Skip to content

Can My Business Buy a Marketing List?

Table of Contents

In Short

  • PECR governs how businesses use purchased marketing lists, requiring informed, specific consent for electronic marketing.
  • Consent must explicitly name your business and specify the type of communication (e.g., email, text).
  • Businesses must conduct due diligence, verifying consent, and ensure compliance to avoid penalties.

Tips for Businesses

Always verify the source of any purchased marketing list and ensure explicit consent is obtained for your marketing. Screen against suppression services and maintain up-to-date data to remain compliant with PECR.

Marketing campaigns are vital tools to help promote business growth and gain new customers. Businesses often rely heavily on marketing and marketing lists to generate leads and reach new potential customers. Some businesses may seek to purchase email marketing lists or mailing lists from third-party companies to help their lead generation. However, strict rules under the Privacy and Electronic Communications Regulations (PECR) govern how businesses can use these lists for email, text, or phone marketing. Companies must ensure full compliance with PECR to avoid potential penalties when using purchased lists. This article will explore the legal considerations around buying a marketing list under PECR. 

What Is PECR?

PECR governs privacy in electronic communications, covering marketing calls, texts, emails, and faxes. It sits alongside the UK GDPR (governing the use of personal information), but it specifically focuses on marketing communications and the use of cookies and similar technologies. 

Your business must comply with PECR, as failure to do so can result in substantial penalties, including enforcement action, criminal enforcement and fines. Following these regulations demonstrates that you respect individuals’ preferences and build trust with your customers.

Can You Use a Purchased Marketing List for Marketing?

The ICO has published clear guidance on the rules around purchasing marketing lists. As per its guidance, businesses can use a bought-in list for marketing purposes, but only under certain conditions and subject to following strict legal rules. 

Your business can send marketing emails, texts, or recorded calls only if you have obtained specific, informed consent from individuals on the list. 

This means:

  • the consent must explicitly name your business;
  • individuals must have agreed to the specific type of communication you intend to send (e.g., emails, texts); and
  • the consent must be recent, valid, and properly documented.

Under PECR, you cannot rely on generic consent that covers third parties. If the consent does not explicitly name your business or the communication method, it is not valid. Any marketing you send to individuals without specific consent will breach PECR.

The soft opt-in rule (which allows businesses to send marketing communications to existing customers whose details were obtained during a sale or negotiation) does not apply to bought-in lists. Since individuals on bought-in lists did not provide their data directly to your business, you must obtain explicit consent for electronic marketing.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Due Diligence Must You Conduct Before Using a Marketing List?

You must conduct thorough due diligence before using a bought-in list. Your business cannot simply trust the seller’s assurances and must conduct its own investigations to ensure compliance with legal rules is fully met. 

You must check the following key issues: 

  • Verify the source: Check who compiled the data. Was it collected directly from individuals or through third parties?
  • Check transparency: Confirm that individuals were informed their data could be shared for marketing purposes and that your business was explicitly named as a party that will contact them for marketing purposes. 
  • Validate consent: Ensure that individuals gave specific, informed consent for the type of marketing you plan to send. Make sure the consent is recent and properly documented. Also, check if the list seller checked that individuals had not opted out of receiving marketing communications (such as marketing suppression lists). 
  • Ensure accuracy: Confirm that the data is up-to-date and accurate. Using outdated or inaccurate data could lead to a PECR breach, particularly if individuals have opted out of marketing.
  • Request proof of consent: Make sure the seller of the marketing list can show when and how they obtained consent. You should not use the list if they cannot provide this evidence.

To comply with PECR when using a bought-in marketing list, you must verify that individuals on the list have provided specific, informed consent to your business for the type of communication you plan to send (e.g., emails, texts, or recorded calls). 

Additionally, you should screen the list against the Telephone Preference Service (TPS), Fax Preference Service (FPS), and your internal suppression lists to avoid contacting individuals who have opted out. 

It is crucial to ensure the data is accurate and up-to-date to avoid contacting individuals who do not wish to receive marketing messages. 

If individuals were not previously informed, you should also send them a privacy notice explaining how their data will be used. 

You should also take proactive steps to monitor and address any complaints you receive about your marketing communications. If complaints are frequent, this may indicate that the list seller is unreliable, and you should reconsider using that source.

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

How Can a Data Protection Lawyer Help?

Breaching PECR presents many risks, and purchasing a marketing list can be particularly risky, especially given the scope of individual complaints against your business. 

A data protection lawyer can support your business by providing tailored advice on PECR and helping you ensure that your marketing practices comply with its legal requirements.

A data protection solicitor can guide you through the due diligence process upon purchasing a marketing list. They can help verify that the data provider is compliant and ensure the valid attainment of consent

Considering the significant reputational damage you could face for getting this wrong and marketing to individuals in breach of the PECR rules, legal advice can be a sensible investment if you are unsure whether you can lawfully purchase and use a marketing list. 

Key Takeaways

Using marketing lists you have purchased is possible, but you must always comply with PECR to do so lawfully. For instance, you can only send emails, texts, or recorded calls to individuals who have given specific, informed consent. The soft opt-in exemption does not apply to bought-in lists, so you cannot rely on this rule for third-party data. To avoid penalties arising from breaching PECR, your business should take various proactive steps, such as conducting due diligence, verifying consent, and screening your lists against suppression services. When purchasing a marketing list, you should seek legal advice if you need clarification about your legal obligations under PECR.

If you need legal advice on PECR, our experienced regulatory and compliance lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Can my business use a bought-in list for email marketing?

Yes, but only if the individuals have given specific, informed consent to receive marketing emails from your business. Generic consent to marketing from third parties is not enough under PECR.

What steps should I take when buying a marketing list?

You should ensure robust due diligence by verifying how the data was collected, such as checking that specific consent was obtained, screening the list against TPS and FPS, and confirming that the data is accurate and up to date.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards