does this not break privacy laws?
I think so! Under my understanding of the UK Data Protection Act (IANAL), this would have to be an opt-in scheme via a tick box on the contract. It used to be opt-out but this was changed.
Under the terms of the law an organization may not share personal data to another party without your consent. It's a pretty decent law, I don't know how the hell it got passed.
"The chain which can be yanked is not the eternal chain." -- G. Fitch