Signal / Other / 22 April 2026
ICO penalty: broker-collected consent does not protect the calling organisation
A UK compensation company was fined 90,000 pounds by the ICO in March 2025 for 95,277 automated marketing calls. The consent the company relied on had been collected by a third-party data supplier whose consent statement did not name the calling organisation. The 'we bought the list, the broker had consent' defence has now been formally rejected.
Sales teams that buy or rent UK contact data should treat this case as the operative ICO position on consent provenance.
The regulator's reasoning: PECR regulation 19 requires consent to be specific, informed, and freely given for the calling organisation. A broad consent statement collected by a data supplier does not transfer to a downstream caller unless that caller is named in the consent text the data subject saw at the point of collection.
Operationally, this kills the bulk-list-with-blanket-consent procurement model for any campaign involving automated or pre-recorded calls. The remaining lawful path is one of: (a) live human-dialled calls to non-TPS-registered numbers without pre-recorded content, (b) consent collected directly by the calling organisation, or (c) corporate subscribers under PECR's email exemption (with UK GDPR still applying to the named contact).
Source: ICO action, April 2025: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/04/compensation-company-fined-90-000-for-unlawful-marketing-calls/