Selling Personal Data: What You Need to Know Beforehand

We live in a world where the exchange of data happens every day. With millions of terabytes being transferred every minute, primary and secondary markets selling and exchanging data are increasing year on year. While selling data has been viewed negatively in the past due to infamous data breaches, such as the Cambridge Analytica and Facebook case, we now live in a new age of selling data with ever-increasing use cases.

Before answering questions such as whether your data was collected legally or which data brokers hold your data, we must first answer the question:

Is Selling Personal Data Illegal?

In short, no. However, selling personal data, such as personally identifiable information, comes with a lot of caveats. According to, there are three ways selling personal data can be allowed:

  1. You need to have a legal basis to process the personal data of a customer. Consent is the most frequently used legal grounds. Other legal grounds are the necessity for the performance of a contract, compliance with the law, or a legitimate interest.
  2. Personal data could be used only for the purposes for which the personal data were collected. You have to inform in the customers about the purposes of collection in advance.
  3. Customers have to have the right to withdraw their consent for selling their personal data at any moment. Nobody canceled the right to object and right to be forgotten.

Which Countries Have Laws Against Selling Data?

Different countries have different laws surrounding the sale of data. For this article we will focus the three areas of the UK, EU and the USA.

United Kingdom

In the UK laws are similar to the EU GDPR. The UK is currently regulated by the Data Protection Act 2018 which incorporates the EU GDPR and supplements its provisions.

The Data Protection Act 2018 focuses significantly on data subject rights, “special category” personal data, data protection fees, data protection offenses, consent from children and enforcement.

Check out the UK Data Protection Act for more detailed information.

European Union

The EU is covered by the GDPR founded in 2016. The Data Protection Act 2016 sets expectations for data controllers, processors and recipients regarding personal data.

This act explains that all data processing must be done fairly, lawfully and for legitimate purposes, and that only the minimum amount of data necessary is collected.

The Data Protection Act 2 also outlines several rights of data subjects, including the right to know the identity of the data controller, the purpose of the processing and their rights to collect or transfer the data.

United States

Currently, there is no single overarching data privacy legislation in the US. Instead, the country follows a sectoral approach to data privacy, relying on a patchwork of sector-specific laws and state laws.

In fact, the US relies on a “combination of legislation, regulation and self-regulation” rather than government intervention alone. There are approximately 20 industry- or sector-specific federal laws, and more than 100 privacy laws at the state level (in fact, there are 25 privacy-related laws in California alone).

The California Consumer Privacy Act (CCPA) gives residents of California four rights that give them more power over their personal data: right to notice, right to access, right to opt-in (or out), and right to equal services. Any organization that collects the personal data of California residents, not just businesses located in the state, must comply with CCPA.

If you want to find out more about how to comply with the CCPA here.

Was My Data Collected Legally?

It’s hard to know. Unless your data come directly from a breach, you can probably assume that this data was collected legally. However to find out the Government advises on the following:

  • Write to an organisation to ask for a copy of the information they hold about you.
  • If it’s a public organisation, write to their Data Protection Officer (DPO). Their details should be on the organisation’s privacy notice.
  • If the organisation has no DPO, or you do not know who to write to, address your letter to the company secretary.

What Is The Best Way to Sell My Data?

The best method is to go through a respected Marketplace such as Trovalo or Kaggle. Our data marketplace provides a comprehensive range of datasets for commercial  use all the way to open source free datasets.

Our on-boarding process for new data providers is extremely diligent and involves a full know-your-business check on the data providers including full documentation of how the data was collected. The most important thing here is that you as a user/buyer of data are fully aware of where the data has come from.

Want to check out our marketplace before committing? No problem!

Share this post