Skip to main content

Half of major UK websites breach EU data protection law and create 'spam', says study

Contact the Brunel MBA team| Brunel Business School

Around half of the UK’s most popular consumer websites are using customers’ information to generate spam emails, in breach of data protection legislation, new research has found.

Researchers from Brunel University in London and from the University of Reading found that 48 out of 100 most popular websites use personal information to send out commercial emails, even when customers have expressly refused to give their consent.

Only one out of six websites has in place a system of requesting customer’s consent which is compliant with EU standards on data protection. The EU standards say that a website wanting to use personal information for commercial emails must ask customers to opt in, for instance by ticking a box requesting further communication, rather than expecting them to opt out.

The researchers, Dr Maurizio Borghi and Dr Federico Ferretti from Brunel and Dr Stavroula Karapapa from Reading, also found evidence that sites collect personal information that is not relevant for the completion of the contract between them and the customers, and that they frequently transfer these data to third parties for direct marketing purposes.

“We were surprised to find that a large number of popular UK websites do not have a system that complies with EU data protection,” said Dr Borghi. “We don’t think that this is because they are deliberately flouting the law. It is more likely that they just don’t know what it says.”

Under EU legislation data protection is a fundamental right, but, said Dr Ferretti: “It seems that the law isn’t being implemented or supervised to an acceptable standard in the UK. Our research suggests that there is a link between this more relaxed approach towards data protection and the unlawful processing of personal data, such as unsolicited commercial emails, or even profiling.”

Dr Karapapa added: “Ticking a box is not a trivial matter. When registering to watch a movie or to buy a train ticket, or to go to the theatre, we have to provide data to complete the transaction. It is a legal requirement that the use of this information should not exceed what we have consented to. Our survey indicates that this requirement is not being respected”.

The researchers, a team of academics and students at Brunel Law School, collected their data in 2011–2012 by registering with a sample of top consumer websites using assumed identities with valid email accounts, addresses and mobile phone numbers. Special software was created to monitor unsolicited emails sent to all the accounts.

Notes to Editors

The study, “Online data processing consent under EU law. A theoretical framework and empirical evidence from the UK” will be published in the April edition of the International Journal of Law and Information Technology, by Oxford University Press.

For further information, contact the Brunel University Press Office: 01895 265585,; or Hannah Murray at Communications Management: 01727 850761,; or Pete Castle, University of Reading Press Office, Media and PR Officer: 0118 378 7391,

For a copy of the article, contact Kirsty Doole, Publicity Manager, Oxford Journals:, tel 01865 355439 or 07557 163 098.

View the abstract

See further details on the Data Protection Directive, see Wikipedia and the UK Information Commissioner's Office