
Generating Email Addresses from Public Data is Illegal

This is something that I've been meaning to write about for a while. A recent update from the ICO about a complaint I have submitted about this very subject, combined with a little downtime around the holidays, means that I've finally found time to write it all down.
In the second half of last year, I very suddenly started receiving a growing number of spam emails targeting a personal email address that I have hosted under one of my business domain names and had never used or shared. This sudden influx of uninvited spam was coming from reputable brands that you would recognise, such as Vitality and Expedia (amongst others).
These are brands that should know better than to send out unsolicited spam emails to non‑subscribers. I had no relationship with these companies and had never agreed to receive emails from them, and yet, here these emails were arriving ‑ uninvited ‑ in my inbox in their tens each day, taking time out of my day and interrupting my workflow.
How Was It Happening?
As you may know, I'm the director of two companies: PixelCounter Ltd. (which I began the process of striking off at the end of last year) and Kavanagh Digital. Both of these companies have websites, and both have a readily available business email address posted on them:
So, it would not be unreasonable to say that if a business legitimately wanted to reach my business in a B2B capacity, then there is a very easily accessible route to doing so by using the email address on the business website, which invites precisely that type of communication.
What I was receiving ‑ though ‑ was spam targeted much closer to me personally: sent to email addresses formatted with my name in them (john@domain.com, and john.kavanagh@domain.com for example). These are private email addresses: never shared nor published online and never used for public or business purposes. There was no legitimate way that these companies could possibly have these email addresses, never mind the fact that ‑ even then ‑ they don't have permission to use them for marketing anyway.
The Role of B2B Data
Many lead generation companies create and sell what they label as "valid" and "compliant" business data, including email addresses. They generate this data by scraping publicly available information ‑ reportedly from Companies House, amongst others ‑ to obtain company officer names and then attempt to combine those with guessed email address patterns (e.g., john.smith@company.com, or johnsmith@company.com, or jsmith@company.com, or john@company.com). They will call this process things like 'proprietary lead generation', because it sounds better than 'made it up by matching patterns and hoping for the best'. In reality, it is nothing more than sheer dumb luck that they are able to generate and find these valid email addresses at all.
This practice is not just intrusive; it is illegal under GDPR and the Privacy and Electronic Communications Regulations (PECR) and is neither 'valid' nor 'compliant'. These email addresses are not sourced from public records; they are generated using a combination of public data and pure speculation. Passing these on to third parties (or using them on behalf of those third parties) constitutes unauthorised disclosure of personal data, as the generated email addresses include personal data (a person's name) that was never intended to be used for unsolicited marketing and was not shared for this purpose.
The companies argue that using public data means there is no breach. However, the generation of email addresses by combining names with domain patterns to create speculative personal data goes beyond the lawful use of public data. It is neither a legitimate nor authorised use of personal information, even if parts of the data originate from public sources like Companies House or LinkedIn.
Furthermore, under GDPR, organisations cannot justify their actions simply by referencing the public nature of the original data source. The ICO has been clear that personal data remains protected under GDPR even when derived or combined with public information, particularly if the processing leads to unsolicited marketing, as this breaches an individual's reasonable expectation of privacy.
These speculative, generated email addresses are not verified, and there's no certainty that they belong to business accounts rather than personal ones. In the case of Growthonics (apparently now Quantanite), Seed Data Solutions, InFynd, Acquirz, Red Flag Alert, and Go Data (also trading as Go Live Data), who were responsible for more than forty spam emails a day arriving in my unverified, unconsenting, private email inbox, they "generated" my valid ‑ but personal ‑ email address and sold it on to third parties without my consent. This constitutes unauthorised access and disclosure of personal data, as the information was neither directly taken from me nor provided with my permission.
Companies that buy and use this data for marketing purposes, trusting the promises that these data generation companies make, often unknowingly violate GDPR and PECR, exposing themselves to legal penalties. The responsibility for ensuring compliance lies not just with the data vendors but also with the businesses using this information.
In the cases of the companies I named above, they have all received fines or are in the process of being investigated for exactly this practice.
Why an Email Address with a Name is Personal Data
Under UK GDPR, personal data is defined as:
“Any information relating to an identified or identifiable natural person.”
An email address that includes a person's name (e.g., john.kavanagh@businessname.com or even just john@businessname.com) clearly identifies an individual. This is covered under Article 4(1), UK GDPR: Definitions of Personal Data, which gives the definition quoted above.
Even in a business context, this is still personal data and needs to be handled as such:
- It relates directly to a natural person, not the business entity.
- It can be used to contact or infer information about that person.
This is true even if the email address is generated from public data, regardless of whether it is subsequently verified.
The ICO Guidance on Personal Data covers this in great detail, including a specific section dedicated to the classification of email addresses that include personal names ‑ even in a business setting.
Why 'Legitimate Interest' Does Not Apply
Whilst attempting to track down the sources of this spam, one thing I was constantly told was that using this personal email address was allowed because they claimed legitimate interest as a lawful basis for processing data. However, legitimate interest has strict requirements:
- Purpose Test: The purpose must be lawful, specific, and justified.
- Necessity Test: The processing must be necessary to achieve the purpose (e.g., no less intrusive alternative exists).
- Balancing Test: The individual's rights and freedoms must not be overridden by the organisation's interest.
Why It Fails in This Context
- Unverified Data: Generating email addresses based on guesses is speculative and not "necessary" for any purpose.
- Privacy Expectation: An individual with a private, unpublished email address would not reasonably expect to be contacted in this way.
- Risk of Misuse: Generated addresses might be incorrect or personal, leading to violations of GDPR and PECR.
The crux of this matter is that sending unsolicited emails to made‑up, personal email addresses without explicit consent or a robust justification breaches both GDPR and PECR.
Why Generic Email Addresses are Different
It's worth briefly discussing 'generic' email addresses here because they aren't the same. Generic email addresses like mail@businessname.com or info@businessname.com aren't tied to a specific individual and therefore are not personal data. These addresses are associated with the business entity rather than any natural person. This means:
- They do not fall under GDPR's personal data rules.
- Marketing communications to these addresses are generally governed by PECR alone, which permits B2B emails to such generic addresses without prior consent.
However, even when targeting generic addresses, companies must:
- Avoid misleading practices (e.g., pretending to have an existing relationship).
- Provide clear opt‑out mechanisms in all communications.
When a Generic Email Address is Still Personal Data
There is ‑ however ‑ an exception to this and one which it is virtually impossible for these automatic email generators to catch.
Under GDPR, the entire address must be considered when it comes to personally identifiable information. So ‑ for example ‑ my email address is mail@johnkavanagh.co.uk. This contains my name, which can be used to directly identify me as an individual.
So, even though it starts with 'mail', which would make it a generic email address, it's still personal data and cannot be processed without explicit consent.
This means that in order to attempt to use a generated email address in your B2B marketing, you have to manually check and verify every single one of them individually before emailing them. Otherwise, you are likely to find yourself processing personal data in an unlawful way.
One very abrasive data company I spoke to about this spent months arguing this point (having sold my email address to countless other companies). They eventually lost that argument.
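To make the rule from this section concrete, here is a small checker, added here as an illustration and not code from the original post or from any of the data companies it names. It classifies a candidate address the way the section argues it must be done: the whole address is considered, so a role-based local part such as mail@ does not make an address generic if the domain itself carries a person's name. The officer names and the addresses used to exercise it are constructed sample data, and the list of generic local parts and the guessed-name patterns are assumptions drawn from the patterns this post describes, not from any vendor's actual logic.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample data standing in for officer names taken from a public
# register. These are not real Companies House records.
OFFICER_NAMES = ["John Kavanagh", "Jane Smith"]

# Local parts that, by convention, address a role or the business rather than
# a named person. Assumed list; extend to suit your own data.
GENERIC_LOCAL_PARTS = {
    "info", "mail", "hello", "contact", "enquiries", "sales",
    "admin", "office", "support", "accounts", "press",
}


def _tokens(full_name: str) -> list[str]:
    """Lower-case alphabetic tokens of a name ("John Kavanagh" -> ["john", "kavanagh"])."""
    return re.findall(r"[a-z]+", full_name.lower())


def name_variants(full_name: str) -> set[str]:
    """Local-part patterns the post says lead-gen vendors guess from an officer's
    name: john.kavanagh, johnkavanagh, jkavanagh, john, and similar forms."""
    parts = _tokens(full_name)
    if len(parts) < 2:
        return set(parts)
    first, last = parts[0], parts[-1]
    return {
        first, last,
        f"{first}.{last}", f"{first}{last}", f"{first}_{last}", f"{first}-{last}",
        f"{first[0]}{last}", f"{first[0]}.{last}", f"{last}{first[0]}", f"{last}.{first}",
    }


def domain_name_forms(full_name: str) -> set[str]:
    """Forms in which a full name appears as a domain label, e.g. the
    'johnkavanagh' in johnkavanagh.co.uk."""
    parts = _tokens(full_name)
    if len(parts) < 2:
        return set()
    first, last = parts[0], parts[-1]
    return {f"{first}{last}", f"{first}-{last}", f"{last}{first}", f"{first[0]}{last}"}


@dataclass
class Verdict:
    address: str
    kind: str                      # "personal", "generic" or "unverified"
    reason: str
    matched_name: Optional[str] = None

    @property
    def personal_data(self) -> bool:
        # Anything not positively identified as generic must be handled as
        # personal data until a human has verified it.
        return self.kind != "generic"


def classify(address: str, officer_names: Iterable[str]) -> Verdict:
    """Decide whether an address must be treated as personal data, considering
    both the local part and the domain."""
    addr = address.strip().lower()
    if addr.count("@") != 1 or not re.fullmatch(r"[a-z0-9._+-]+@[a-z0-9.-]+\.[a-z]{2,}", addr):
        raise ValueError(f"not a plausible email address: {address!r}")
    local, domain = addr.split("@")
    labels = domain.split(".")
    names = list(officer_names)

    # 1. Local part matches a guessed pattern for a known officer (john.kavanagh@, john@ ...).
    for name in names:
        if local in name_variants(name):
            return Verdict(address, "personal", "local part matches a name pattern", name)

    # 2. The domain itself names the person, so even mail@ or info@ is personal data.
    for name in names:
        if any(label in domain_name_forms(name) for label in labels):
            return Verdict(address, "personal", "domain contains the officer's name", name)

    # 3. Role-based local part with no name anywhere in the address.
    if local in GENERIC_LOCAL_PARTS:
        return Verdict(address, "generic", "role-based local part, no name in the address")

    # 4. Unknown shape: cannot be shown to be generic, so treat as personal until verified.
    return Verdict(address, "unverified", "no match against known officers; verify manually")


def audit(addresses: Iterable[str], officer_names: Iterable[str]) -> list[Verdict]:
    """Classify a batch of addresses; the caller decides what to do with each verdict."""
    return [classify(a, officer_names) for a in addresses]


if __name__ == "__main__":
    # Constructed sample addresses, not real recipients.
    sample = [
        "john.kavanagh@example-business.co.uk",
        "jkavanagh@example-business.co.uk",
        "info@example-business.co.uk",
        "mail@johnkavanagh.co.uk",
        "dev7@example-business.co.uk",
    ]
    for v in audit(sample, OFFICER_NAMES):
        print(f"{v.address:40} {v.kind:10} personal_data={v.personal_data}  ({v.reason})")
```

The ordering of the checks is the point: the domain test runs before the generic-local-part test, which is exactly the case an automatic generator misses, and an address that matches nothing is reported as "unverified" rather than "generic", because the section's argument is that an unverified address has to be handled as personal data.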
The Role of Companies House Data in This Practice
The Companies House register is a public database containing information about companies and their officers (e.g., directors), published as required by law. It is important to note that Companies House does not store companies' email addresses, nor their domain names.
Whilst it is perfectly legal to access this data, misusing it ‑ such as using it to generate speculative email addresses ‑ is a breach of GDPR if:
- The data is used to target individuals without consent (and every company officer is an individual).
- The individual's reasonable expectation of privacy is disregarded.
Using Companies House data for legitimate business correspondence is permissible, but creating personal email addresses from this data crosses the line into illegality.
Misuse of Public Data and Terms of Use Violations
This practice is illegal under GDPR and PECR and also violates the terms of use of the public data sources involved. For instance, Companies House explicitly prohibits the use of its data for unsolicited marketing or speculative purposes. The information it provides is intended to ensure business transparency and accountability, not to facilitate invasive email generation practices or generate profits for these lead generation companies.
Similarly, LinkedIn prohibits scraping or harvesting user data under its terms of service. LinkedIn is a professional networking platform designed to connect individuals for career and business opportunities, not to enable speculative contact list creation. Misusing its data violates these agreements and can result in severe consequences.
LinkedIn has actively enforced its policies against unauthorized data scraping, most notably in the hiQ Labs case. In this legal battle, LinkedIn sued hiQ Labs for scraping data from public LinkedIn profiles to use in its own analytics products. The court case highlighted important issues regarding user privacy, data ownership, and contractual obligations under LinkedIn's terms of service.
Although the courts initially ruled that scraping public data did not violate the Computer Fraud and Abuse Act (CFAA), the case underscored LinkedIn's commitment to protecting user data and enforcing its terms of service. It also signalled to companies that even data accessible publicly is not free from contractual and legal restrictions when terms of service are violated.
These platforms make it clear that while their data may be accessible for legitimate purposes, using it to generate personal email addresses for unsolicited marketing crosses ethical, legal, and contractual boundaries. Companies engaging in such practices risk not only violating privacy laws but also facing significant legal repercussions or being barred from accessing these valuable data sources altogether.
Why This Practice is Illegal
The act of generating speculative email addresses by combining publicly available officer names (e.g., from Companies House) with domain names to create contact information for unsolicited marketing is illegal under both the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) due to the lack of consent and misuse of personal data.
GDPR Violations
Under the UK GDPR, email addresses that include a person's name (e.g., john.smith@business.com) are considered personal data because they identify a specific individual. Generating and using this type of speculative email address violates GDPR in several ways:
No Lawful Basis for Processing:
Processing personal data requires a lawful basis. Guessing email addresses does not meet GDPR's requirements for legitimate interests, because there is no verification that the email address is business‑related or valid.
The lack of explicit consent further invalidates this practice.
Breach of Transparency and Fairness:
The GDPR mandates that individuals must be informed about how their data is collected and used. Generating speculative email addresses inherently lacks transparency.
PECR Violations
PECR governs electronic communications, which includes marketing emails. Sending unsolicited marketing emails to a generated personal email address breaches PECR because:
Unsolicited Marketing to Individuals:
PECR prohibits sending marketing emails to individuals without their prior consent.
Even if the email address appears business‑related, the presence of a name (e.g., john@domain.com) identifies an individual, making consent a legal requirement.
Applicability to Sole Traders and Partnerships:
Under PECR, stricter rules apply to sole traders and partnerships because they are still treated as individual subscribers. Marketing emails to these entities requires explicit prior consent, unless the "soft opt‑in" rule applies (i.e., an existing customer relationship exists and the marketing is related to similar goods or services).
This includes business‑like email addresses tied to sole traders, such as contact@johnkavanagh.co.uk or john@domain.com as they are directly linked to an individual.
Example Cases
Leave.EU and Eldon Insurance (2019)
The ICO fined Leave.EU and Eldon Insurance £120,000 for sending unsolicited marketing emails without the recipient's consent. The companies argued that their actions were legitimate business practices but failed to demonstrate compliance with PECR.
CRDNN Limited (2020)
The ICO fined CRDNN Limited £500,000 for making 193 million unsolicited automated marketing calls using unlawfully obtained data. The case highlighted the importance of verifying data sources and obtaining explicit consent.
Lead Generation Companies (2021)
In a broader investigation, the ICO fined multiple lead generation companies for creating and selling speculative personal data, including email addresses. These companies violated GDPR by failing to establish a lawful basis for processing.
Protecting Yourself from This Misuse
Unless you want to spend your days sifting through reams of emails offering services you just don't need, it is important to take action if you suspect that your data has been misused.
The first step should always be to reply to the sender and ask them where they got your email address from. In my experience, there are only a handful of 'data' companies providing these email addresses to hundreds or thousands of clients.
Then, you can:
- Report to the ICO: File a complaint about the misuse of your personal data.
- Mark Emails as Spam: Block or report emails from the offending companies.
- Contact the Company: Request that they delete your data under GDPR's right to erasure.
Wrapping up
No matter what a company tells you when challenged about where it got your personal email address, using Companies House or other sources of public data to generate personal email addresses for marketing purposes is not just intrusive; it's illegal.
The GDPR protects individuals from precisely this type of speculative and unverified practice, whilst PECR ensures strict rules around unsolicited emails. Although businesses may claim legitimate interest, the absence of consent, and of any reasonable expectation on the recipient's part of being contacted, renders this practice non‑compliant. They will claim otherwise all the same.
As recipients, we have the right to push back, report violations, and demand better adherence to privacy laws.
Key Takeaways
- An email address that contains a person's name is personal data under GDPR.
- Legitimate interest does not justify speculative email generation.
- Generic addresses (e.g., info@...) are exempt but still governed by PECR.
- Misusing public data, like Companies House information, is a breach of GDPR and is an explicit breach of Companies House terms and conditions, too.
If you are in any doubt about the source of the email addresses you are using in your marketing campaign, please just don't send the email at all.