ListShield
PECR fines just jumped 35x to £17.5M. Audit your email list for consent compliance before the ICO does.
The Idea
An AI-powered email list compliance auditor for UK businesses. Connect your email platform (Mailchimp, Klaviyo, HubSpot, Instantly, or CSV upload), and ListShield scans every contact for valid consent evidence. It flags records with no opt-in timestamp, identifies bundled consent (illegal under PECR), detects contacts from purchased lists, and checks "soft opt-in" records against the legitimate interest test. Output: a downloadable ICO-ready compliance report with a risk score, a contact-by-contact audit trail, and a one-click cleanup tool to quarantine risky records. Think of it as a penetration test, but for your email list.
Why Now
On February 5, 2026, UK PECR fines jumped from £500,000 to £17.5 million (or 4% of global turnover). That is a 35x increase overnight. The ICO has been auditing aggressively: 65 fines for direct marketing violations since 2021, and they started auditing the top 1,000 UK websites in January 2025 with 134 out of 200 receiving warning letters. The ICO issues an average of 1.4 PECR fines per month. Every UK business with an email list is now sitting on dramatically higher risk, and most have no idea whether their consent records would survive an audit.
How to Build
Next.js frontend with a dashboard showing compliance score, risk breakdown, and per-contact status. Integrate with email platform APIs: Mailchimp, Klaviyo, HubSpot, and Brevo cover most of the market. Pull contact metadata: signup date, source, consent fields, engagement history. Use Claude to analyze consent patterns: flag missing timestamps, detect bulk imports without consent records, identify soft opt-in candidates, and check if unsubscribe mechanisms are compliant. Generate PDF reports styled for regulatory review. Add a Stripe-powered pay-per-audit model. Start with CSV upload for MVP, add platform integrations in week two.
Revenue Model
Freemium: scan up to 500 contacts free (shows risk score but not full report). Paid tiers: £29/audit for up to 5,000 contacts, £79 for up to 25,000, £199 for up to 100,000. Enterprise pricing for agencies running audits across multiple client lists. Recurring revenue via monthly monitoring: £19/month to continuously scan for new non-compliant additions. Upsell: "compliance certificate" badge businesses can display on their website (£49/year). Agencies managing multiple client email lists are the highest-value segment because they will run dozens of audits per month.
Effort
MVP in two weeks: CSV upload, Claude-powered consent analysis, PDF report generation, Stripe checkout. The core logic is pattern matching on contact metadata, which Claude handles well: detecting missing consent fields, flagging bulk import dates, checking for opt-in timestamps. Week three: Mailchimp and HubSpot API integrations. The hardest part is not the tech but understanding the actual PECR rules well enough to build accurate checks. The ICO publishes detailed guidance that can be encoded into the analysis prompts. No HMRC integration needed, no financial data, just email list metadata.
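The consent checks described under The Idea, How to Build and Effort, as an added rule-based example that is not ListShield's code: it runs over a constructed CSV export (column names, the bulk-import threshold and the soft opt-in test are assumptions) and flags missing opt-in timestamps, bundled consent, missing unsubscribe mechanisms, and clusters of consent-less records sharing one import timestamp.

```python
import csv
import io
from collections import Counter

# Constructed sample export, not real data; column names are assumed and a real platform export would need mapping onto them.
SAMPLE_CSV = """email,source,consent_ts,consent_scope,import_ts,is_customer,unsubscribe_offered
a@example.com,web_form,2024-03-01T10:00:00Z,marketing,,no,yes
b@example.com,web_form,,,,no,yes
c@example.com,checkout,2024-04-02T12:00:00Z,terms+marketing,,yes,yes
d@example.com,import,,,2023-05-05T09:00:00Z,no,no
e@example.com,import,,,2023-05-05T09:00:00Z,no,no
f@example.com,checkout,,,2024-06-01T08:00:00Z,yes,yes
g@example.com,import,,,2023-05-05T09:00:00Z,no,no
"""

BULK_IMPORT_MIN = 3  # assumed threshold: this many consent-less records sharing one import timestamp
LOW_RISK = {"soft_opt_in_candidate"}  # needs human review, not an outright failure

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(rows):
    """Map each email to a list of finding codes (empty list = no issue found)."""
    # Clusters of consent-less records sharing an import timestamp point to a bulk or purchased-list import.
    bulk = Counter(r["import_ts"] for r in rows if not r["consent_ts"] and r["import_ts"])
    findings = {}
    for r in rows:
        f = []
        if not r["consent_ts"]:
            # Soft opt-in: details obtained during a sale to an existing customer, with an opt-out offered.
            if r["is_customer"] == "yes" and r["source"] == "checkout" and r["unsubscribe_offered"] == "yes":
                f.append("soft_opt_in_candidate")
            else:
                f.append("no_opt_in_timestamp")
        elif "+" in r["consent_scope"]:
            # Marketing consent bundled with terms acceptance is not a free, specific choice.
            f.append("bundled_consent")
        if r["unsubscribe_offered"] != "yes":
            f.append("no_unsubscribe")
        if not r["consent_ts"] and bulk[r["import_ts"]] >= BULK_IMPORT_MIN:
            f.append("bulk_import_no_consent")
        findings[r["email"]] = f
    return findings

def risk_score(findings):
    """Percentage of contacts with at least one high-risk finding, 0-100."""
    high = sum(1 for f in findings.values() if set(f) - LOW_RISK)
    return round(100 * high / len(findings)) if findings else 0
```

Running `audit(load_rows(SAMPLE_CSV))` flags five of the seven constructed contacts as high risk (score 71) and marks one as a soft opt-in candidate for review.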
Reddit Signal
UK Business Forums shows the exact pain: one poster described inheriting a 30,000-contact email list with zero GDPR preparation, no cookie banner, and unclear consent records. The expert response suggested a "gentle re-confirmation email" but acknowledged the awkwardness. Across r/smallbusiness and r/marketing, a recurring pattern: businesses asking whether they need to re-consent their existing lists, confusion about the soft opt-in exemption, and anxiety about ICO enforcement. The Electricians Forums and Overclockers UK forums both had threads about MTD and PECR software, with users describing compliance tools as "a nightmare" and asking for simpler options. Signal is moderate but consistent, and the February 2026 fine increase has not yet fully hit mainstream awareness.
Risk
The main risk is liability: if your tool says a list is compliant and the ICO disagrees, you have a problem. Mitigate with clear disclaimers ("this is an automated assessment, not legal advice"). Competition from big players is low because Mailchimp and HubSpot have no incentive to tell customers their lists are non-compliant. The niche risk is that the ICO focuses enforcement on large companies, not SMEs, which could reduce urgency for the target market. However, the ICO has historically fined businesses of all sizes for direct marketing violations, including a £70,000 fine to a small claims management company.
Verdict
Strong regulatory tailwind with a 35x fine increase that most UK businesses have not processed yet. The gap is clear: email platforms will not flag their own users for non-compliance, and most businesses have no way to audit their consent records without hiring a data protection consultant (£150-300/hour). The tool is buildable with Claude plus email platform APIs, and the per-audit pricing model means revenue starts immediately. The risk is liability and whether SMEs feel the urgency enough to pay. A 7/10 because the timing is excellent but the market needs education before it buys.
PECR fines just jumped 35x and most UK businesses have email lists with questionable consent records. ListShield fills a clear gap: no email platform will audit its own users for compliance, and hiring a data protection consultant costs £150-300/hour. Build the automated version, charge £29-199 per audit, and ride the regulatory wave before the first wave of SME fines makes the news.