Privacy and Data Protection in UK Competitions: What Compers Actually Need to Know

Matt John
18 December 2024
Key Takeaways
  • UK GDPR and the Data Protection Act 2018 give every comper six rights over their data — access, rectification, erasure, restriction, objection, and portability — exercisable free of charge with a one-month response window
  • Competitions legitimately need name, email, address and (for adult prizes) age — nothing more. Requests for bank details, NI number, passwords or upfront fees are red flags
  • Marketing consent must be separate from entry, granular and opt-in (no pre-ticked boxes). You can withdraw consent at any time via the unsubscribe link
  • The Information Commissioner's Office (ICO) is the UK regulator — complain to them if a brand ignores a deletion request, keeps emailing after unsubscribe, or fails to respond to a subject access request within one month
  • Most UK competitions are run by promotional agencies as sub-processors of the brand — your data touches multiple parties even when the entry form is branded for one company
  • A dedicated comping email address with 2FA enabled solves about 80% of practical privacy concerns in comping with no other action required
  • Social media comps add a separate privacy layer: public profiles, tagged friends and hashtag history are all visible to the promoter and to anyone who looks

Every time you enter a UK prize draw you hand a brand or its agency a small bundle of personal data — usually your name, address and email, sometimes your date of birth, occasionally your phone number. Most of the time that's fine. The brand uses it to pick a winner, post the prize, and (if you ticked the right box) email you the odd marketing message.

The point of this guide isn't to make you paranoid. It's to make you the kind of comper who recognises the line between normal data handling and red flags, who knows their rights under UK GDPR without having to Google them, and who can stop a brand emailing them for the rest of their life with one polite request.

We'll cover the legal basics in plain English, the data brands legitimately need versus the asks that should make you close the tab, the six rights you have over your own data, how the ICO actually works as a regulator, the realities of third-party sub-processors (the agencies that handle most prize fulfilment), and the comping-email trick every UK comper uses to keep their main inbox sane.

For comping purposes the practical effect is:

  • Any UK organisation that collects personal data is a data controller with legal duties.
  • They must have a lawful basis to process your data (usually "consent", "contract" or "legitimate interests" for comping).
  • They must collect only what they need (data minimisation) and not keep it forever (storage limitation).
  • They must tell you, at the point of collection, what they're going to do with it (the privacy notice).
  • You have a set of rights you can exercise at any time, free of charge in most circumstances.
  • The Information Commissioner's Office (ICO) is the UK regulator that polices all of the above.

That's the entire framework you need to comp confidently. Everything else is detail.

What lawful basis does a competition actually use?

When you enter a prize draw, the brand needs a lawful basis to use your data. There are six in UK GDPR; comping mostly uses three of them, and it's worth knowing which is which because they give you different rights.

Contract ("performance of a contract")

When you submit an entry you and the brand effectively enter a mini-contract: you've agreed to the T&Cs and they've agreed that if you're picked, they'll fulfil the prize. They need your name and contact details to run the draw, notify the winner and ship the prize. That use of your data is contract basis — they don't need separate consent for it.

Consent

Marketing is different. If the brand wants to add you to its newsletter, send you offers, or pass your details to a partner brand for their marketing, that needs explicit consent. You opt in actively (an unticked box you tick), not passively (a pre-ticked box you have to untick).

This is the bit competition forms get wrong most often, and the bit you should read most carefully.

Legitimate interests

Some processing — fraud checks, internal analytics, retaining records to defend against a future legal claim — runs under legitimate interests. The brand has to show a genuine business need that doesn't override your rights. You can object to legitimate-interests processing, but you can't withhold it the way you can with consent.

If a brand emails you marketing and you didn't tick anything, they're either relying on the (narrow) "soft opt-in" rule under PECR (you've recently bought something similar) or they're in the wrong. For competitions, they're almost always in the wrong — winning a prize draw isn't a prior purchase.

What competitions legitimately need from you (and what they shouldn't)

The minimum a UK prize draw actually needs is short — and the asks that should make you close the tab are equally clear. Here's the side-by-side:

| Data point | Legitimate need? | Red flag if asked at entry? |
| --- | --- | --- |
| Your name | Yes — to identify the winner and address the parcel | No |
| Email address | Yes — for winning notification | No |
| Postal address | Yes — for physical prizes (entry or claim stage both fine) | No |
| Phone number | Sometimes — usually for courier deliveries on larger items | No |
| Date of birth / age | Yes — for 18+ prizes or alcohol/gambling-related comps | No |
| Bank account / card details | Never at entry stage | Yes — close the tab |
| National Insurance number | Never | Yes — phishing tell |
| Password to any account | Never | Yes — scam |
| Passport / driving licence scan | At claim stage only, never at entry | Yes if asked upfront |
| Mother's maiden name / security Q&As | Never | Yes — identity-theft prep |
| "Admin fee" / "release fee" to claim | Never | Yes — scam, always |

A legitimate UK promoter will only collect the data they actually need at the moment they need it. Address details at the claim stage rather than the entry stage is a good sign, not a bad one — it shows they're respecting data minimisation.

The rule of thumb: a brand collecting more than name, contact details and (for adult prizes) age is collecting data for marketing, profiling, list-resale or something worse. You're allowed to skip the comp.

Your six data subject rights as a comper

UK GDPR gives every person ("data subject") six rights over their own data. You can exercise all of them by emailing the brand's data protection contact, who must respond within one calendar month. You shouldn't be charged.

1. Right of access

You can ask any organisation that holds your data what they've got. This is called a subject access request (SAR). They have to give you a copy of your personal data, plus details of what they're using it for, who they share it with, and how long they'll keep it. One month to respond. No fee in most cases.

In practice you'd rarely SAR a competition promoter, but the right is there.

2. Right to rectification

You can have inaccurate data corrected. If a brand has your address wrong and your prize is going to the wrong house, this is the right that fixes it.

3. Right to erasure ("the right to be forgotten")

You can ask any organisation to delete your data. This is the one compers use most: "Please delete my data from your records" once a prize draw is over. The brand can refuse only if they have a legal reason to keep it (e.g. tax records of a winner) but for everyone else they should delete on request.

4. Right to restrict processing

A softer version of erasure — they keep the data but stop using it. Useful while a complaint is being investigated.

5. Right to object

You can object to your data being used for marketing at any time, and the brand must stop immediately. No reason needed. This is the right that powers the "unsubscribe" link.

6. Right to data portability

Where processing is by consent or contract and is automated, you can ask for your data in a machine-readable format so you can move it elsewhere. Rarely relevant to comping; mentioned for completeness.

There's also a right not to be subject to purely automated decisions, but it doesn't really apply to prize draws.

For the legal and ethical considerations of comping more broadly, including the line between consumer protection and gambling law, we've covered the wider legal framework elsewhere.

The ICO: how the UK regulator actually works

The Information Commissioner's Office (ICO, at ico.org.uk) is the UK's independent data protection regulator. They enforce UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR — the marketing-specific rules) and a few related laws.

For compers the ICO is useful in two ways:

As a complaints route

If a brand mishandles your data, ignores a deletion request, keeps emailing you marketing after you've unsubscribed, or fails to respond to a subject access request within one month, you can complain to the ICO online via their reporting form.

Before complaining you should normally:

  1. Contact the brand's data protection team (often dpo@brand.co.uk or via their privacy policy).
  2. Give them a reasonable chance to fix it — typically one month from your initial request.
  3. Keep written evidence (screenshots, copies of emails).
  4. Then escalate to the ICO if unresolved.

The ICO won't usually award you compensation — they're a regulator, not a small-claims court — but they can investigate, issue reprimands, and in serious cases fine the organisation. For individual compensation you'd go to court.

As a transparency source

The ICO publishes guidance, action plans and a register of enforcement notices and fines. Public companies that have suffered a breach are often listed. If you're unsure whether a particular brand has had data problems, the ICO's enforcement pages are the official source — much better than a Google search.

Records of Processing Activities (ROPA) — what big brands actually maintain

UK GDPR Article 30 requires most data controllers to maintain a Record of Processing Activities (ROPA): an internal document listing every type of personal data they process, why they process it, who they share it with, where it's stored, and how long they keep it.

You'll rarely see a ROPA — it's an internal document, not public — but it matters because:

  • Any reputable brand running a national prize draw has one.
  • If a brand can't tell you who their sub-processors are ("who actually handles my data once I enter your comp"), they're not maintaining a proper ROPA, which is itself a sign of weak data governance.
  • When you make a subject access request, the brand uses the ROPA to find your data across all the places it's stored.

If you ever want to test how seriously a brand takes data protection, ask them — politely, in writing — what categories of third party will receive your data when you enter their competition. A serious brand will answer within a few days. A weak one will fudge.

Third-party sub-processors: the agencies behind the brand

Most UK competitions aren't run by the brand directly. They're run by promotional agencies on the brand's behalf. The agency builds the entry form, hosts the data, picks the winner, ships the prize and reports back. Your data sits on the agency's servers, not the brand's, even if everything is branded "Cadbury" or "M&S" front-end.

A non-exhaustive list of the kinds of third parties your data typically touches in a single competition:

  • The promotional agency running the comp
  • The email service provider sending the winner notification (often Mailchimp, Campaign Monitor or similar)
  • A delivery courier handling the parcel (Royal Mail, DPD, Hermes, etc.)
  • An identity verification service for big-ticket prizes (rare, but used for cars and holidays)
  • The brand's CRM if you opted into marketing — your data is added to their list there
  • A judging panel for skill comps — often the agency, sometimes external judges

UK GDPR requires the data controller (the brand) to have a data processing agreement (DPA) with each of these sub-processors. The privacy notice on the entry form should disclose at least the categories of recipient.

In practice this is fine — these third parties are all legitimate and well-regulated. The reason it matters for you is: when you ask for deletion, the brand should propagate that request down to the agency and its sub-processors. If it doesn't, your data lives on. Hence the importance of a real deletion request rather than just unsubscribing.

The single biggest practical privacy issue in comping isn't sinister data harvesting — it's an unintentionally ticked marketing box that floods your inbox for six months.

A few rules to internalise:

  • Pre-ticked boxes are not valid consent under UK GDPR. They've been illegal for marketing since 2018. If a comp uses one, you can still untick it, but it tells you something about the brand's compliance culture.
  • "Entry counts as consent" wording is not valid. Marketing consent must be separate from entry. A brand cannot lawfully say "by entering you agree to receive marketing" and then ignore your withdrawal.
  • Marketing consent must be granular. "Yes I'd like to hear from Brand X" and "yes I'd like to hear from Brand X's carefully selected partners" should be two separate tick boxes, not one. The second one is the list-resale trapdoor that buries your inbox.
  • You can withdraw consent at any time. Every marketing email must have a working unsubscribe link, and unsubscribing must be as easy as subscribing was (PECR Regulation 22).

If you're entering UK comps as a hobby — 20-30 a day per our comping for beginners guide — the cumulative marketing volume from ticking yes to even a quarter of those boxes is brutal. Two months in and you'll have several hundred newsletters a week. The fix is the comping email.

The comping email strategy: the single best privacy hack

Every serious UK comper uses a dedicated comping email address. It's a Gmail, Outlook or ProtonMail account you create specifically for competitions and use for nothing else. The setup takes ten minutes; the time it saves over a year is enormous.

Why a comping email matters

  • Your real inbox stays clean. Bank statements, family emails and work mail don't get buried under "YOU'VE WON!" subject lines from brands you entered a comp with in March.
  • Win emails are easy to spot. When the inbox is 99% competition-related, the winning email stands out instead of being lost in noise.
  • Disposable consent. If the inbox gets overwhelmed, you can mass-unsubscribe in an afternoon — or in the nuclear scenario, abandon the address and create a new one. You haven't lost anything because no real correspondence lives there.
  • A privacy buffer. Brands don't get your "real" email, so even if a brand suffers a data breach the leaked email isn't tied to your bank, your social accounts or your password reset flows.
  • Better filtering. You can set up rules in Gmail/Outlook that auto-route obvious newsletter mail to a folder while keeping personalised emails (which is what wins look like) in the main inbox. The ultimate guide to comping walks through a sensible filter setup.

How to set one up properly

  1. Create a new free account — Gmail (gmail.com) or Outlook.com both work. ProtonMail is fine if you want extra privacy.
  2. Use a clean, professional username. firstname.surname.comps@gmail.com works well; winsalot1985@… looks like a bot account and can occasionally be flagged.
  3. Set the display name to your real name. Brands match the entry to the email — if your form says "Sarah Jones" but the email is from "Win Queen", a careful promoter might reject.
  4. Add a recovery phone or backup email. You don't want to lose access if you forget the password — that's a route to losing prizes you've already won.
  5. Tell Sweepzy to use this address. If you've signed up for Sweepzy's competition tracker, set the same email here for consistency.

The comping email solves about 80% of practical privacy concerns in comping with no other action required.

Browser, cookies and tracking — the bits we usually skip

A few points that the privacy-policy section of a competition entry form will mention but most compers ignore:

  • Cookies on the entry page track you across the brand's site for retargeting (those ads that follow you around). Setting your browser to block third-party cookies, or using a tracker-blocker extension, blunts this. It doesn't affect entry validity.
  • IP address logging is universal and is used both to detect fraud (multiple entries from one IP) and as a minor data point. There's nothing to do about this; it's normal.
  • Form-completion analytics (tools like Hotjar) sometimes record exactly what you typed and how. This is disclosed in better privacy policies. If a brand uses session-recording without disclosure, that's a real GDPR issue.
  • Pixel tracking in winner emails lets a brand see when (and sometimes where) you opened their email. Again, normal — your email client can usually block remote images, which neutralises most pixel tracking.

None of this is a comping-specific problem. It's general web hygiene.

Social media competitions: the bit where "public" actually means public

Social competitions — Instagram, Facebook, TikTok, Threads — have a different privacy profile, and one a lot of compers don't think through.

When you enter a social comp, the promoter typically sees:

  • Your public profile (name, bio, follower count, avatar)
  • The comment, like or repost you made as your entry
  • Any tags you added to friends
  • Sometimes your DM history with the brand if you've messaged them

Things to keep in mind:

  • A locked profile usually means a disqualified entry. The promoter can't verify you. Keep your profile public during active comps; lock it after wins land if you want.
  • Tagging friends without their permission is a privacy issue for them. "Tag two friends in the comments" mechanics drag uninvolved people into a promotional context. Friends can object if they want.
  • Old posts on your public timeline are visible to anyone reviewing your entry — including the promoter and other compers. Don't post things on a public-comping account you wouldn't want a stranger seeing.
  • Hashtags you used in the entry are now permanent searchable history. Brand monitoring tools index them.

The practical advice: keep a separate social handle for serious comping if your real account contains anything personal. Lots of compers run a @yournamewins Instagram for this reason.

Putting it together: a comper's privacy checklist

If you take one thing from this article, take this list. Tick each box before you start entering comps in earnest:

  1. Create a dedicated comping email and use it for every comp.
  2. Use a strong, unique password on that email (and on Sweepzy, and on every comping-related account). Password manager strongly recommended.
  3. Enable two-factor authentication on the comping email — it's the single most powerful defence against account takeover.
  4. Set browser defaults to block third-party cookies and clear cookies regularly.
  5. Read the marketing tick-boxes on every entry form. Untick by default unless you actively want emails from that brand.
  6. Save the brand's data-protection email when you enter (it's in the privacy notice). Six months later when you want to be deleted, you'll have it.
  7. For social comps, audit your public profile. Anything you wouldn't want a stranger seeing comes down.
  8. Use a free competition tracker so you can see what you've entered, with whom, and when — useful for both win-tracking and "who do I need to deletion-request next?"
  9. Never share your bank details, NI number, passwords, or copies of ID at the entry stage.
  10. Know the ICO route if a brand misbehaves. Brand first, ICO if unresolved within a month.

When you actually win: what data the brand legitimately needs

A quick word on the post-win data ask, because winners sometimes panic when they're asked for more information after their win has been confirmed.

For a small prize (a hamper, a £25 voucher) the brand usually just needs your delivery address and you're done.

For a high-value prize (a car, a holiday, a TV, cash over £1,000) the brand often needs:

  • Photo ID to verify you're who you said you were and over 18
  • Proof of address (a utility bill or bank statement) for delivery and for fraud prevention
  • A signed declaration that you've complied with the rules
  • For cars and holidays: passport, driving licence, sometimes a credit check for vehicle insurance setup
  • For cash prizes over a threshold: bank details for transfer

This is normal and you should comply. The key sanity check: the ask comes after you've been notified as a winner from the brand's legitimate email/account, not before. Real brands ID-check winners; they don't ID-check entrants. The what to do when you win a competition guide has a full claim-stage checklist.

When privacy genuinely goes wrong: example scenarios

Three common things that actually happen and what to do.

You win a comp, then start getting marketing emails from brands you've never entered. Your data has likely been passed to a partner without proper granular consent. Reply asking to be removed, request deletion, save the evidence. If they ignore, ICO complaint route.

You ask a brand to delete your data and three months later you get a marketing email from them. They didn't propagate the request to their CRM. Reply with a copy of the original deletion request, give them 14 days, then escalate to the ICO.

A brand suffers a data breach and your comping email turns up on a "have I been pwned" check. Reset your comping email password immediately, enable 2FA if not already on, review any other accounts using the same email. Because it's a comping-only address with no banking or personal correspondence, the practical exposure is limited — this is exactly why the dedicated email matters.

For the financial side of winning (tax, declarations, business resale rules) see the competition tax and legal guide for UK winners.

A note on Sweepzy's own data handling

Since we're a UK competition tracker that holds your entries and contact details, we'll be transparent about our own footprint: we're UK-based, fully UK GDPR compliant, we keep only what we need to run the tracker, and you can delete your account and all associated data at any time from your profile settings. Our full privacy notice explains exactly what we collect, why, and who (if anyone) we share it with — short answer: we don't sell your data to anyone, ever.

If you want to start tracking your entries with a service that takes the comping-privacy stuff seriously, you can create a free Sweepzy account and use the tracker without giving us your real-name email if you don't want to — we accept any address.

Conclusion

Privacy in UK comping isn't about avoiding all data sharing — that would mean not entering competitions. It's about understanding the trade you're making, recognising what's normal versus what's a red flag, and using the small set of tools (comping email, deletion requests, ICO complaint route) that UK law puts in your hands.

Do the ten things on the privacy checklist above and you've solved 95% of the problem. The remaining 5% — the bad-actor brand that resells your data despite your unsubscribe, the agency that hangs onto your details after a deletion request — is what the ICO is there to handle. Use them when needed.

Comp confidently. Read the marketing boxes. Keep the comping email clean.
