UK privacyJune 23, 20267 min read

How to Complain About a Company Misusing Your Data (New 2026 UK Right)

By Scott Anderson, Clearfront maintainer

Since 19 June 2026 you have a new statutory right in the UK: you can complain directly to any organization about how it handles your personal data, and it has to acknowledge you within 30 days. This is what the right actually says, how to use it, and what the wider Data (Use and Access) Act changed for you. This is general information, not legal advice.

What is the new right to complain about data use?

From 19 June 2026, the Data (Use and Access) Act 2025 gives you a statutory right to complain directly to an organization if you think it has broken data protection law, and it must acknowledge your complaint within 30 days. This is new. Before, your formal route was straight to the regulator.

The right was added by section 103 of the Act, which inserts a new section 164A into the Data Protection Act 2018. You can read the text on legislation.gov.uk. It applies to ordinary data processing and to law-enforcement data.

What the organization actually has to do

It must make complaining easy, acknowledge your complaint within 30 days, and then respond without undue delay. Note that the 30 days is for acknowledgement, not for resolving your complaint.

  • -Facilitate complaints, including by providing a complaint form you can fill in electronically
  • -Acknowledge receipt within 30 days
  • -Take appropriate steps to respond and tell you the outcome, without undue delay

That last point is where coverage often gets it wrong. There is no fixed deadline for the full response; the law says without undue delay. The 30 days is only the acknowledgement, counted in calendar days from the day after you complain.

Do you have to complain to the company before the ICO?

In practice, yes. The system is designed to be controller-first: you raise it with the organization, and if you are unhappy, you escalate to the Information Commissioner’s Office. The ICO expects you to have tried the organization first.

You keep your right to go to the ICO, and the organization’s response must remind you of it. But the ICO now expects the company stage to have happened, and it uses complaint volumes to spot patterns and target enforcement. The ICO guidance is at How to deal with data protection complaints.

How to make the complaint

  1. 1.Contact the organization: use its data protection complaint form if it has one, or email its data protection officer
  2. 2.Say clearly what you think it got wrong and what you want it to do
  3. 3.Keep a copy and note the date, so you can prove the 30-day clock started
  4. 4.If you are unhappy with the outcome, or hear nothing after a month, complain to the ICO at ico.org.uk/make-a-complaint

You do not need a lawyer or a specific form of words. A clear written complaint by email is enough.

What else the Data (Use and Access) Act changed for you

The Act amends UK GDPR rather than replacing it, and most of its changes came into force on 5 February 2026. A few affect you directly.

  • -Subject access requests: organizations only have to do reasonable and proportionate searches, and can pause the clock while they clarify your request
  • -Cookies: some low-risk cookies, like basic analytics and remembering your language, no longer need a consent banner, but advertising and tracking cookies still do
  • -Automated decisions: more are allowed, but you keep the right to be told, to ask for human review, and to contest the decision

Bigger picture, the fines for breaking the cookie and marketing rules jumped from a 500,000 pound cap to UK GDPR levels, up to 17.5 million pounds or 4 percent of global turnover, which gives those rules real teeth.

The myths worth knowing

  • -It does not repeal UK GDPR. gov.uk is explicit that the Act amends, not replaces, UK GDPR and the Data Protection Act 2018
  • -It did not end EU adequacy: the European Commission renewed the UK’s adequacy decision in December 2025
  • -The 30 days does not mean your complaint is resolved in a month; it is only the acknowledgement

If you have ever felt brushed off by a company’s privacy team, this right is worth knowing. It puts a clock on them and a regulator behind you.

Frequently asked questions

When did the new right to complain come into force?
19 June 2026. It was commenced separately from the main Data (Use and Access) Act reforms, which came into force on 5 February 2026, to give organizations time to set up complaint processes.
How long does a company have to respond to my data complaint?
It must acknowledge your complaint within 30 days. The full response is due without undue delay, with no fixed day count, so a complex complaint can take longer than a month to resolve.
Does the Data Use and Access Act replace GDPR?
No. It amends UK GDPR and the Data Protection Act 2018. Those remain the core of UK data protection law.

Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.