Generating Email Addresses from Public Data is Illegal

In Brief
Generating personal email addresses from public data is not the same as using public contact information. When a name is combined with a company domain to guess at an email address, that address becomes personal data under UK GDPR. Using it for unsolicited marketing risks breaching GDPR, PECR, and the reasonable privacy expectations of the person being targeted. There is no exemption for B2B use; the use of speculative personal data is no more lawful just because the intended recipient appears to be connected to a business.
This is something that I've been meaning to write about for a while. A recent update from the ICO about a complaint I have submitted about this very subject, combined with a little downtime around the holidays, means that I've finally found time to write it all down.
In the second half of last year, I very suddenly started receiving a growing number of spam emails targeting a personal email address that I have hosted under one of my business domain names and had never used or shared. This sudden influx of uninvited spam was coming from reputable brands that you would recognise, such as Vitality and Expedia (amongst others).
These are brands that should know better than to send out unsolicited spam emails to non-subscribers. I had no relationship with these companies and had never agreed to receive emails from them, and yet here these emails were arriving - uninvited - in my inbox in their tens each day, taking time out of my day and interrupting my workflow.
How Was It Happening?
As you may know, I'm the director of two companies: PixelCounter Ltd. (which I began the process of striking off at the end of last year) and Kavanagh Digital. Both of these companies have websites, and both have a readily available business email address posted on them:
So, it would not be unreasonable to say that if a business legitimately wanted to reach my business in a B2B capacity, then there is a very easily accessible route to doing so by using the email address on the business website, which invites precisely that type of communication.
What I was receiving - though - was spam targeted much closer to me personally: sent to email addresses formatted with my name in them (john@domain.com and john.kavanagh@domain.com, for example). These are private email addresses: never shared nor published online and never used for public or business purposes. There was no legitimate way that these companies could possibly have these email addresses, never mind the fact that - even then - they don't have permission to use them for marketing anyway.
The Role of B2B Data
Many lead generation companies create and sell what they label as "valid" and "compliant" business data, including email addresses. They generate this data by scraping publicly available information - reportedly from Companies House, amongst others - to obtain company officer names and then attempt to combine those with guessed email address patterns (e.g., john.smith@company.com, johnsmith@company.com, jsmith@company.com, or john@company.com). They will call this process things like 'proprietary lead generation', because it sounds better than 'made it up by matching patterns and hoping for the best'.
In reality, this is pattern matching rather than sourcing: they are guessing possible addresses and treating any successful match as usable data. It is nothing more than sheer dumb luck that they are able to generate and find valid email addresses at all.
This practice is not just intrusive; it is illegal under GDPR and the Privacy and Electronic Communications Regulations (PECR) and is neither 'valid' nor 'compliant'. These email addresses are not sourced from public records; they are generated using a combination of public data and pure speculation. Passing these onto third parties (or using them on behalf of those third parties) constitutes unauthorised disclosure of personal data, as the generated email addresses include personal data (a person's name) that was never intended to be used for unsolicited marketing and was not shared for this purpose.
The companies argue that using public data means there is no breach. However, the generation of email addresses by combining names with domain patterns to create speculative personal data goes beyond the lawful use of public data. It is neither a legitimate nor authorised use of personal information, even if parts of the data originate from public sources like Companies House or LinkedIn.
Furthermore, under GDPR, organisations cannot justify their actions simply by referencing the public nature of the original data source. The ICO has been clear that personal data remains protected under GDPR even when derived or combined with public information, particularly if the processing leads to unsolicited marketing, as this breaches an individual's reasonable expectation of privacy.
These speculative, generated email addresses are not verified, and there's no certainty that they belong to business accounts rather than personal ones. In my case, Growthonics (apparently now Quantanite), Seed Data Solutions, InFynd, Acquirz, Red Flag Alert, and Go Data (also trading as Go Live Data) were responsible for more than forty spam emails a day arriving in my unverified, unconsenting, private email inbox: they "generated" my valid - but personal - email address and sold it on to third parties without my consent.
This constitutes unauthorised processing and disclosure of personal data, because the information was not provided by me for marketing purposes and was not obtained through a transparent process capable of supporting lawful marketing use.
Companies that buy and use this data for marketing purposes, trusting the promises that these data generation companies make, often unknowingly violate GDPR and PECR, exposing themselves to legal penalties. The responsibility for ensuring compliance lies not just with the data vendors but also with the businesses using this information.
In the cases of the companies I named above, they have all received fines or are in the process of being investigated for exactly this practice.
Why an Email Address with a Name is Personal Data
Under UK GDPR, personal data is defined as:
“Any information relating to an identified or identifiable natural person.”
An email address that includes a person's name (e.g., john.kavanagh@businessname.com, or even just john@businessname.com) clearly identifies an individual. This is covered by Article 4(1) of the UK GDPR (Definitions), which is the source of the definition quoted above.
Even in a business context, this is still personal data and needs to be handled as such:
- It relates directly to a natural person, not the business entity.
- It can be used to contact or infer information about that person.
This is true even if the email address is generated from public data, regardless of whether it is subsequently verified.
The ICO Guidance on Personal Data covers this in great detail, including a specific section dedicated to the classification of email addresses that include personal names - even in a business setting.
Why 'Legitimate Interest' Does Not Apply
Whilst attempting to track down the sources of this spam, one thing I was constantly told was that using this personal email address was allowed because they claimed legitimate interest as a lawful basis for processing data. However, legitimate interest has strict requirements:
- Purpose test: the purpose must be lawful, specific, and justified.
- Necessity test: the processing must be necessary to achieve the purpose (e.g., no less intrusive alternative exists).
- Balancing test: the individual's rights and freedoms must not be overridden by the organisation's interest.
Why It Fails in This Context
- Unverified data: generating email addresses based on guesses is speculative and not "necessary" for any purpose.
- Privacy expectation: an individual with a private, unpublished email address would not reasonably expect to be contacted in this way.
- Risk of misuse: generated addresses might be incorrect or personal, leading to violations of GDPR and PECR.
The crux of this matter is that sending unsolicited emails to made‑up, personal email addresses without explicit consent or a robust justification breaches both GDPR and PECR.
Why Generic Email Addresses are Different
It's worth briefly discussing 'generic' email addresses here because they aren't the same. Generic email addresses like mail@businessname.com or info@businessname.com aren't tied to a specific individual and therefore are not personal data. These addresses are associated with the business entity rather than any natural person. This means:
- They do not fall under GDPR's personal data rules.
- Marketing communications to these addresses are generally governed by PECR's electronic mail marketing rules, which treat corporate subscribers differently from individual subscribers.
However, even when targeting generic addresses, companies must:
- Avoid misleading practices (e.g., pretending to have an existing relationship).
- Provide clear opt‑out mechanisms in all communications.
When a Generic Email Address is Still Personal Data
There is, however, an exception to this, and one which it is virtually impossible for these automatic email generators to catch.
Under GDPR, the entire address must be considered when it comes to personally identifiable information. So - for example - my email address is mail@johnkavanagh.co.uk. This contains my name, which can be used to directly identify me as an individual.
So, even though it starts with 'mail', which might make it look like a generic email address, it is still personal data and cannot be processed for marketing unless there is a valid lawful basis and the sender also complies with PECR. In practice, compliance with PECR is very difficult to justify when the address has been speculatively generated rather than obtained from a known, transparent source.
This means that in order to attempt to use a generated email address in your B2B marketing, you have to manually check and verify every single one of them individually before emailing them. Otherwise, you are likely to find yourself processing personal data in an unlawful way.
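The check described above - looking at the whole address, not just the local part - can be automated as a first pass before any manual verification. The following is an added example written for this article, not the author's code or any vendor's tooling: it screens a candidate list against the officer names a sender would hold (a constructed list here; example.com is a placeholder domain, and the generic local-part list is an assumption) and sorts each address into "personal" (a name is present in the local part or the domain), "generic" (a role mailbox with no name anywhere), or "verify" (name-shaped but unmatched, so it needs the manual check the text calls for). The mail@johnkavanagh.co.uk case from the text is the edge case it is built to catch.

```python
import re
from dataclasses import dataclass

# Local parts that name a role or shared mailbox rather than a person
# (constructed list for this example, not an exhaustive or official one).
GENERIC_LOCAL_PARTS = {
    "info", "mail", "hello", "contact", "enquiries", "sales",
    "admin", "office", "support", "accounts", "press",
}

# Separators that appear between name parts in the patterns the article lists.
LOCAL_SEPARATORS = ("", ".", "_", "-")
DOMAIN_SEPARATORS = ("", "-")   # dots and underscores cannot occur inside a DNS label


@dataclass
class Verdict:
    address: str
    category: str   # "personal", "generic" or "verify"
    reason: str


def name_forms(full_name: str):
    """Return (local_forms, domain_forms) for one person's name.

    local_forms: strings that, as a whole local part, identify the person
                 (first name alone, surname alone, or a first+surname combination).
    domain_forms: first+surname combinations that may appear inside a domain label.
    """
    tokens = [t for t in re.split(r"[^a-z]+", full_name.lower()) if t]
    if not tokens:
        return set(), set()
    first, last = tokens[0], tokens[-1]
    if first == last:                      # single-word name
        return {first}, {first}
    local_forms = {first, last}
    domain_forms = set()
    for sep in LOCAL_SEPARATORS:
        for lead in (first, first[0]):     # john.kavanagh, j.kavanagh, jkavanagh, ...
            form = lead + sep + last
            local_forms.add(form)
            if sep in DOMAIN_SEPARATORS:
                domain_forms.add(form)
    return local_forms, domain_forms


def classify_address(address: str, officer_names) -> Verdict:
    """Decide whether a marketing address must be treated as personal data.

    The whole address is examined, so mail@johnkavanagh.co.uk is flagged even
    though its local part on its own looks generic.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = address.split("@")
    labels = domain.split(".")

    for name in officer_names:
        local_forms, domain_forms = name_forms(name)
        if local in local_forms:
            return Verdict(address, "personal", f"local part identifies {name}")
        if any(form in label for form in domain_forms for label in labels):
            return Verdict(address, "personal", f"domain identifies {name}")

    if local in GENERIC_LOCAL_PARTS:
        return Verdict(address, "generic", "role mailbox, not tied to a natural person")

    # Name-shaped local part that matches no known officer: still likely a person,
    # so it must be verified by hand before any use, as the text explains.
    return Verdict(address, "verify", "unmatched local part; verify manually before any use")


def screen_list(addresses, officer_names):
    """Group a candidate list by category; only 'generic' can be treated as a corporate subscriber."""
    groups = {"personal": [], "generic": [], "verify": []}
    for addr in addresses:
        verdict = classify_address(addr, officer_names)
        groups[verdict.category].append(verdict)
    return groups


if __name__ == "__main__":
    # Constructed sample: one officer name and the address patterns the article describes.
    officers = ["John Kavanagh"]
    candidates = [
        "john@example.com", "john.kavanagh@example.com", "jkavanagh@example.com",
        "mail@johnkavanagh.co.uk", "info@example.com", "jane.doe@example.com",
    ]
    for category, verdicts in screen_list(candidates, officers).items():
        for v in verdicts:
            print(f"{category:8} {v.address:32} {v.reason}")
```

The domain test is a substring match on each label, which errs on the side of flagging: a label that merely contains a surname-like string will be marked personal, which is the right failure direction for a compliance screen. Anything in the "verify" bucket is not cleared by this script; it is exactly the set that still needs a human check.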
One very abrasive data company I spoke to about this spent months arguing this point (having sold my email address to countless other companies). They eventually lost that argument.
The Role of Companies House Data in This Practice
The Companies House register is a public database containing information about companies and their officers (e.g., directors), published as required by law. It is important to note that Companies House does not store companies' email addresses, nor their domain names.
Whilst it is perfectly legal to access this data, misusing it - such as using it to generate speculative email addresses - is a breach of GDPR if:
- The data is used to target individuals without consent (and every company officer is an individual).
- The individual's reasonable expectation of privacy is disregarded.
Using Companies House data for legitimate business correspondence is permissible, but creating personal email addresses from this data crosses the line into illegality.
Misuse of Public Data and Terms of Use Violations
This practice is illegal under GDPR and PECR and also violates the terms of use of the public data sources involved. For instance, Companies House explicitly prohibits the use of its data for unsolicited marketing or speculative purposes. The information it provides is intended to ensure business transparency and accountability, not to facilitate invasive email generation practices or generate profits for these lead generation companies.
Similarly, LinkedIn prohibits scraping or harvesting user data under its terms of service. LinkedIn is a professional networking platform designed to connect individuals for career and business opportunities, not to enable speculative contact list creation. Misusing its data violates these agreements and can result in severe consequences.
LinkedIn has actively enforced its policies against unauthorized data scraping, most notably in the hiQ Labs case. In this legal battle, LinkedIn sued hiQ Labs for scraping data from public LinkedIn profiles to use in its own analytics products. The court case highlighted important issues regarding user privacy, data ownership, and contractual obligations under LinkedIn's terms of service.
Although the courts initially ruled that scraping public data did not violate the Computer Fraud and Abuse Act (CFAA), the case underscored LinkedIn's commitment to protecting user data and enforcing its terms of service. It also signalled to companies that even data accessible publicly is not free from contractual and legal restrictions when terms of service are violated.
These platforms make it clear that while their data may be accessible for legitimate purposes, using it to generate personal email addresses for unsolicited marketing crosses ethical, legal, and contractual boundaries. Companies engaging in such practices risk not only violating privacy laws but also facing significant legal repercussions or being barred from accessing these valuable data sources altogether.
Why This Practice is Illegal
The act of generating speculative email addresses by combining publicly available officer names (e.g., from Companies House) with domain names to create contact information for unsolicited marketing is illegal under both the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) due to the lack of consent and misuse of personal data.
GDPR Violations
Under the UK GDPR, email addresses that include a person's name (e.g., john.smith@business.com) are considered personal data because they identify a specific individual. Generating and using this type of speculative email address violates GDPR in several ways:
No Lawful Basis for Processing:
Processing personal data requires a lawful basis. Speculating email addresses does not meet the ICO's guidance on legitimate interests, because there is no verification that the email address is business‑related, valid, expected, or necessary for the stated purpose.
Where PECR requires consent, the absence of that explicit consent further invalidates the practice.
Breach of Transparency and Fairness:
The UK GDPR requires personal data to be processed lawfully, fairly, and transparently. Generating speculative email addresses inherently lacks transparency because the individual has not been clearly told that their name and a company domain may be combined to create a new contact address for marketing.
PECR Violations
PECR governs electronic communications, which includes marketing emails. Sending unsolicited marketing emails to a generated personal email address breaches PECR because:
Unsolicited Marketing to Individuals:
PECR's electronic mail marketing rules prohibit sending unsolicited marketing emails to individual subscribers without prior consent, unless a narrow soft opt‑in applies.
Even if the email address appears business‑related, the presence of a name (e.g., john@domain.com) identifies an individual, making consent a legal requirement.
Applicability to Sole Traders and Partnerships:
Under PECR, stricter rules apply to sole traders and partnerships because they are still treated as individual subscribers. Marketing emails to these entities requires explicit prior consent, unless the "soft opt‑in" rule applies (i.e., an existing customer relationship exists and the marketing is related to similar goods or services).
This includes business‑like email addresses tied to sole traders, such as contact@johnkavanagh.co.uk or john@domain.com as they are directly linked to an individual.
Example Cases
Leave.EU and Eldon Insurance (2019)
The ICO fined Leave.EU and Eldon Insurance £120,000 for sending unsolicited marketing emails without the recipient's consent. The companies argued that their actions were legitimate business practices but failed to demonstrate compliance with PECR.
CRDNN Limited (2020)
The ICO fined CRDNN £500,000 for unlawful direct marketing activity and later referenced the case in its published work on recovering unpaid fines. The original penalty notice URL previously linked from this article is no longer live, but the ICO still lists CRDNN in its fine‑recovery material.
Lead Generation Companies (2021)
In a broader investigation, the ICO fined multiple lead generation companies for creating and selling speculative personal data, including email addresses. These companies violated GDPR by failing to establish a lawful basis for processing.
Protecting Yourself from This Misuse
Unless you want to spend your days sifting through reams of emails containing irrelevant offers for services you just don't need, then it is important to take action if you suspect that your data has been misused.
Where the sender appears to be a real business rather than a scammer, the first step is to ask where they got your email address from. In my experience, there are only a handful of 'data' companies providing these email addresses to hundreds or thousands of clients.
Then, you can:
- Report to the ICO: file a complaint about the misuse of your personal data.
- Mark emails as spam: block or report emails from the offending companies.
- Contact the company: request that they delete your data under GDPR's right to erasure.
Wrapping Up
No matter what a company tells you when challenged about where it got your personal email address, using Companies House or other sources of public data to generate personal email addresses for marketing purposes is not just intrusive; it's illegal.
The GDPR protects individuals from precisely this type of speculative and unverified practice, whilst PECR sets strict rules around unsolicited emails. Although businesses may claim legitimate interest, the absence of consent and of any reasonable expectation of contact renders this practice non-compliant. They will claim otherwise all the same.
As recipients, we have the right to push back, report violations, and demand better adherence to privacy laws.
Key Takeaways
- An email address that contains a person's name is personal data under GDPR.
- Legitimate interest does not justify speculative email generation.
- Generic addresses (e.g., info@...) are exempt but still governed by PECR.
- Misusing public data, like Companies House information, is a breach of GDPR and is an explicit breach of Companies House terms and conditions, too.
If you are in any doubt about the source of the email addresses you are using in your marketing campaign, please just don't send the email at all.