Hacker News
by parenthephobia 3011 days ago
None, intrinsically.

But, receiving, storing, and/or processing personal data without consent is, in most situations, likely to be against the Privacy and Electronic Communication Regulations and the Data Protection Act. Additionally, information about political affiliation.

The key point in this case is that CA didn't have consent. CA don't dispute this, but say that they believed at the time that they did. It is a defence to show that you "exercised all due diligence" in complying.

ICO will be looking for not only evidence of the actual use of personal data, but also evidence regarding whether and to what extent CA were knowingly or recklessly non-compliant.