penby.

GDPR-compliant lead generation: a practical framework

Lead generation is where data protection compliance fails most often. This practical framework covers the legal basis question, PECR requirements, compliant form design, third-party data risks, and platform-specific rules for Meta, LinkedIn, and Google.

Ola Degteva, MIDM
19 February 2026 14 min read

In January 2026, the ICO fined two companies a combined £225,000 for sending millions of unsolicited marketing messages. One had sent 67.8 million emails using third-party data where people were never given a clear choice about receiving marketing. The other had sent over 4 million SMS messages disguised as service updates.

Both cases involved lead generation. Both involved failures that most marketing teams would not recognise as problems until the enforcement notice arrives.

Lead generation is where GDPR compliance fails most often in practice. Not because the rules are impossibly complex, but because they sit across two overlapping regimes – UK GDPR and the Privacy and Electronic Communications Regulations (PECR) – and most marketing teams only know about one of them. The result is landing pages with pre-ticked consent boxes, lead magnets that bundle marketing opt-ins with content access, bought email lists with no due diligence, and social media lead forms that collect data without adequate transparency.

This guide provides a practical framework for getting it right. It covers the legal basis question, the PECR rules that trip most teams up, what a compliant lead form actually looks like, the minefield of third-party data, and the platform-specific considerations for Meta, LinkedIn, and Google.

A note on timing: several ICO guidance documents referenced in this article are under review following the Data (Use and Access) Act 2025. The principles are settled, but specific guidance pages may be updated during 2026. We will update this article as new guidance is published.

The legal basis question: consent or legitimate interest?

Every lead generation campaign needs a lawful basis under UK GDPR Article 6(1). For most campaigns, the choice is between consent and legitimate interest. The decision is simpler than it appears, because for electronic marketing – email, SMS, social media messages – PECR determines the answer before GDPR enters the picture.

Here is the rule that catches most marketing teams out: if PECR requires consent for the communication channel, you cannot use legitimate interest under GDPR instead. The ICO is explicit: "If e-privacy laws require consent, then processing personal data for electronic direct marketing purposes is unlawful under the UK GDPR without consent. If you have not got the necessary consent, you cannot rely on legitimate interests instead."

This means the lawful basis depends on who you are contacting, through which channel, and what relationship you have with them.

Email or SMS to a new individual contact (no existing relationship): PECR requires consent. Your GDPR basis is consent.

Email or SMS to an existing customer (soft opt-in conditions met): PECR permits the soft opt-in. Your GDPR basis is legitimate interest.

Email to a corporate subscriber (limited company, LLP, Scottish partnership): PECR does not require consent for corporate subscribers. Your GDPR basis is legitimate interest. But UK GDPR still applies to any personal data involved – the individual at that company retains the right to object.

Postal marketing: Not covered by PECR electronic mail rules. Legitimate interest with a documented Legitimate Interest Assessment (LIA).

Live telephone calls: Permitted without consent, provided the number is not on the TPS or CTPS and the person has not previously objected. Legitimate interest is the appropriate GDPR basis.

Automated telephone calls: Always require prior explicit consent.

The Data (Use and Access) Act 2025, which received Royal Assent in June 2025, with its key provisions coming into force in February 2026, has confirmed direct marketing as a statutory example of a legitimate interest. But this does not change the PECR consent requirement for electronic communications. The core rules for commercial electronic marketing remain unchanged.

Legitimate interest is not a shortcut

When legitimate interest does apply, it requires documentation. A Legitimate Interest Assessment involves three steps: establishing that the interest is lawful and real (the purpose test), demonstrating that the processing is necessary and proportionate (the necessity test), and balancing the firm's interest against the individual's rights and expectations (the balancing test).

The ICO provides a downloadable LIA template. It must be completed before processing begins – retrospective assessments are not compliant. And it must be kept under regular review, particularly when the nature of the marketing or the audience changes.

The right to object to direct marketing is absolute under UK GDPR Article 21(2). If a lead objects, processing must stop immediately. No "compelling legitimate interests" override this.

PECR in practice: the soft opt-in and the corporate subscriber exception

Two PECR provisions shape most B2B and B2C lead generation strategies: the soft opt-in and the corporate subscriber exception.

The soft opt-in

The soft opt-in allows you to send marketing emails or texts to individuals without fresh consent, provided all of the following conditions are met. The contact details were obtained directly from the individual, in the course of a sale or negotiations for a sale. You are marketing your own similar products or services. You gave the individual a clear opportunity to opt out when you first collected their details. And you include an opt-out in every subsequent message.

The critical phrase is "negotiations for a sale." The ICO states that the customer does not need to have bought anything – requesting a quote or actively expressing interest in purchasing a service is sufficient. But downloading a free guide or attending a general webinar is almost certainly not. The ICO is clear: the soft opt-in does not apply to details collected where there is no sale or negotiation for a sale.

This matters for professional services firms that use lead magnets. If someone downloads your guide to pension transfer compliance, that alone does not create a "negotiation for a sale." You cannot rely on the soft opt-in to add them to your email marketing list. You need separate, explicit consent for marketing communications.

"Similar products and services" is also interpreted narrowly. If someone enquired about your data protection consultancy, marketing them your unrelated recruitment service would fall outside "similar." The test is whether the person would reasonably expect to be contacted about the product or service in question.

The corporate subscriber exception

For genuine corporate subscribers – limited companies, PLCs, LLPs, Scottish partnerships, government bodies – PECR does not require consent for electronic marketing emails. This is the basis of much B2B lead generation.

The trap is misclassification. Sole traders and partnerships in England, Wales, and Northern Ireland are treated as individual subscribers under PECR. They need consent or the soft opt-in, just like any private individual. Many marketing teams assume that anyone with a business name is a corporate subscriber. They are wrong, and the fines for getting this wrong have increased dramatically.
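To make the channel and subscriber rules above concrete (the lawful basis table, the four soft opt-in conditions, and the corporate subscriber classification), here is an added example that encodes them as a single decision function. It is not code from the article or the ICO; the legal-form labels, field names and return codes are assumptions chosen for the example, and an unknown legal form is deliberately treated as an individual subscriber so the stricter rule applies until the classification is verified.

```python
"""Decision helper for the channel / subscriber rules in this article.

Added example, not code from the article or the ICO. Legal-form labels,
field names and return codes are this example's own conventions.
"""
from dataclasses import dataclass

# Corporate subscribers under PECR; everything else is treated as an individual
# subscriber, including sole traders and partnerships in England, Wales and NI.
CORPORATE_FORMS = {"ltd", "plc", "llp", "scottish_partnership", "government_body"}


def classify_subscriber(legal_form: str) -> str:
    """'corporate' or 'individual'. Unknown forms get the stricter 'individual'."""
    return "corporate" if legal_form in CORPORATE_FORMS else "individual"


@dataclass
class Contact:
    legal_form: str
    channel: str                 # email | sms | post | live_call | automated_call
    has_consent: bool = False    # PECR-compliant consent held for this channel
    on_tps: bool = False         # number listed on the TPS/CTPS
    objected: bool = False       # has objected to direct marketing (Art. 21(2))
    # The four soft opt-in conditions; all must hold.
    obtained_in_sale_or_negotiation: bool = False
    similar_products: bool = False
    opt_out_offered_at_collection: bool = False
    opt_out_in_every_message: bool = False


def soft_opt_in_applies(c: Contact) -> bool:
    return all((c.obtained_in_sale_or_negotiation, c.similar_products,
                c.opt_out_offered_at_collection, c.opt_out_in_every_message))


def lawful_basis(c: Contact) -> str:
    """Return the GDPR basis to document, or 'blocked:<reason>' if you cannot send."""
    if c.objected:  # the right to object is absolute; nothing overrides it
        return "blocked:objection"
    if c.channel == "automated_call":
        return "consent" if c.has_consent else "blocked:pecr_consent_required"
    if c.channel == "live_call":
        return "blocked:tps_listed" if c.on_tps else "legitimate_interest"
    if c.channel == "post":
        return "legitimate_interest"  # still needs a documented LIA
    if c.channel in ("email", "sms"):
        # The article scopes the corporate exception to email; SMS falls through
        # to the stricter individual-subscriber route.
        if c.channel == "email" and classify_subscriber(c.legal_form) == "corporate":
            return "legitimate_interest"
        if soft_opt_in_applies(c):
            return "legitimate_interest"
        return "consent" if c.has_consent else "blocked:pecr_consent_required"
    raise ValueError(f"unknown channel {c.channel!r}")
```

A "legitimate_interest" result is a basis to document in an LIA, not permission to skip one.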

The new enforcement reality

Under the DUAA 2025, PECR fines have been brought in line with UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is higher. The previous maximum was £500,000. Historical fine levels are not a reliable guide to future risk.

The ICO has also gained the power to fine "instigators" of PECR violations directly – meaning lead generators and data brokers, not just the firms that send the messages.

Lead forms and landing pages: what compliance actually looks like

The lead capture form is the most common point of failure. Getting the form right is both a compliance obligation and, as the data suggests, a conversion advantage.

Privacy notices

The ICO endorses a layered approach. The first layer – visible on the form itself – should state who you are, what you will do with the data, and link to your full privacy notice. The second layer – the linked notice – must include the complete Article 13 information: lawful basis, retention period, data subject rights, right to complain to the ICO, and details of any international transfers.

The ICO's advice is worth quoting: "If you find it difficult to explain what you want to do, or you don't want to tell people because you think they might object, this is a sign that you should rethink your intended marketing activity."

Consent mechanisms

A compliant consent checkbox must be unticked by default. It must use clear, plain language specifying the type of marketing and who will send it. It must be separate from the form submission action – clicking "Download" or "Submit" does not constitute consent to marketing. And it must be separate from other consents: "contact me about my enquiry" is a different purpose from "send me marketing emails."

The HelloFresh enforcement action in January 2024 (£140,000 fine) confirmed what should have been obvious: bundling marketing consent with an age confirmation statement is not specific, not freely given, and not compliant.

Data minimisation

UK GDPR Article 5(1)(c) requires that data collected be adequate, relevant, and limited to what is necessary. For a lead capture form, name and email are usually defensible. Phone number requires a justification – if you never call leads, you should not collect their number. Job title and company name may be necessary for B2B qualification, but fields like company revenue or annual turnover are harder to justify at the first point of contact.

There is a performance alignment here that marketers should note: industry data consistently shows that each additional required field beyond email reduces form completions by 10–25%. Data minimisation and conversion optimisation point in the same direction. Collect less at the first touch. Use progressive profiling to gather additional information as the relationship develops.

Retention

The ICO does not prescribe specific retention periods for marketing data. But data must not be kept indefinitely "just in case." You need a documented retention policy, communicated at the point of collection, with regular reviews. Industry practice for unconverted leads is typically 6–12 months with periodic review.

For third-party consent specifically, the ICO's guidance suggests consent should generally not be relied upon if more than six months old, unless people would reasonably expect marketing at a later date.

Third-party lead generation: the compliance minefield

Buying leads from data brokers or aggregators is the highest-risk activity in lead generation. The ICO's position is unambiguous: "It is not enough to simply accept a third party's assurances that the information they are supplying to you is compliant."

The consent specificity problem

For purchased lead data to be used for electronic marketing, the consent must specifically name the organisation that will send the communication. Generic formulations – "we may share your data with carefully selected third parties," "our partners," or long lists of general categories – are not valid consent.

The ZMLUK enforcement action in January 2026 illustrates this precisely. The company sent 67.8 million marketing emails using data from a third-party website that listed 361 "partner" companies with no mechanism for individuals to choose which partners could contact them. The ICO found the consent was not valid. Fine: £105,000.

In another case from 2024, LADH Limited was fined £50,000 for relying on "verbal assurance" from a third-party data supplier that consent had been obtained. The ICO was blunt: "Relying on third party claims of consent, without undertaking checks, leaves organisations open to enforcement action."

Due diligence obligations

When purchasing lead data, the ICO expects you to verify: who compiled the data, where it was obtained, what privacy information was given at collection, when consent was obtained, what the consent covers, whether your organisation was named, and what evidence of suppression list checking exists. A reputable supplier should be able to demonstrate all of this. If they cannot, do not use the data.

Beyond the regulatory risk, the practical reality is that major email marketing platforms – Mailchimp, Campaign Monitor, and others – prohibit purchased lists under their terms of use. A purchased list with no verifiable consent chain is not just a compliance risk. It is functionally unusable.
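The due diligence questions above, together with the six-month consent age rule and the requirement that consent name your organisation, can be turned into a screening step that runs over a purchased batch before any record reaches the email platform. The following is an added example, not code from the article or the ICO: the field names, the generic-wording phrase list (a heuristic, not a legal test), the organisation name and the sample lead records are all constructed for the example.

```python
"""Due-diligence screen for purchased lead records.

Added example, not code from the article or the ICO. Field names, the
generic-wording phrase list and the sample leads are this example's own;
the six-month age rule and the named-sender rule follow the article.
"""
import calendar
from dataclasses import dataclass
from datetime import date

OUR_ORG = "Example Advisers Ltd"   # constructed placeholder organisation
TODAY = date(2026, 2, 19)          # fixed "today" so the example is reproducible
GENERIC_PHRASES = ("carefully selected third parties", "our partners", "selected partners")


@dataclass
class PurchasedLead:
    email: str
    source_site: str           # where the supplier says the data was collected
    collected_on: date         # when consent was obtained
    consent_wording: str       # privacy information shown at collection
    named_senders: tuple       # organisations explicitly named in the consent
    suppression_checked: bool  # supplier evidence of suppression list screening


def six_months_before(today: date) -> date:
    """Same calendar day six months earlier, clamped to that month's length."""
    month = (today.month - 7) % 12 + 1
    year = today.year - (1 if today.month <= 6 else 0)
    return date(year, month, min(today.day, calendar.monthrange(year, month)[1]))


def consent_problems(lead, our_org, today, suppression_list=frozenset()):
    """Reasons this lead must not be emailed; an empty list means it passed."""
    problems = []
    if our_org not in lead.named_senders:
        problems.append("consent does not name our organisation")
    if any(p in lead.consent_wording.lower() for p in GENERIC_PHRASES):
        problems.append("consent uses generic third-party wording")
    if lead.collected_on < six_months_before(today):
        problems.append("consent older than six months")
    if not lead.suppression_checked:
        problems.append("no evidence of suppression list screening")
    if lead.email.lower() in suppression_list:
        problems.append("email is on our own suppression list")
    if not lead.source_site:
        problems.append("collection source unknown")
    return problems


def usable_leads(leads, our_org, today, suppression_list=frozenset()):
    """Split a batch into (usable, rejected); rejected pairs each lead with its reasons."""
    usable, rejected = [], []
    for lead in leads:
        problems = consent_problems(lead, our_org, today, suppression_list)
        if problems:
            rejected.append((lead, problems))
        else:
            usable.append(lead)
    return usable, rejected


# Constructed sample records: one that passes every check, one that fails most of them
GOOD_LEAD = PurchasedLead("a.person@example.com", "quotes.example.net", date(2025, 12, 1),
                          "I agree to receive marketing emails from Example Advisers Ltd",
                          (OUR_ORG,), True)
BAD_LEAD = PurchasedLead("b.person@example.org", "", date(2025, 7, 15),
                         "We may share your data with carefully selected third parties",
                         (), False)
```

The rejected list is the evidence to send back to the supplier; keep it with the batch as part of your audit trail.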

Controller relationships

When a lead broker sells data to your firm, both parties are typically independent controllers. This is a data sharing arrangement, not a controller-processor relationship, so Article 28 Data Processing Agreements are not the right instrument. The focus should be on ensuring lawful basis, transparency, and Article 14 compliance (informing the data subject of the source within one month or at first communication).

Where a lead generation company operates under your instructions – running campaigns on your behalf, collecting data to your specification – they may be a processor, requiring an Article 28 DPA. If they make independent decisions about how data is collected and used, the relationship is likely joint controllership under Article 26, with joint and several liability.

Social media lead generation: platform-specific compliance

Meta, LinkedIn, and Google all offer lead generation products that collect data within their platforms. In every case, the advertiser – not the platform – bears primary responsibility for GDPR compliance when using that data.

Meta Lead Ads

Meta updated its Lead Ads terms in October 2025 to make the advertiser's obligations explicit. The advertiser is the data controller. Data collected through a lead form can only be used for the specific purpose declared in the campaign. Repurposing data for newsletters or other marketing requires fresh, separate consent.

Submitting a Meta Lead Ad form does not constitute valid consent for ongoing marketing. If you intend to add leads to an email marketing list, you need a separate compliant consent mechanism within the form. Meta's custom disclaimer feature allows additional consent checkboxes – use it.

Meta now also requires users to manually confirm or re-enter their contact details before submission, reducing accidental auto-fill submissions and improving data quality alongside consent validity.

LinkedIn Lead Gen Forms

LinkedIn Lead Gen Forms are pre-populated with profile data – name, email, job title, company. LinkedIn acts as a processor when advertisers manage the data via its advertising tools. Since April 2020, the default consent checkbox has been removed; advertisers must manually add custom checkboxes, each with a maximum of 500 characters. A privacy policy URL is mandatory.

LinkedIn automatically deletes lead data after 365 days. Members can revoke their submission at any point within that period.

The broader context matters: LinkedIn was fined €310 million by the Irish DPC in October 2024 for unlawful processing of member data for behavioural analysis and targeted advertising. While not specifically about Lead Gen Forms, the ruling rejected consent, legitimate interests, and contractual necessity as lawful bases for LinkedIn's advertising data processing.

Google Ads lead form assets

Google Ads lead forms require a privacy policy URL and advertiser verification. The data handling model differs from Meta and LinkedIn: Google operates under controller-to-controller data protection terms, meaning both Google and the advertiser are independent controllers rather than in a processor relationship.

Lead data is available for download for 30 days (or 60 days via API). After this, it is no longer accessible through Google Ads.

The common thread

If your lead generation campaigns use Google Ads or GA4, Consent Mode V2 configuration is also relevant – our implementation guide covers this separately.

Across all platforms: default settings may not be GDPR-compliant. Purpose limitation applies – data collected for one purpose cannot be repurposed without separate consent. PECR consent is required for subsequent UK marketing emails regardless of how the lead was captured. And cross-platform consent records are a practical challenge that most firms underestimate. If leads arrive from Meta, LinkedIn, Google, and your own website, consent management needs to be centralised in your CRM with a full audit trail.

A compliance checklist for lead generation campaigns

Before launching any lead generation campaign, work through this checklist.

Legal basis. Have you identified the lawful basis under UK GDPR for each processing activity? If you are sending electronic marketing to individual subscribers, have you obtained PECR-compliant consent or confirmed that the soft opt-in applies? If relying on legitimate interest, have you completed and documented a Legitimate Interest Assessment?

Consent mechanisms. Are consent checkboxes unticked by default? Is marketing consent separate from form submission and from other consents? Does the consent language clearly state who will send what, through which channels?

Privacy notices. Is a first-layer privacy notice visible on the form? Does it link to a full Article 13 notice? Is the language clear and plain?

Data minimisation. Is every field on the form justified as necessary for the stated purpose? Are you collecting the minimum data needed at this stage of the relationship?

Retention. Do you have a documented retention policy for leads? Is the retention period communicated at the point of collection? Do you have a process for reviewing and deleting or anonymising unconverted leads?

Third-party data. If using purchased or third-party data, have you conducted due diligence on the source? Can the supplier demonstrate valid, specific consent that names your organisation? Have you screened the data against your suppression list and the TPS/CTPS?

Platform compliance. If using Meta, LinkedIn, or Google lead forms, have you configured consent mechanisms beyond the platform defaults? Is your privacy policy linked and accessible within the form? Are you tracking consent centrally?

Audit trail. Can you demonstrate, for each lead, who consented, when, how, and what they were told? Are consent records maintained for as long as you process the data?

DPIA screening. Does the campaign involve profiling, large-scale data collection, or new tracking technology? If so, a Data Protection Impact Assessment may be required under GDPR Article 35. Our practical DPIA template for marketing campaigns covers this in detail.

Opt-out. Is withdrawal of consent as easy as giving it? Do all marketing communications include a clear, free-of-charge opt-out? Do you have a preference centre for ongoing consent management?

Compliance builds performance

Most marketing teams assume that GDPR compliance and marketing performance are in tension – that compliant forms convert less, compliant lists are smaller, and compliant campaigns underperform. The data tells a more nuanced story.

Compliant lead capture does reduce initial volume. Explicit, unticked opt-in consent produces lower initial sign-up rates than pre-ticked or assumed consent models – one widely cited industry estimate puts the reduction at 15–20%. But the leads that do come through are higher quality: they have made a deliberate choice to engage. They are more likely to open emails, click through, and ultimately convert. Double opt-in, for instance, typically reduces initial signups but improves engagement quality – confirmation rates run between 65% and 85%, and the resulting list performs measurably better.

For professional services firms – where a single converted client may represent tens of thousands of pounds in lifetime value – lead quality matters more than lead volume. The cost of acquiring a compliant, high-intent lead is higher per unit. The cost of acquiring a client is often lower, because fewer leads are wasted.

Ola has reduced cost-per-lead by 88% for a client while maintaining full GDPR compliance – a case we examine in detail in a separate article. The compliance improvements did not come at the expense of performance. They were part of what drove it: better data quality, more precise targeting, less waste.

The firms that treat compliance as an obstacle build fragile campaigns on questionable data. The firms that build it into the architecture from the start build campaigns that perform better and never generate an ICO enforcement notice.


Ola Degteva, MIDM

Ola brings deep expertise in EU data protection regulation and privacy programme management. She specialises in helping regulated industries navigate the compliance landscape without sacrificing marketing effectiveness.