BlackEyes LogoBLACKEYES

Your rights · UK & US

Company ignoring your data rights? Report it.

Data rights have teeth because regulators enforce them. If a company blanked your access request, refused an erasure request without grounds, mishandled a breach, or keeps calling a registered number — here is exactly where to take it, on both sides of the Atlantic. This is general guidance, not legal advice.

First: one written complaint to the company

Regulators on both sides expect to see that you gave the organisation a chance. Send one clear, dated complaint to its privacy contact: what you asked for, when, what the law required, and a 14-day deadline to put it right. Keep the copy. Either it fixes the problem — most do at this point — or it becomes the first exhibit in your report.

United Kingdom — the ICO

  • Where: ico.org.uk/make-a-complaint — separate routes for data-protection complaints and nuisance calls/messages.
  • When: after the organisation has had its chance — typically once the one-month response deadline has passed, or its final answer is inadequate. Complain within three months of that last meaningful contact.
  • Include: your dated request, any reply, and your complaint letter. That paper trail is the entire case.
  • What it can do: compel compliance, reprimand, and fine — up to £17.5m/4% of turnover for UK GDPR breaches, £500,000 for unlawful marketing under PECR.
  • What it won't do: pay you compensation or act as your lawyer. It enforces the law; individual redress goes through the courts.

United States — FTC, state AGs and the CPPA

  • FTC: report at reportfraud.ftc.gov (unwanted calls at donotcall.gov). It won't resolve your individual case, but reports drive pattern-based enforcement — including actions against data brokers.
  • Your state attorney general: the direct route for violations of your state's privacy law — most AG offices take consumer complaints online and do pursue individual-scale disputes.
  • California: CCPA/CPRA complaints can also go to the CPPA (cppa.ca.gov), which enforces the Delete Act — brokers who ignore DROP deletion requests face per-day penalties. See the Delete Act explained.

The evidence checklist

  • Dated copy of your original request (SAR, erasure, opt-out)
  • Proof of delivery — sent email, form-submission screenshot
  • The company's response, or a note that the deadline passed in silence
  • Your follow-up complaint to the company and any reply
  • For nuisance calls: date, time, number and company name per call

The paper trail, kept for you

Every removal request BLACKEYES sends is logged with dates, recipients and responses — exactly the evidence a regulator asks for when a broker won't comply. See who holds your data first, free.

Run my free exposure check

FAQ

What does the ICO investigate?

Breaches of UK data protection law: ignored or refused subject access and erasure requests, personal data breaches, unlawful marketing calls and messages (PECR), and organisations processing data without a lawful basis. It prioritises cases showing a pattern of harm over one-off administrative slips.

What action can the Information Commissioner actually take?

Order an organisation to comply (enforcement notices), issue formal reprimands, and fine — up to £17.5 million or 4% of worldwide turnover for UK GDPR breaches, and up to £500,000 for unlawful marketing under PECR. The ICO won’t award you compensation; for that you’d pursue the company directly through the courts.

What is the ICO 72-hour rule?

Organisations must report a personal data breach that risks people’s rights to the ICO within 72 hours of becoming aware of it. It applies to the organisation, not to you — but if a company sat on a breach of your data, that delay is itself worth including in your complaint.

Does the FTC act on individual complaints?

Not individually — it doesn’t resolve personal disputes. Reports at reportfraud.ftc.gov feed a database used to build enforcement cases and identify patterns; FTC actions against data brokers have started exactly this way. For an individual remedy, your state attorney general is the more direct route.

Do I have to complain to the company before going to a regulator?

In the UK, yes in practice — the ICO expects you to have raised it with the organisation first and to show its response (or silence). One clear written complaint with a deadline is enough. In the US, no such requirement exists, but the same letter strengthens an AG complaint.