before escalation to the ICO.
Is UK GDPR changing?
Yes. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, and the majority of its data protection provisions came into force on 5 February 2026. The Act does not replace the UK GDPR or the Data Protection Act 2018 — it amends them. Key changes include narrower Article 22 automated decision-making protections, the introduction of "recognised legitimate interests" that do not require a balancing test, and a reduced burden on organisations responding to data subject access requests. Your Article 21 absolute right to object to direct marketing was not changed.
How long can a company hold my data in the UK?
UK GDPR Article 5(1)(e) — the storage limitation principle — requires personal data to be kept "no longer than is necessary" for the purposes for which it is processed. There is no fixed number of years. A company must define its retention period based on the purpose of processing and be able to justify it. Once the purpose is fulfilled, the data should be deleted or anonymised. For data brokers, retention periods are often measured in years rather than months, justified by reference to the accuracy and utility of their marketing and scoring products.
What UK GDPR rights do I have against data brokers?
Three rights matter most: Article 15 (right of access to see what a broker holds about you), Article 21 (absolute right to object to direct marketing), and Article 17 (right to erasure where no lawful basis applies). Brokers have one calendar month to respond. A combined request citing all three articles is the strongest approach.
Can UK data brokers use my data without consent?
Yes, for non-marketing processing, if they rely on legitimate interests and can demonstrate that their interests are not overridden by yours. The Upper Tribunal confirmed in 2024 that legitimate interests can cover marketing and profiling by credit reference agencies. However, your Article 21 right to object to direct marketing specifically is absolute — the broker cannot refuse that objection.
How do I opt out of Experian marketing data?
Use the Experian Consumer Information Portal at experian.co.uk/privacy/consumer-information-portal. Your contact details are added to the No Marketing Request file within seven days, and full removal from the marketing database happens at the next monthly rebuild. This does not stop other brokers — only Experian's own direct marketing data broking.
Is breaking UK GDPR a criminal offence?
Most UK GDPR breaches are civil matters — the ICO issues monetary penalties, enforcement notices, or reprimands rather than pursuing criminal prosecution. However, the Data Protection Act 2018 does create specific criminal offences, including knowingly or recklessly obtaining, disclosing, or procuring personal data without the controller's consent (Section 170), and re-identifying de-identified personal data without consent (Section 171). Prosecutions are rare but have occurred, typically against individuals who misuse access rather than corporate entities.
Sources
This article is built from primary sources: regulator press releases, published tribunal judgments, and legislation. Where analytical commentary is cited, it is professional legal analysis from UK data protection practitioners.
UK regulatory and judicial:
- ICO, Investigation into data protection compliance in the direct marketing data broking sector (October 2020) — full sector report (PDF).
- ICO, Enforcement action against Experian (October 2020) — ICO press release.
- ICO, Statement on Upper Tribunal ruling (April 2024) — ICO statement.
- Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC) — Upper Tribunal decision (GOV.UK).
- ICO, Upper Tribunal judgment on Clearview AI Inc (October 2025) — ICO statement.
- ICO, Right to object guidance — ICO guidance page.
- ICO, Data Use and Access Act 2025 — what it means for organisations — ICO DUAA hub.
- ICO, Consultation on enforcement procedural guidance (October 2025) — consultation page.
- ICO, Maximum fine under UK GDPR and DPA 2018 — ICO fining guidance.
- GOV.UK, Data (Use and Access) Act 2025: plans for commencement — GOV.UK commencement guidance.
- Equifax UK £500,000 ICO fine (September 2018) — Privacy World analysis.
- Experian UK Consumer Information Portal — Experian opt-out page.
EU regulatory and market study:
- EDPB, Data Brokers Market Study (March 2026) — EDPB study page.
- AEPD decision on Informa D&B (January 2025), €1.8M — ppc.land summary.
- European Commission, Adequacy decisions for the UK (renewed December 2025) — European Commission adequacy page.
Analytical commentary:
- Reed Smith, Tribunal overturns (most of) ICO's Experian enforcement notice — Reed Smith viewpoint.
- Privacy International, Q&A on UK regulator's action on data brokers — Privacy International Q&A.