ICO Data Breach Complaints vs PECR Cookie Consent Complaints

The ICO handles two distinct complaint streams relating to digital privacy: data breach complaints under UK GDPR and cookie or electronic marketing complaints under PECR. They involve different laws, different enforcement powers, and different options for individuals.

| Feature | Data Breach Complaint (UK GDPR) | Cookie Consent Complaint (PECR) |
|---|---|---|
| Governing legislation | UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 | Privacy and Electronic Communications Regulations 2003 (PECR), implementing the EU ePrivacy Directive |
| Who can complain | Any individual whose personal data has been processed unlawfully, lost, or disclosed without authorisation | Any person who has received unsolicited direct marketing or been subjected to unlawful cookie tracking, including businesses |
| Time limit to complain to ICO | No strict statutory deadline, but ICO guidance suggests complaining within 3 months of the organisation's final response to you | No strict statutory deadline; ICO typically expects a complaint within 3 months of awareness; older complaints may receive lower priority |
| Evidence required | Evidence of the breach (notification letter, email, press report) and your link to the breached organisation; a DSAR response is useful | Screenshots of cookie banners or pop-ups, copies of marketing emails with full headers, evidence that consent was not validly given or that an opt-out was ignored |
| ICO enforcement powers | Reprimand, enforcement notice requiring remediation, assessment notices, and fines up to £17.5 million or 4% of global turnover (whichever is higher) | Enforcement notice, monetary penalty up to £500,000 (increasing to UK GDPR levels for the most serious breaches under proposed reforms) |
| Maximum fines available | Up to £17.5 million or 4% of annual global turnover under UK GDPR for the most serious infringements | Up to £500,000 under current PECR (proposed reform will align with UK GDPR fines in future) |
| Escalation route if ICO does not act | Judicial review of the ICO's decision; or a civil claim against the data controller directly under s.169 DPA 2018 | Judicial review of the ICO's decision; civil claims under PECR Regulation 30 for damages where individual harm is caused |
| Civil claim possibility | Yes: an individual can bring a court claim for material or non-material damage (including distress) against the data controller under UK GDPR Article 82 | Yes: Regulation 30 PECR allows individuals to claim compensation in court for damage caused by a PECR breach, but they must show actual damage |
| Retention of ICO records | ICO keeps records of formal complaints and investigations; these can inform future enforcement priorities | ICO publishes PECR enforcement actions; records are used to build pattern evidence for enforcement against repeat offenders |
| Sector regulator involvement | Financial services data breaches may also involve the FCA; healthcare breaches may involve the CQC; media breaches may involve Ofcom | Ofcom handles certain electronic communications matters; the FCA handles unsolicited financial promotions; the ICO handles all PECR cookie complaints |

The ICO cannot award compensation directly to individuals; it can only fine the organisation and require remediation. To recover compensation, you must bring a civil claim in court. The ICO's decision on your complaint can help evidence that civil claim. Always raise a complaint with the organisation first and allow them 4 weeks to respond before escalating to the ICO.

Related guides

Data Breach Complaints

A data breach occurs when your personal information is accessed, disclosed, lost, or stolen in a way that was not authorised. Whether the breach involved your financial details, health records, or contact information, you have rights under UK GDPR and the Data Protection Act 2018 — including the right to complain to the Information Commissioner's Office (ICO) and to claim compensation.

When a Company Has a Data Breach

A personal data breach occurs when an organisation accidentally or unlawfully destroys, loses, alters, discloses, or gives access to your personal data without authorisation. When this happens, UK GDPR places obligations on the organisation — including notifying you if the breach is likely to cause you harm — and gives you rights to complain and potentially claim compensation.

Cookie Consent and PECR: Your Digital Privacy Rights

Cookie banners, marketing emails, and tracking technologies are governed by the Privacy and Electronic Communications Regulations 2003 (PECR) alongside UK GDPR. Understanding your rights — and the obligations on organisations — helps you push back when consent is manufactured rather than freely given.

Complaining to the Information Commissioner about a Data Breach

The Information Commissioner's Office (ICO) regulates data protection in the UK. It handles complaints about misuse of personal data, failure to respond to Subject Access Requests, marketing breaches under PECR, and breaches of UK GDPR. Many complaints are resolved with a written reminder to the organisation; serious breaches lead to fines of up to £17.5 million. This guide explains how to use the ICO and how to claim separately for compensation.

UK GDPR Rights for Individuals

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) give individuals in the UK eight legally enforceable rights over how organisations collect, store, and use their personal data. These rights apply whether the data is held by a business, public body, or online platform.

Disclaimer

The information on this page was correct at the time of writing. Amounts, thresholds, and rules may change. Always check the latest official guidance.