Data-broker Verso has been ordered to cough up £80,000 after failing to tell people exactly what their info would be used for.
The fine is the first handed down by the UK Information Commissioner's Office as part of a wider investigation into the data-broking industry.
The Hertfordshire-based biz, which celebrates itself as the UK's premier lead generation provider, was found to have supplied data to firms that the ICO had investigated over nuisance calls.
One business, Prodial, was fined £350,000 by the ICO – a record at the time it was issued in February 2016 – for making 46 million nuisance calls.
These investigations led the watchdog to the door of Verso, which supplied the biz with large volumes of the personal data it used for the calls.
After asking Verso how it had obtained and supplied the data, the ICO was told that some was from other companies and websites, and some gathered by the firm itself.
On further investigation, the ICO found that Verso had failed to provide the data subjects with sufficiently specific information about which companies would see and use their data.
For instance, when Verso contacted people in the UK from overseas call centres, personal data was amassed by telling people it was for a survey, when they were "in fact lead generation calls", the ICO said.
Meanwhile, it gathered information from other businesses by buying packages of data – without ensuring that individuals had consented to their personal data being supplied to Verso, or for onward sales to other companies for direct marketing.
As such, the watchdog concluded that its activities "constituted serious contraventions" of data protection laws that were "systemic" and involving large volumes of personal data.
"This type of unlawful data trading directly fuels the nuisance call and spam text industry and creates misery for millions of UK citizens," said James Dipple-Johnstone, ICO deputy commissioner.
"Businesses need to understand they don't own personal data – people do and those people have the right to know what is happening to it and who is likely to be contacting them for marketing."
The ICO said its investigation into data broking was also looking at how credit reference agencies process personal data. The watchdog is in the process of probing the Equifax mega-breach. ®