How to Build a Customer Data Platform for a UK Mid-Market Retailer Without Breaking PECR or UK GDPR

12 min read

Walks UK mid-market retailers through building a customer data platform that complies with PECR and UK GDPR. Covers platform selection between Segment, HubSpot, and Bloomreach, consent management, data residency, ICO enforcement priorities, and the specific traps in direct marketing law that CDP projects routinely fall into.

Written by Thomas Burke

If you run a mid-market retail business in the UK and want to unify your customer data across ecommerce, email, in-store, and paid media — you need a customer data platform. The problem is not choosing one. The problem is that the moment you start collecting, merging, and activating customer profiles, you are operating under two overlapping regulatory frameworks: UK GDPR for personal data processing and PECR for electronic marketing communications. Get either one wrong and the ICO can now fine you up to £17.5 million or 4 per cent of global turnover, whichever is higher. This guide explains how to build a CDP that works commercially without creating a compliance liability.

What a Customer Data Platform Actually Does

A CDP collects first-party customer data from every touchpoint — website visits, email clicks, purchase transactions, loyalty programme activity, customer service interactions — and stitches it together into a single profile per person. That unified profile then feeds personalisation engines, email marketing, paid media targeting, and analytics dashboards.

This is different from a CRM, which stores relationship data entered by sales teams, and different from a data warehouse, which stores raw data for analysts to query. A CDP sits between the two: it ingests data automatically, resolves identities across channels, and makes unified profiles available to marketing tools in real time.

For a UK mid-market retailer doing £10 million to £100 million in revenue, the business case is straightforward. You already have customer data in Shopify or Magento, in Mailchimp or Klaviyo, in Google Analytics, and probably in a loyalty database that someone built in Access in 2019. A CDP connects those sources so that when a customer buys in-store and then browses online, you recognise them as the same person and market to them accordingly.

The Regulatory Terrain You Cannot Ignore

Before selecting a platform, you need to understand the rules you are working under. UK retailers building CDPs face two distinct legal frameworks, and they interact in ways that catch people out.

UK GDPR governs how you collect, store, and process personal data. It requires a lawful basis for every processing activity (Article 6 lists six; for a retail CDP the realistic candidates are consent, legitimate interests, and contract), data minimisation, purpose limitation, and the ability to answer a data subject access request within one month (extendable by a further two months for complex or numerous requests).

PECR (the Privacy and Electronic Communications Regulations 2003) governs electronic marketing specifically. It sits alongside UK GDPR and applies in addition to it, not instead of it: where PECR's direct marketing rules apply you must satisfy them as well as having a UK GDPR lawful basis. The critical rule: you cannot send direct marketing by email, text, or automated call to an individual subscriber without their prior consent, unless they are an existing customer and the marketing relates to similar products or services to those they bought, or negotiated to buy, from you. This is the soft opt-in. It applies only to email and SMS (not calls), and it is narrower than people think.

Since August 2025, PECR penalties have been aligned with UK GDPR levels by the Data (Use and Access) Act 2025. This means the ICO can issue fines of up to £17.5 million for PECR breaches, a thirty-five-fold increase from the previous £500,000 cap. The ICO has stated that direct marketing enforcement is a priority for 2025-26, and the national compliance check programme expanded to cover the UK's top 1,000 websites in January 2025.

The practical consequence for CDP projects: every data flow that feeds a marketing channel must have a documented lawful basis, and consent records must be granular enough to prove compliance at the individual level.

Three Platforms Worth Considering

[Chart: CDP Platform Capability Comparison, scored 1 to 5. Subjective scoring of Segment, HubSpot, and Bloomreach across five criteria relevant to UK mid-market retailers. Source: CTC Editorial assessment 2026.]

The UK mid-market CDP space has consolidated around a handful of serious options. Here are three that represent different approaches.

Twilio Segment is the dominant CDP globally and the platform that defined the category. Segment collects events from websites, mobile apps, and servers via a lightweight JavaScript SDK or server-side libraries, resolves identities, and routes unified profiles to downstream tools — email platforms, ad networks, analytics, data warehouses. Segment does not itself send emails or run campaigns; it is plumbing, not a marketing tool. For UK mid-market retailers, Segment's CDP plans start at custom pricing typically in the range of £25,000 to £80,000 per year depending on monthly tracked user volume. The advantage is flexibility: Segment connects to over 400 destinations. The disadvantage is that you still need separate tools for activation, and the total cost of Segment plus Klaviyo plus a data warehouse adds up quickly.

HubSpot is not a traditional CDP, but its 2025 launch of Data Hub and Data Studio has moved it closer to CDP functionality. HubSpot now connects to external data warehouses (Snowflake, BigQuery), offers identity resolution through its contact deduplication engine, and provides a Quality Command Centre for data standardisation. For mid-market retailers already using HubSpot Marketing Hub Professional (£780 per month for 3 seats and 2,000 marketing contacts in the UK), the CDP-adjacent features come at a lower incremental cost than deploying Segment from scratch. The trade-off: HubSpot's identity resolution is less sophisticated than Segment's, and its real-time event streaming is limited compared to a purpose-built CDP.

Bloomreach is an ecommerce-native CDP that combines customer data unification with built-in personalisation, product recommendations, and marketing automation. For UK mid-market retailers, this is the platform where CDP and activation live in the same product — you do not need to bolt on a separate email tool. Pricing is usage-based, typically starting at £35,000 to £60,000 per year for mid-market deployments. Bloomreach stores European customer data in EU data centres, and its ecommerce focus means product catalogue data, browsing behaviour, and purchase history are first-class citizens in the data model rather than afterthoughts.

PECR Consent: Where CDP Projects Go Wrong

The single biggest compliance failure in UK retail CDP projects is consent management. Here is what goes wrong and how to prevent it.

Conflating UK GDPR consent with PECR consent. They are different things. UK GDPR consent is one of six lawful bases for processing personal data. PECR consent is a specific, prior permission to receive electronic marketing communications. You can have UK GDPR legitimate interest as your lawful basis for holding someone's purchase history in a CDP, but you still cannot email them a promotional offer without separate PECR consent — unless the soft opt-in applies.

Misapplying the soft opt-in. The soft opt-in under PECR Regulation 22(3) allows you to send marketing emails to existing customers without explicit consent, but only if: they gave you their email address during a sale or negotiation of a sale, the marketing relates to similar products or services, and you gave them a clear opportunity to opt out at the point of collection and in every subsequent message. A CDP that imports email addresses from an old loyalty database and starts sending promotional campaigns is almost certainly breaching PECR, because the original collection point likely did not meet all three conditions.

Failing to record consent granularly. A CDP must store not just whether someone consented, but when, how, what they were told, and what specific channels and purposes they consented to. The ICO expects organisations to demonstrate consent at the individual level. A checkbox that says "I agree to receive marketing" is too vague. You need separate records for email, SMS, phone, and post, with timestamps and the exact wording shown at the point of consent.

Ignoring the right to object. Under UK GDPR Article 21(2) an individual can object to direct marketing at any time and the objection is absolute; it also covers profiling carried out for direct marketing, so the CDP must stop building marketing segments from that profile, not merely stop sending. PECR separately requires a working opt-out in every message. The CDP must therefore suppress the profile on every marketing channel promptly. The ICO treats 28 days as the outer limit, and 48 hours is a sensible internal target. If your CDP feeds three different email tools and a paid media platform, the suppression must propagate to all of them, and you should verify that it did rather than assume it.
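One way to encode the four rules above as an activation guardrail, as an added example written for this article rather than code from Segment, HubSpot or Bloomreach. The consent record shape, field names and the sample profiles are assumptions; the three soft opt-in conditions are those of PECR regulation 22(3). The "similar products" test is approximated by product category, which is a modelling choice you would need to be able to defend.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The soft opt-in (PECR reg 22(3)) only covers "electronic mail": email and SMS.
ELECTRONIC_MAIL = {"email", "sms"}
ALL_CHANNELS = ("email", "sms", "phone", "post")


@dataclass
class ConsentRecord:
    """One channel-specific consent event. Hypothetical shape, not a vendor schema."""
    channel: str         # one of ALL_CHANNELS; one record per channel, never "marketing"
    granted: bool        # True = opted in; False = withdrawn or objected
    timestamp: datetime  # when the choice was recorded (UTC)
    source: str          # "checkout", "preference_centre", "pos", "legacy_import", ...
    wording: str         # exact text shown at the point of consent; "" if not captured


@dataclass
class Profile:
    profile_id: str
    consents: list[ConsentRecord] = field(default_factory=list)
    # Evidence for the soft opt-in, captured at the original collection point.
    collected_during_sale: bool = False          # address given during a sale/negotiation
    opt_out_offered_at_collection: bool = False  # simple means of refusal offered then
    purchased_categories: set[str] = field(default_factory=set)


def latest_consent(profile: Profile, channel: str) -> ConsentRecord | None:
    """Most recent record for a channel; a later withdrawal beats an earlier grant."""
    records = [c for c in profile.consents if c.channel == channel]
    return max(records, key=lambda c: c.timestamp) if records else None


def evidenced(record: ConsentRecord) -> bool:
    """Consent you could show the ICO: captured wording, not a bulk-imported flag."""
    return bool(record.wording) and record.source != "legacy_import"


def soft_opt_in_applies(profile: Profile, channel: str, category: str) -> bool:
    """All three reg 22(3) conditions must hold; any one missing means no soft opt-in."""
    return (
        channel in ELECTRONIC_MAIL
        and profile.collected_during_sale
        and profile.opt_out_offered_at_collection
        and category in profile.purchased_categories  # proxy for "similar products"
    )


def send_decision(profile: Profile, channel: str, category: str) -> tuple[bool, str]:
    """Return (may_send, reason). An objection on the channel always wins."""
    latest = latest_consent(profile, channel)
    if latest is not None and not latest.granted:
        return False, "objected"
    if latest is not None and evidenced(latest):
        return True, "consent"
    if soft_opt_in_applies(profile, channel, category):
        return True, "soft_opt_in"
    if latest is not None:
        return False, "consent_not_evidenced"
    return False, "no_permission"


def build_audience(profiles: list[Profile], channel: str, category: str) -> list[str]:
    """Activation guardrail: only profiles that pass send_decision enter the segment."""
    return [p.profile_id for p in profiles if send_decision(p, channel, category)[0]]


def record_objection(profile: Profile, now: datetime, destinations: list[str]) -> list[tuple[str, str]]:
    """Withdraw every channel and list the suppression each downstream tool must receive."""
    for ch in ALL_CHANNELS:
        profile.consents.append(
            ConsentRecord(ch, False, now, "preference_centre", "Unsubscribe from all marketing"))
    return [(dest, profile.profile_id) for dest in destinations]


# Constructed sample profiles (not real customer data).
T1 = datetime(2024, 3, 1, tzinfo=timezone.utc)
T2 = datetime(2025, 6, 1, tzinfo=timezone.utc)
ALICE = Profile("alice", [ConsentRecord("email", True, T1, "preference_centre",
                                        "Yes, email me offers from Example Retail")])
BOB = Profile("bob", collected_during_sale=True, opt_out_offered_at_collection=True,
              purchased_categories={"footwear"})
CAROL = Profile("carol", [ConsentRecord("email", True, T1, "legacy_import", "")])  # old loyalty flag
DAVE = Profile("dave", [ConsentRecord("email", True, T1, "checkout", "Email me offers"),
                        ConsentRecord("email", False, T2, "unsubscribe_link", "Unsubscribe")])
SAMPLE = [ALICE, BOB, CAROL, DAVE]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.profile_id, send_decision(p, "email", "footwear"))
    print(build_audience(SAMPLE, "email", "footwear"))
```

Carol is the imported loyalty database from the text: the flag says "yes" but there is no wording and no collection evidence, so she is excluded until re-permissioned. Bob never ticked a box but qualifies for footwear email under the soft opt-in, and fails for furniture or for a phone call. Dave's later withdrawal overrides his earlier consent, and record_objection shows the fan-out a single unsubscribe must produce.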

Data Residency and Storage

For UK mid-market retailers, where your customer data physically lives is a compliance consideration under UK GDPR.

Segment runs on AWS. Its default processing region is in the US; an EU data residency option (Ireland) exists, but it must be selected explicitly when the workspace is configured and is not the default. Routing UK customer personal data through US infrastructure is a restricted international transfer under UK GDPR, so you either use the EU regional option or put a transfer mechanism in place: the ICO's International Data Transfer Agreement, the UK Addendum to the EU standard contractual clauses (each with a transfer risk assessment), or, where the US importer is certified under it, the UK Extension to the EU-US Data Privacy Framework.

HubSpot hosts EU customer data in Frankfurt, Germany. For a UK retailer that is a transfer from the UK to the EEA, which UK GDPR permits under the UK's own adequacy regulations for EEA countries (not the EU's adequacy decision for the UK, which covers transfers in the opposite direction). HubSpot does not offer UK-specific data centre hosting.

Bloomreach hosts European customer data in EU data centres and is in the same position: lawful as a UK-to-EEA transfer under the UK adequacy regulations. Neither platform currently offers UK-only data residency.

For retailers subject to specific contractual requirements for UK-only data hosting (some franchise agreements and public sector supply chain contracts include this condition), none of these three platforms meets that requirement out of the box. You would need to negotiate bespoke hosting arrangements or consider a self-hosted CDP such as RudderStack deployed in AWS eu-west-2 (London) or Azure UK South.

Building the CDP in Stages

The mistake that mid-market retailers make is trying to build everything at once. A phased approach reduces risk and keeps the compliance workload manageable.

Stage one: audit and unify. Before connecting any tools, audit what customer data you hold, where it lives, and what consent basis exists for each dataset. Map every data source — ecommerce platform, email tool, loyalty database, in-store POS — and document what personal data each one contains. This audit is not optional; it is a UK GDPR requirement under Article 30 (records of processing activities). For a retailer with 6 to 10 data sources, budget two to four weeks for this stage.

Stage two: consent infrastructure. Implement or upgrade your consent management before connecting data sources to the CDP. This means a cookie consent platform on your website that meets PECR requirements (prior consent for analytics and marketing cookies, with granular options), email preference centres that record channel-specific consent with timestamps, and in-store data capture processes that include the PECR soft opt-in wording. Do not skip this step. Connecting data sources to a CDP without proper consent infrastructure is building on a foundation that will collapse under ICO scrutiny.

Stage three: connect and resolve. Connect your data sources to the CDP, starting with the two highest-value sources — typically your ecommerce platform and your email marketing tool. Configure identity resolution rules: how the CDP matches a website visitor to an email subscriber to a loyalty member. Test with a sample dataset before running against your full customer base. At this stage, restrict the CDP to profile building and analytics only — do not activate marketing campaigns until consent is verified across the unified profiles.

Stage four: activate with guardrails. Once profiles are built and consent status is verified, begin activating marketing channels one at a time. Start with email (lowest risk, easiest to control), then expand to paid media audiences, on-site personalisation, and SMS. Build suppression lists into every activation flow — the CDP should automatically exclude profiles without valid consent for each specific channel.

Stage five: DSAR and deletion readiness. A CDP that unifies customer data across ten sources also creates a single point of exposure for data subject access requests. Under UK GDPR, you have one month to respond to a DSAR with all personal data you hold on that individual. If your CDP contains the unified profile, your response must include data from every connected source. Build a DSAR response workflow before you go live: identify who receives requests, how they extract data from the CDP, and how they verify the requestor's identity. Similarly, the right to erasure means your CDP must be able to delete a profile and propagate that deletion to all connected downstream systems. Test this with a dummy profile before launch — deletion that works in the CDP but leaves orphaned records in Klaviyo or Google Ads is not compliant deletion.

Ongoing: consent decay monitoring. Consent is not permanent. UK GDPR sets no fixed expiry, but the ICO expects consent to be refreshed where the purposes or privacy notice have changed since it was collected, and consent gathered years ago under a different notice is hard to defend. Build a quarterly review into your CDP operations: flag profiles whose consent is older than a threshold you can justify (24 months is a common working figure, not an ICO rule), send a re-permission campaign, and suppress profiles that do not reconfirm. Be careful with the re-permission campaign itself: a message asking someone to re-consent is direct marketing, and the ICO has fined companies for sending re-permission emails to people who had opted out or had never consented. Send re-permission requests only to profiles you could still lawfully email today; for the rest, suppress rather than ask. This is tedious work, but it prevents the slow accumulation of stale consent that makes your entire database a liability.
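An added example of stages three and five together, written for this article and not taken from any of the three vendors: deterministic identity resolution over constructed records from an ecommerce store, an email tool, a loyalty database, a POS export and web events, followed by an erasure that propagates to every connected tool and then verifies nothing is left behind. Record shapes, connector names and the failed delete simulated in the ads connector are assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records from five sources (not real data). Field names are
# our own; a Shopify, Klaviyo or loyalty export will look different.
SOURCE_RECORDS = [
    {"id": "shop-1001", "source": "ecommerce", "email": "Ann.Lee@Example.com",   "loyalty_id": None,   "anon_id": "a-77"},
    {"id": "kl-2001",   "source": "email",     "email": "ann.lee@example.com",   "loyalty_id": None,   "anon_id": None},
    {"id": "loy-3001",  "source": "loyalty",   "email": None,                    "loyalty_id": "L-55", "anon_id": None},
    {"id": "pos-4001",  "source": "pos",       "email": " ann.lee@example.com ", "loyalty_id": "L-55", "anon_id": None},
    {"id": "web-5001",  "source": "web",       "email": None,                    "loyalty_id": None,   "anon_id": "a-77"},
    {"id": "shop-1002", "source": "ecommerce", "email": "bob@example.com",       "loyalty_id": None,   "anon_id": "a-91"},
]


def identity_keys(rec: dict) -> list[tuple[str, str]]:
    """Normalised identifiers that may link records; email is trimmed and lower-cased."""
    keys = []
    if rec.get("email"):
        keys.append(("email", rec["email"].strip().lower()))
    if rec.get("loyalty_id"):
        keys.append(("loyalty", rec["loyalty_id"]))
    if rec.get("anon_id"):
        keys.append(("anon", rec["anon_id"]))
    return keys


class UnionFind:
    """Disjoint sets over record nodes and identifier nodes."""
    def __init__(self) -> None:
        self.parent: dict = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve_identities(records: list[dict]) -> list[list[str]]:
    """Deterministic stitching: records sharing any identifier land in one profile.
    Returns the member record ids of each unified profile, sorted for stable output."""
    uf = UnionFind()
    for rec in records:
        node = ("record", rec["id"])
        uf.find(node)  # register records that carry no identifiers as singletons
        for key in identity_keys(rec):
            uf.union(node, key)
    groups: dict = defaultdict(list)
    for rec in records:
        groups[uf.find(("record", rec["id"]))].append(rec["id"])
    return sorted(sorted(g) for g in groups.values())


@dataclass
class Connector:
    """A downstream tool holding copies of records. fail_on simulates a delete the
    tool silently rejects, which is exactly the orphan the text warns about."""
    name: str
    held: set[str]
    fail_on: set[str] = field(default_factory=set)

    def delete(self, record_id: str) -> bool:
        if record_id in self.fail_on:
            return False
        self.held.discard(record_id)
        return True

    def holds(self, record_id: str) -> bool:
        return record_id in self.held


def erase_profile(member_ids: list[str], connectors: list[Connector]) -> dict:
    """Right to erasure: delete every record of a unified profile from every
    connector, then re-check each one. It only counts as erased if nothing remains."""
    for rec_id in member_ids:
        for c in connectors:
            if c.holds(rec_id):
                c.delete(rec_id)
    orphans = [(c.name, r) for r in member_ids for c in connectors if c.holds(r)]
    return {"erased": not orphans, "orphans": orphans}


def demo() -> dict:
    profiles = resolve_identities(SOURCE_RECORDS)
    ann = next(g for g in profiles if "loy-3001" in g)
    connectors = [
        Connector("cdp", {r["id"] for r in SOURCE_RECORDS}),
        Connector("klaviyo", {"kl-2001", "shop-1001"}),
        Connector("google_ads", {"web-5001", "shop-1002"}, fail_on={"web-5001"}),
    ]
    return {"profiles": profiles, "ann": ann, "erasure": erase_profile(ann, connectors)}


if __name__ == "__main__":
    print(demo())
```

Two things to take from running it. The five Ann records stitch into one profile only because each hop (mixed-case email, loyalty number, web anonymous ID) is normalised and treated as linking evidence; in production treat the anonymous ID as a weaker signal than a verified email or loyalty number, because a shared household device can over-merge two people, and an over-merged profile leaks one person's data into another's DSAR response or marketing. And the erasure report comes back with erased: False because the ads connector kept web-5001; a launch test that only checks the CDP's own store would have reported success.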

What This Actually Costs

[Chart: First-Year CDP Cost by Platform Route (£). Estimated total first-year cost for a UK mid-market retailer with 100,000-500,000 customer profiles, including platform, activation tools, and consent management. Source: CTC analysis based on vendor pricing, February 2026.]

For a UK mid-market retailer with 100,000 to 500,000 customer profiles, here is a realistic first-year budget.

Segment route: Segment CDP £30,000 to £60,000, plus email platform (Klaviyo £6,000 to £15,000), plus consent management platform (Cookiebot or OneTrust £2,000 to £8,000), plus data warehouse if needed (BigQuery or Snowflake £3,000 to £10,000). Total: £41,000 to £93,000 in the first year.

HubSpot route: Marketing Hub Professional £9,360 per year (£780 per month), plus Operations Hub Professional for data sync £6,000 per year, plus consent management platform £2,000 to £5,000. Total: £17,360 to £20,360 in the first year. Lower cost, but less sophisticated identity resolution and real-time capability.

Bloomreach route: Platform £35,000 to £60,000 (includes email, personalisation, and CDP), plus consent management platform £2,000 to £8,000. Total: £37,000 to £68,000 in the first year. Higher than HubSpot but includes activation tools that Segment charges separately for.

All figures exclude setup consulting, which for a mid-market CDP project typically runs £10,000 to £30,000 depending on the number of data sources and the complexity of your consent requirements.

The Honest Assessment

Building a compliant CDP is not a technology project — it is a data governance project that happens to involve technology. The retailers who get this right start with consent and work backwards to platform selection. The retailers who get it wrong start with a platform demo and discover their consent gaps six months later when the first ICO complaint arrives.

If your budget is under £20,000 per year and your primary need is better email targeting, HubSpot's Marketing Hub with Operations Hub gives you 80 per cent of CDP functionality at a fraction of the cost. If you are a serious ecommerce operation doing over £30 million in revenue and need real-time personalisation across web, email, and paid media, Bloomreach or Segment plus an activation layer is worth the investment.

Whatever you choose, do not treat PECR compliance as something you will sort out later. With the penalty alignment, a marketing automation mistake that could have cost at most £500,000 in 2024 now carries a statutory maximum of £17.5 million, and the ICO has named direct marketing as an enforcement priority. That is not a theoretical risk.

Frequently Asked Questions

Do I need a separate consent management platform alongside a CDP?

Yes, in practice. While Bloomreach and HubSpot include some consent tracking, none of the three platforms provide the granular cookie consent management that PECR requires for website tracking. Budget £2,000-£8,000 per year for a dedicated consent management platform like Cookiebot or OneTrust alongside your CDP.

Can I use legitimate interest instead of consent for CDP marketing?

For holding and processing customer data in the CDP itself, legitimate interest can work as your UK GDPR lawful basis — but it does not override PECR. You still need explicit consent or the soft opt-in for sending electronic marketing messages. Legitimate interest alone does not authorise promotional emails, texts, or automated calls.

What is the PECR soft opt-in and when does it apply?

The soft opt-in allows you to email existing customers without explicit consent, but only if three conditions are met: you collected their email during a sale or negotiation, the marketing relates to similar products, and you offered a clear opt-out at collection and in every message since. If any condition is missing, you need full consent.

Where does a CDP store my UK customer data?

Segment runs on AWS with an EU regional option, HubSpot hosts EU data in Frankfurt, and Bloomreach uses EU data centres. None offers UK-only hosting by default. Storing UK customer data in the EEA is lawful under the UK's adequacy regulations for EEA countries; routing it through US infrastructure needs a separate transfer mechanism. If you need UK-only data residency, consider a self-hosted option such as RudderStack in AWS eu-west-2 (London) or Azure UK South.

How long does a mid-market CDP project take to implement?

For a retailer with 6-10 data sources, expect 3-6 months from audit to first marketing activation. Stage one (data audit) takes 2-4 weeks, stage two (consent infrastructure) takes 4-6 weeks, stage three (connection and identity resolution) takes 4-8 weeks, and stage four (activation) is ongoing. Rushing the consent stages is the single biggest source of compliance failures.

Is HubSpot a real CDP or just a CRM?

HubSpot's 2025 launch of Data Hub and Data Studio moved it closer to CDP functionality — it now connects external data warehouses, offers contact deduplication, and provides data quality tools. It is not as sophisticated as Segment or Bloomreach for real-time identity resolution, but for mid-market retailers with under 200,000 customer profiles, it provides workable CDP-adjacent capability at a fraction of the cost.

About the Author

Thomas Burke

With a background in Film Studies, I bring a cinematic approach to corporate communications. I don't believe in simply pointing a camera; I believe in a full 360° support system. This means I work closely with marketing teams and IT leaders on: Pre-production strategy to clarify the message. Media training to ensure executives are comfortable and authoritative. End-to-end production that is cost-effective and seamless. My work is defined by absolute professionalism and high standards; a commitment that has led to successful projects for the world’s largest IT companies and the British Royal Family.