Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Many founders assume customer data is just another business asset they can package up, licence or sell when they need a new revenue stream. That is where trouble starts. Common mistakes include treating broad privacy notice wording as consent, sharing contact lists with another business without checking the legal basis, and buying third party data without proper due diligence on how it was collected. Another frequent problem is assuming that if names are removed, the data is no longer personal information, even when individuals can still be identified.
In the UK, selling personal information is not automatically banned, but it is heavily regulated. The real question is not simply whether money changes hands. It is whether the collection, sharing, disclosure or commercial use of personal data is lawful, transparent and fair under UK data protection law. This guide explains what selling personal information means in practice, when the issue comes up for SMEs and startups, what rules usually matter most, and what steps to take before you sign a deal or build a data-driven product.
Overview
UK businesses can only sell, disclose or otherwise monetise personal data if they have a valid legal basis, clear transparency, and a use of data that fits with what people were told when their data was collected. The main risk is not just regulatory action, but damaged customer trust, unenforceable commercial arrangements and a business model that has to be rebuilt after launch.
- Identify whether the information is actually personal data, pseudonymised data, or genuinely anonymous data.
- Check your lawful basis for collecting and disclosing the data, and whether consent is really required.
- Review what your privacy notice said at the point of collection and whether the proposed sale is compatible with that wording.
- Work out whether you are acting as a controller, joint controller or processor in the arrangement.
- Assess any direct marketing rules, especially for email, SMS and similar communications.
- Use a written contract that covers data protection responsibilities, security, liability and permitted uses.
- Complete a risk assessment if the data use is intrusive, large scale or unexpected.
- Check whether the data was sourced lawfully from a third party before you spend money on setup.
What Selling Personal Information Means For UK Businesses
Selling personal information usually means disclosing personal data to another party in return for money or another commercial benefit, but the legal analysis depends on the data use, not just the label attached to the deal.
In practice, businesses do not always call it a sale. A contract might describe it as a licence, list rental, audience sharing arrangement, data partnership, lead generation deal, enrichment service, affiliate campaign or platform integration. If personal data moves from one business to another and the recipient uses it for its own purposes, UK data protection law is likely to be engaged.
What counts as personal information?
Personal information, or personal data, covers information relating to an identifiable individual. That can include obvious items such as names, email addresses and phone numbers. It can also include customer IDs, IP addresses, location data, browsing history, purchase records and combinations of data points that make someone identifiable.
This is where founders often get caught. Data does not stop being personal just because you removed a name field. If someone can still be singled out directly or indirectly, the law may still treat it as personal data.
Is selling personal data illegal in the UK?
No, not in every case. But a business cannot simply decide that because it collected data lawfully, it can now sell or share it however it likes. The disclosure must have its own lawful basis and must be fair and transparent.
Under the UK GDPR and the Data Protection Act 2018, you need to be able to answer basic questions clearly. Why are you disclosing the data? What legal basis supports that disclosure? Did individuals know this could happen? Is the recipient using the data in a way people would reasonably expect?
If the answer to those questions is weak, the arrangement is risky even if the contract says the deal is lawful.
Consent is not always the answer
Many businesses assume they need consent for every data sale. Sometimes they do, but not always. Consent can be appropriate where people are given a genuine choice and the intended disclosure is specific and clear. It is often relevant where the data sharing supports direct marketing or where the use is unexpected.
However, consent has to be freely given, specific, informed and unambiguous. A buried sentence in terms and conditions is unlikely to do the job. Pre-ticked boxes are a bad sign. Consent also needs to be withdrawable, which can make it awkward for business models built around ongoing data monetisation.
In some cases, a business may look at legitimate interests instead. That requires a proper balancing exercise between the business purpose and the individual’s rights and expectations. It is not a shortcut. If people would be surprised that their data was sold to another business, legitimate interests may be hard to justify.
Transparency matters as much as the legal basis
A privacy notice needs to say clearly how personal data will be used and shared. Vague wording such as “we may share your information with selected partners” often causes problems. If you later plan to sell customer data to third parties for their own marketing or analytics purposes, your earlier wording may not be specific enough.
Fairness is a separate issue from strict wording. Even if the notice technically mentions third party sharing, the overall picture still needs to be fair. A hidden disclosure that a reasonable customer would not expect can still create legal risk.
Special category data and children’s data need extra care
Some types of information attract stricter rules, including health information, biometric data, information about religious beliefs, sexual orientation and similar sensitive categories. Selling or sharing that type of data can be much harder to justify and may require an additional condition under data protection law.
Children’s data also needs extra caution. If your product or service is aimed at children, or you know children are using it, commercial sharing arrangements should be reviewed very carefully. The fairness and transparency expectations are higher.
When This Issue Comes Up
The issue usually appears when a business tries to turn customer information into revenue, expand its marketing reach, or sell a business asset without realising that data protection limits what can be transferred.
Customer lists and lead generation
A common founder moment is wanting to sell a customer or prospect database to another company. For example, a gym may want to sell a lapsed member list to a nutrition brand, or a software business may want to pass user details to referral partners in return for commission.
That is rarely as simple as transferring a spreadsheet. You need to check what customers were told, whether they agreed to marketing from other businesses, and whether electronic marketing rules apply. Email and SMS marketing can trigger separate privacy and electronic communications rules, not just general data protection law.
Data partnerships and platform integrations
Tech businesses often build products that combine user data with another company’s audience, analytics or ad tools. The commercial discussion may focus on product growth, but the legal issue is whether each party is acting for its own purposes and whether users were told enough about that arrangement.
This matters before you sign a contract with a platform, adtech provider or data broker. If both parties decide key purposes and means of processing together, they may be joint controllers. That changes the compliance work and should be reflected in the paperwork.
Business sales, restructures and investment
Personal data is often treated as part of the value of a business. If you are selling your company, carving out a business unit or moving customer records between group entities, the buyer may expect access to customer databases. That can be lawful, but only if the transfer is properly handled and consistent with what customers were told.
This is especially important where the buyer plans to use the data differently from the seller. A transfer during a share sale can be different from an asset sale, and a new use after acquisition can require fresh transparency steps.
Buying data from third parties
Some businesses buy lists or audience data to speed up growth. The main risk is inheriting someone else’s compliance problem. If the original collector did not obtain the data fairly or did not tell people their information would be sold on, your business may still face scrutiny when you use it.
Cheap data can become expensive very quickly if you need to stop using it after launch, answer complaints or rebuild your marketing pipeline.
Analytics, enrichment and so-called anonymised data
Another common situation is selling aggregated insights or enriched datasets. If the data is truly anonymous so that individuals are no longer identifiable, data protection law may not apply in the same way. But true anonymisation is a high bar.
Pseudonymised data is not the same thing. If the data can be linked back to individuals, directly or indirectly, it usually remains personal data. Businesses sometimes overstate anonymisation in sales material, which creates both legal and commercial risk.
Practical Steps And Common Mistakes
The safest approach is to test the proposed data sale like a product launch: define the data, map the flows, check the lawful basis, and document the commercial arrangement before you spend money on setup.
1. Map exactly what data is changing hands
Start with the dataset itself. Do not rely on commercial shorthand such as “user insights” or “customer segment data”. List what fields are included, where the data came from, when it was collected, and whether it includes anything sensitive.
Check:
- direct identifiers, such as names and contact details
- indirect identifiers, such as unique IDs, device details and location data
- behavioural data, such as browsing and purchase history
- sensitive or special category data
- whether any minors are included
- whether the dataset is genuinely anonymous or only pseudonymised
2. Review the original collection point
The legality of a future sale often turns on what happened when the data was first collected. Review sign-up forms, cookie flows, lead forms, app permissions, privacy notices and any consent records. If your old wording is vague, that does not automatically mean the sale is impossible, but it is a warning sign.
A founder buying a customer list should ask for that evidence before signing. A founder selling one should gather it before pitching the deal.
3. Identify the correct lawful basis
You need a lawful basis for the collection and for the later disclosure or use. Depending on the facts, businesses often consider consent or legitimate interests. Neither should be selected because it sounds convenient.
Think about:
- whether people would reasonably expect this disclosure
- whether they were given a genuine choice
- whether the recipient will use the data for its own independent marketing or profiling
- whether the impact on individuals is low, moderate or high
- whether a less intrusive option could achieve the same business aim
If your business wants to rely on legitimate interests, record the balancing exercise. If consent is needed, make sure it was validly obtained and can be evidenced.
4. Check direct marketing rules separately
A business may have a lawful basis for handling data and still breach rules on electronic marketing. If the recipient plans to send marketing emails or texts, separate consent requirements can apply. This is a common gap in data sale deals.
Do not assume that a privacy notice disclosure is enough. Marketing permissions need their own review.
5. Put the allocation of roles in writing
One of the most common mistakes is using a short commercial contract that says little about data protection. If the buyer determines its own purposes for the data, it is not simply processing on your behalf. The contract should reflect the actual relationship.
A written agreement should usually cover:
- who is controller, processor or joint controller
- what data is covered and for what purpose it may be used
- whether onward sharing is allowed
- security standards and breach notification
- who handles privacy rights requests and complaints
- warranties about lawful collection and transparency
- indemnity and liability positions
- deletion, return or retention obligations
6. Update privacy information if needed
If your proposed data sharing goes beyond what people were previously told, you may need to update your privacy notice and, in some cases, notify individuals directly or seek fresh consent. Timing matters. Doing this after the dataset has already been transferred is often too late.
This is especially relevant in a business sale, merger or new data monetisation project where the new use is materially different from the old one.
7. Carry out a risk assessment for high impact uses
Where the arrangement involves profiling, large-scale sharing, sensitive data, children’s data or unexpected uses, a formal data protection impact assessment may be sensible and sometimes necessary. Even where not strictly required, a written risk assessment helps expose weak points before launch.
It can also help in commercial negotiations. If a buyer or partner cannot explain its security, retention or use case clearly, that tells you something important before you sign.
Common mistakes to avoid
Several patterns come up repeatedly in SMEs and startups:
- assuming a broad privacy notice gives unlimited rights to sell data later
- treating pseudonymised data as anonymous without proper testing
- buying a marketing list without checking how consent or notice was obtained
- ignoring direct marketing rules because the deal is framed as a data licence
- using a generic services agreement that does not address controller roles
- focusing on the price of the dataset and not on customer trust and complaints risk
- transferring data during an asset sale without reviewing post-sale use
- forgetting to brief product, sales and marketing teams on the actual limits of the deal
FAQs
Can my business sell its customer list in the UK?
Sometimes, but only if the disclosure is lawful, transparent and fair. You need to check what customers were told, the legal basis for the sharing, and whether any marketing consent rules apply.
Is anonymised data safe to sell?
Only if it is truly anonymous. If individuals can still be identified directly or indirectly, the data is likely still personal data and the usual data protection rules will still matter.
Do I always need consent to sell personal information?
No. Consent is not always required, but it is often relevant where the sharing is unexpected or linked to direct marketing. Some businesses look at legitimate interests instead, but that needs careful assessment and documentation.
What if I buy data from another company?
You should carry out due diligence before using it. Ask how the data was collected, what people were told, whether marketing permissions exist, and whether the seller can back that up with records and contractual warranties.
Can personal data be transferred as part of a business sale?
Often yes, but the transfer still needs to comply with data protection law. The buyer’s intended use, the deal structure and the privacy information given to customers all matter.
Key Takeaways
- Selling personal information in the UK is not automatically prohibited, but it must be lawful, fair and transparent.
- The key issues are whether the data is actually personal data, what people were told at collection, and what lawful basis supports the disclosure.
- Consent is not always required, but broad or hidden wording is usually not enough for unexpected third party data sales.
- Direct marketing rules can apply separately, especially where email or SMS use is involved.
- Business sales, lead generation, data partnerships and purchased lists are all common situations where this issue arises.
- A proper written contract should deal with controller roles, permitted uses, security, complaints, liability and deletion.
- Founders should review privacy notices, consent records and source data before they sign a contract or spend money on setup.