ID resolution is broken in the UK. Here’s why, and what actually works.

ID resolution is one of the most valuable capabilities in modern marketing. It is also one of the most legally complex in the UK. Understanding the difference between a compliant solution and an exposed one could save you a significant regulatory headache.

What is ID resolution?

When someone visits your website, all you receive by default is a browser session: an IP address, a device fingerprint, and perhaps a cookie. You do not know who they are. ID resolution is the process of matching that anonymous signal to a real-world identity: typically a name, an email address, or a user profile.

In practice, this is done by comparing the anonymous visitor signal against a shared identity graph: a large database of device and identity associations built from logins, purchases, form fills, and other data collection events across many websites and apps. If a match is found, the visitor can be contacted directly.

01. Visitor arrives: Browser signal (IP, user agent, cookie) is captured by a pixel.
02. Signal is matched: Signal is compared against an identity graph built across many sites and platforms.
03. Identity resolved: An email address or profile is returned to the publisher or advertiser.
04. Email is sent: A triggered or retargeted message is sent to the now-identified visitor.

Why GDPR makes this legally complex in the UK

The United States has no single federal privacy law governing email marketing. The CAN-SPAM Act permits email to strangers provided you offer a way to opt out, so US-built identity resolution products are engineered around an opt-out model. You can contact people unless they ask you to stop.

The UK operates under a fundamentally different legal model. UK GDPR, retained in UK law post-Brexit, requires an opt-in. You cannot contact someone by email for direct marketing purposes unless they have explicitly consented. That consent must be freely given, specific, informed, and unambiguous.

UK GDPR Art. 6 (Lawful basis required): All personal data processing must have a lawful basis. Consent is the only reliable basis for direct email marketing to consumers.

UK GDPR Art. 7 (Conditions for consent): Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or blanket acceptance do not qualify.

PECR Reg. 22 (Electronic marketing): PECR prohibits unsolicited direct marketing emails unless the recipient has given prior consent. This overrides GDPR’s balancing tests.

ICO Guidance (Third-party consent invalid): Consent given to one organisation does not automatically allow a different organisation to use that data for its own marketing.

The opt-in ownership problem

When a US identity resolution provider resolves a UK site visitor to an email address, the resulting address almost certainly carries consent that was originally granted to a different organisation: perhaps a retailer, a comparison site, or an app the user registered with years ago.

Even if the original consent was broad, such as “I agree to receive marketing from selected partners”, the ICO has consistently held this is insufficient. The consumer agreed to something vague, not to being identified as a visitor to a particular website and emailed by a brand they have never interacted with.

The core legal conflict

US identity resolution products identify a site visitor and send them an email using an address harvested from third-party data. The visitor never consented to receive email from that brand. The brand does not own the opt-in. Under UK GDPR and PECR, this is almost certainly unlawful, regardless of how the vendor describes their compliance posture.

Status | Practice
Unlawful | Sending email using an address resolved from a third-party identity graph, where the opt-in was given to a different organisation.
Unlawful | Using “legitimate interests” as a basis for unsolicited direct email marketing. PECR requires explicit consent, not a balancing test.
At risk | Claiming broad “partner” consent as a lawful basis. The ICO actively investigates consent chains and has issued significant fines for this.
At risk | Relying on US-built solutions that apply opt-out logic to UK users. This is a systemic compliance failure, not a configuration issue.
Compliant | Using ID resolution to identify visitors and serve on-site personalisation or paid media targeting, where a valid consent layer is in place.
Compliant | Emailing visitors where the data partner holds direct, specific, auditable first-party consent, and sends under their own identity.

Why US products don’t work in the UK

Products like Retention.com, SafeOpt and Opensend were designed for a market where contacting someone is presumptively permitted. They are not designed for GDPR compliance at the consent-chain level, and no configuration or contractual arrangement changes that fundamental structural fact.

US / Typical approach: Opt-out model. Email is permitted by default. Products maximise reach with suppression lists to honour opt-outs. Identity graphs are built at scale without granular consent.

UK GDPR requirement: Opt-in model. Email requires explicit, specific, prior consent. No contact is permitted unless consent was directly given to the sending organisation for this specific purpose.

The “GDPR compliant” mislabel

Many vendors say their platform is “GDPR compliant” because they have signed data processing agreements and store data in the EU. This does not mean the email marketing use case is lawful. Those are entirely separate questions.

Ask your vendor: Who owns the opt-in on the email addresses you return? Can you demonstrate that consent was given specifically to my organisation, for my marketing?

What a compliant solution looks like

Not every identity resolution product in the UK market has the same exposure. Some have been built specifically to address the consent ownership problem. The structural difference comes down to four tests:

01. First-party opt-in: The data partner holds direct consent from the consumer, with no chain passed through intermediaries. The consumer opted in to the data partner’s own platform.
02. Transparent brand list: At the point of opt-in, the consumer can see the specific brands covered, not a vague reference to “partners.” The list is published, current, and linked at consent.
03. Sends under own identity: The email is sent by the data partner under their own name and domain, not on behalf of a brand the consumer has no relationship with.
04. Auditable consent records: The partner can demonstrate when, where, and how consent was collected for any individual. If the ICO asks, there is a clear and documented answer.

The consent transparency test

Ask any identity resolution vendor: “At the point of opt-in, can the consumer see the specific brands covered by their consent, and is that list kept current?”

If the answer is no, or qualified, the consent is unlikely to satisfy the ICO’s specificity requirement. No amount of data processing infrastructure makes up for that gap.

How Optivo is built differently

Optivo, powered by esbconnect, is built specifically for the UK regulatory environment. Rather than passing consumer data to a brand’s CRM (which creates a processing liability), Optivo identifies the visitor and sends the triggered email directly, using esbconnect’s own infrastructure and identity. The brand does not receive the consumer’s personal data unless the consumer explicitly opts in by clicking through.

The consent model underpinning this is esbconnect’s directly owned database of opted-in UK consumers. Every brand covered by that consent is listed publicly on esbconnect’s privacy and compliance hub, Opt Me In, and every opt-in includes a direct link to that list. The consent record is fully auditable. This satisfies all four of the tests above.

01. First-party consent: Consumer opts in via esbconnect’s own platform, with the full brand list visible at point of consent.
02. Identity anchored: The opt-in is tied to a device and browser signal, enabling future recognition when that person visits a client site.
03. Visitor matched: When the consumer visits anonymously, Optivo’s pixel matches them to the consented record in real time.
04. Email is lawful: esbconnect sends under its own identity. The consent chain is clean, specific, and fully auditable.

Ready to see Optivo in action?

Most identity resolution products sold to UK brands were not built for UK law. The compliance exposure from using them for email retargeting is real, and the ICO is actively focused on this area of the market.

Optivo is built specifically for the UK: compliant consent infrastructure, net-new audience reach, and live within days.

Frequently Asked Questions

Is ID resolution illegal in the UK?

No. ID resolution itself is not illegal. The legal question is what you do with a resolved identity. Using it to serve on-site personalisation or activate paid media targeting may have a valid lawful basis. Using it to send unsolicited email to someone who has never consented to hear from you is where the legal exposure arises under PECR.

Can I use legitimate interests as a basis for email retargeting?

No, not for email marketing. Legitimate interests is a valid lawful basis under UK GDPR for some types of processing, but PECR Regulation 22 operates separately and requires explicit prior consent for direct electronic marketing to individuals. PECR overrides the GDPR lawful basis analysis for email specifically.

What does “GDPR compliant” actually mean when a vendor says it?

It typically means the vendor has signed standard contractual clauses and stores data within compliant jurisdictions. These are necessary but not sufficient. They do not address whether the underlying consent for the email addresses they supply is specific enough to support a direct email send to someone with no prior relationship with your brand.

How is Optivo different from US identity resolution products?

The fundamental difference is in how consent is structured. US products resolve visitors to email addresses from third-party graphs where the original opt-in was given to a different organisation. Optivo activates against esbconnect’s directly owned UK consumer database, where consent was given to esbconnect specifically, and sending is done under esbconnect’s identity.

Can Optivo reach people who have never heard of my brand?

Yes, and this is the core commercial difference. Because Optivo draws from esbconnect’s database of opted-in UK consumers, it can reach people who have visited your site but have no prior relationship with your brand. US platforms operating in the UK are typically constrained to re-engaging people already in your CRM. Optivo extends your reach to genuinely net-new UK consumers compliantly.