I’ve worked in data protection for years, but until now I had never filed a GDPR or PECR complaint. The only time I contacted the ICO previously was when their own website was dropping Google cookies without consent back when ePrivacy first came into force. I’ve never complained about another organisation — until this.
What changed? A shockingly inadequate response to the first DSAR I have ever submitted.
I contacted the company on 18 December 2025. What followed was over 4 months of apologies, delays, and vague reassurances — but never a definitive answer. Their final message promised a response “within 7 days”. Eleven days later, nothing. So I sent this:
Good morning {REDACTED},
It is now 11 days since your last email, and still no answer to my query.
I can only imagine no-one in the company
- believes their customers’ names, email addresses, search results and other sensitive data are being processed, or
- knows why it is being processed, or
- thinks it worth their while to reply to me.
I assure you that the personal data is being shared with other companies, without consent. I have sent you the evidence of this, including that at least one of these companies is a US-based self-declared data broker.
If it is being processed under another legal basis your customers have the statutory right to be told what it is.
They also have a statutory right to be informed of the purpose of the processing and what companies are processing it, either for you or for themselves.
If I do not get a satisfactory response by the end of the week I feel obliged to make a formal complaint.
This is not just about one company. It exposes a much wider and largely invisible problem: email addresses and other personal data are being quietly harvested by tens of thousands of online retailers and DTC brands, then passed on to countless third parties — without transparency, without consent, and without any meaningful accountability. Most people have no idea this is happening, and that’s exactly why it continues.
The lack of transparency is fundamental. The reason these third parties collect and share email addresses server-to-server is simple: to create a persistent tracking identifier that works across the web, even when people use browsers, devices or privacy tools designed to block tracking. It’s a workaround — a deliberate attempt to rebuild the surveillance ecosystem that modern browsers are trying to dismantle.
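As an added example (not part of this post, and not a tool of any company it mentions): the check an auditor can run over a site’s own outbound-request log to see which third-party hosts are being sent a customer’s email address. Everything in it is constructed: the email, the host names and the log entries. The post speaks only of email addresses being shared; the hashed forms the script also looks for (MD5, SHA-1 and SHA-256 of the lowercased address) are my assumption about how such identifiers are commonly transmitted, so the list of algorithms is a parameter you should extend to whatever you see in your own traffic.

```python
import hashlib
from urllib.parse import unquote, urlparse

# Constructed sample address; not a real person.
SAMPLE_EMAIL = "Jane.Doe@example.com"

# Assumed list of digest algorithms to check; extend as needed.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def identifier_forms(email: str) -> dict[str, str]:
    """Forms in which an address may travel: normalised plaintext plus
    lowercase hex digests of that normalised value (assumption, see lead-in)."""
    normalised = email.strip().lower()
    forms = {"plaintext": normalised}
    for algo in HASH_ALGORITHMS:
        forms[algo] = hashlib.new(algo, normalised.encode("utf-8")).hexdigest()
    return forms


def build_sample_log(email: str) -> list[dict]:
    """Constructed outbound-request log, in the shape an egress proxy or a
    server-side request log might record. Hosts are placeholders."""
    f = identifier_forms(email)
    return [
        # First-party checkout call: legitimately carries the address.
        {"method": "POST", "url": "https://shop.example/api/checkout",
         "body": f'{{"email":"{email}","basket":["item-123"]}}'},
        # Third-party "sync" call carrying a SHA-256 of the address.
        {"method": "POST", "url": "https://collector.tracker-example.net/v1/sync",
         "body": f'{{"em":"{f["sha256"]}","event":"purchase"}}'},
        # Third-party pixel carrying an MD5 of the address in the query string.
        {"method": "GET",
         "url": f"https://pixel.broker-example.com/p?e={f['md5']}&src=shop",
         "body": ""},
        # Unrelated asset fetch: should not be reported.
        {"method": "GET", "url": "https://cdn.assets-example.net/app.js",
         "body": ""},
    ]


def find_email_disclosures(email: str, log_entries: list[dict],
                           first_party_hosts: set[str]) -> list[dict]:
    """Return one finding per (request, form) where the address, in any of
    its forms, appears in the URL or body of a request to a non-first-party host."""
    forms = identifier_forms(email)
    findings = []
    for entry in log_entries:
        host = urlparse(entry["url"]).hostname or ""
        if host in first_party_hosts:
            continue  # the site itself is allowed to process the address
        # Percent-decode then lowercase so "Jane.Doe%40example.com" still matches.
        haystack = unquote(entry["url"] + " " + entry.get("body", "")).lower()
        for form_name, value in forms.items():
            if value in haystack:
                findings.append({"host": host, "form": form_name,
                                 "method": entry["method"]})
    return findings


if __name__ == "__main__":
    log = build_sample_log(SAMPLE_EMAIL)
    for hit in find_email_disclosures(SAMPLE_EMAIL, log, {"shop.example"}):
        print(f"{hit['method']} {hit['host']}: address sent as {hit['form']}")
```

Because the sharing described above happens server-to-server, a browser-side capture will not show it; the log fed to `find_email_disclosures` has to come from the retailer’s own outbound traffic (egress proxy, application logs or a capture on the server). Each host the script reports is one the privacy notice and the DSAR response ought to be able to name, together with the purpose and legal basis for sending the address there.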
When sensitive data leaks into opaque commercial ecosystems, people can be profiled, targeted or exploited in ways they never see coming — especially those who are vulnerable, unwell or simply trying to manage private aspects of their lives.
And let’s not forget: this isn’t the first time. Pharmacy2U was fined by the ICO in 2015 for unlawfully sharing patient data — a case the regulator described as a “serious error of judgement.” A decade later, the methods have evolved but the outcome is the same: people’s data is being used in ways they never agreed to and would never expect. If organisations don’t address this now, we risk sleepwalking into a world where consent is meaningless, privacy protections are performative, and sensitive health behaviour becomes just another data point in an unregulated commercial marketplace.
We've spent years tracing these hidden data flows, diagnosing tracking infrastructures, and helping organisations rebuild their systems so they are transparent, compliant and respectful of the people who rely on them. If you’re responsible for a digital service and want to understand what’s really happening under the hood — and how to fix it before regulators step in again — we’re here to help.