The ICO emphasises the requirements for consent, which must be “specific and informed”. It clarifies that consent for purchased “consented” data is valid only if the purchaser is identified at the time the data is collected (i.e., when consent is given). Therefore, EML could not have lawfully purchased the data based on valid consent, as it was not identified as a potential buyer to individuals. The use of these deceptive patterns meant that individuals were not fully aware of the nature of the data collection and how their personal data would be used for marketing purposes. This violated several provisions of data protection regulations, including Article 5(1)(a) of the GDPR, which requires that personal data shall be processed lawfully, fairly and transparently.