Your rights · UK & US
Company ignoring your data rights? Report it.
Data rights have teeth because regulators enforce them. If a company blanked your access request, refused an erasure request without grounds, mishandled a breach, or keeps calling a registered number — here is exactly where to take it, on both sides of the Atlantic. This is general guidance, not legal advice.
First: one written complaint to the company
Regulators on both sides expect to see that you gave the organisation a chance. Send one clear, dated complaint to its privacy contact: what you asked for, when, what the law required, and a 14-day deadline to put it right. Keep the copy. Either it fixes the problem — most do at this point — or it becomes the first exhibit in your report.
United Kingdom — the ICO
- Where: ico.org.uk/make-a-complaint — separate routes for data-protection complaints and nuisance calls/messages.
- When: after the organisation has had its chance — typically once the one-month response deadline has passed, or its final answer is inadequate. Complain within three months of that last meaningful contact.
- Include: your dated request, any reply, and your complaint letter. That paper trail is the entire case.
- What it can do: compel compliance, reprimand, and fine — up to £17.5m/4% of turnover for UK GDPR breaches, £500,000 for unlawful marketing under PECR.
- What it won't do: pay you compensation or act as your lawyer. It enforces the law; individual redress goes through the courts.
United States — FTC, state AGs and the CPPA
- FTC: report at reportfraud.ftc.gov (unwanted calls at donotcall.gov). It won't resolve your individual case, but reports drive pattern-based enforcement — including actions against data brokers.
- Your state attorney general: the direct route for violations of your state's privacy law — most AG offices take consumer complaints online and do pursue individual-scale disputes.
- California: CCPA/CPRA complaints can also go to the CPPA (cppa.ca.gov), which enforces the Delete Act — brokers who ignore DROP deletion requests face per-day penalties. See the Delete Act explained.
The evidence checklist
- Dated copy of your original request (SAR, erasure, opt-out)
- Proof of delivery — sent email, form-submission screenshot
- The company's response, or a note that the deadline passed in silence
- Your follow-up complaint to the company and any reply
- For nuisance calls: date, time, number and company name per call
The paper trail, kept for you
Every removal request BLACKEYES sends is logged with dates, recipients and responses — exactly the evidence a regulator asks for when a broker won't comply. See who holds your data first, free.
Run my free exposure checkFAQ
What does the ICO investigate?
Breaches of UK data protection law: ignored or refused subject access and erasure requests, personal data breaches, unlawful marketing calls and messages (PECR), and organisations processing data without a lawful basis. It prioritises cases showing a pattern of harm over one-off administrative slips.
What action can the Information Commissioner actually take?
Order an organisation to comply (enforcement notices), issue formal reprimands, and fine — up to £17.5 million or 4% of worldwide turnover for UK GDPR breaches, and up to £500,000 for unlawful marketing under PECR. The ICO won’t award you compensation; for that you’d pursue the company directly through the courts.
What is the ICO 72-hour rule?
Organisations must report a personal data breach that risks people’s rights to the ICO within 72 hours of becoming aware of it. It applies to the organisation, not to you — but if a company sat on a breach of your data, that delay is itself worth including in your complaint.
Does the FTC act on individual complaints?
Not individually — it doesn’t resolve personal disputes. Reports at reportfraud.ftc.gov feed a database used to build enforcement cases and identify patterns; FTC actions against data brokers have started exactly this way. For an individual remedy, your state attorney general is the more direct route.
Do I have to complain to the company before going to a regulator?
In the UK, yes in practice — the ICO expects you to have raised it with the organisation first and to show its response (or silence). One clear written complaint with a deadline is enough. In the US, no such requirement exists, but the same letter strengthens an AG complaint.