Bought leads can be GDPR compliant, but only if the lead generation company collects proper consent and follows data protection rules throughout the process. GDPR compliance is not about whether leads are bought or generated in-house — it is about whether the consumer gave informed, specific consent to be contacted, and whether their data is handled lawfully.
What GDPR Requires for Lead Generation
The UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) set out clear requirements for collecting and processing personal data for marketing purposes. For lead generation, the key requirements are:
Lawful basis for processing. The most common lawful basis for lead generation is consent. The consumer must actively agree to their data being shared with a named company or category of companies for a specific purpose. Pre-ticked boxes, buried consent language, or vague catch-all permissions do not constitute valid consent under GDPR.
Specific and informed consent. The consumer must understand who will contact them and why. A form that says their details will be shared with a mortgage adviser is specific. A form that says their details will be shared with unspecified third parties is not.
Clear privacy notice. The consumer must have access to a privacy notice that explains how their data will be used, who it will be shared with, how long it will be kept, and how they can exercise their rights (including the right to withdraw consent or request deletion).
Records of consent. The lead generation company must maintain auditable records of consent — including what the consumer agreed to, when they agreed, and the exact wording of the consent language they were shown.
How to Check Your Provider Is Compliant
As the firm receiving and using the leads, you have a responsibility to ensure the data you are working with was collected lawfully. Here are the practical steps to verify compliance:
Ask to see the consent language. Request screenshots or examples of the forms consumers complete. The consent text should clearly state that the consumer's details will be shared with a named adviser, broker, or specific type of company for the purpose of discussing their enquiry.
Check ICO registration. Any company processing personal data in the UK should be registered with the Information Commissioner's Office. You can search the ICO register online to verify a provider's registration.
Request a data processing agreement. When you buy leads, you and the provider should have a data processing agreement in place that defines each party's responsibilities under GDPR. This is not optional — it is a legal requirement when personal data is shared between organisations.
Ask about consent records. A compliant provider should be able to produce an audit trail for any individual lead showing the timestamp of consent, the consent language shown, and the consumer's IP address. If a provider cannot produce this, their compliance is questionable.
Red Flags to Watch For
Certain practices suggest a lead provider may not be fully GDPR compliant:
Selling leads from old or purchased data lists without fresh consent. Consent must be current and specific — historical data collected for a different purpose cannot simply be repurposed for lead generation.
Using vague consent language that does not specify who will contact the consumer or why. Broad, non-specific consent does not meet GDPR standards.
Refusing to share their consent process, form language, or ICO registration details. A compliant provider has nothing to hide.
Selling leads with no clear provenance — if the provider cannot tell you where and when a lead was generated, the compliance status is unknown.
Your Responsibilities as the Lead Buyer
Buying leads does not absolve you of GDPR responsibility. Once you receive a consumer's personal data, you become a data controller for that data and must handle it in accordance with GDPR. This means storing it securely, using it only for the purpose the consumer consented to, responding to subject access requests, and deleting data when it is no longer needed.
If a consumer asks how you obtained their details, you should be able to explain that they submitted an enquiry through a specific form or website and consented to being contacted. If you cannot explain the provenance of the data, you are at risk.
At Lurvo Digital, all leads are generated with explicit, specific consent. We are registered with the ICO, maintain full consent audit trails, and provide data processing agreements to all clients. We can supply consent records for any individual lead on request.