A popular UK website used cookies to track me from the moment I visited their website, before their ‘consent’ popup was even shown. It was also harder to reject than to accept tracking cookies, because registration and payment were required to reject. Worse still, even after I’d paid to reject tracking cookies and have a ‘tracking-free’ experience, the website tracked me for behavioural advertising anyway: consent or pay had become consent AND pay. So I sent them a UK GDPR objection and a legal letter of claim, with the intention of taking them to court. The bungling ICO bizarrely refused to investigate my complaints until I sent them a formal legal letter threatening a judicial review, raising serious concerns about the ICO’s ability to regulate non-compliant ‘consent or pay’ models.

Table of contents

How ‘consent or pay’ became ‘consent AND pay’
Civil claim for breach of contract and breaches of the UK GDPR and PECR
Bungling ICO initially refused to investigate
Judicial review threat forces ICO into action

Introduction

An increasing number of websites are reportedly considering switching to a ‘consent or pay’ model for unnecessary tracking cookies. This means users are forced to pay money, usually through a subscription, to exercise their right to refuse consent for unnecessary tracking cookies. In my view, the vast majority of ‘consent or pay’ models are unlawful and unworkable under the current legislation, including the UK GDPR, PECR, the Consumer Protection from Unfair Trading Regulations 2008, and the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. I previously explained this in my response to the ICO’s recent consultation.

Most of the websites I visit do not use ‘consent or pay’ models. However, a select few websites I occasionally visit have recently started forcing me to either pay or accept intrusive tracking. This is despite the fact that the ICO had warned that their consultation should not be construed as a suggestion that ‘consent or pay’ models are legally compliant. Since the events of this article took place, the ICO has also published ‘draft’, non-statutory, non-binding guidance suggesting it may in some cases be lawful (with which I largely disagree). However, the particular ‘consent or pay’ model under consideration in this article also fell foul of the ICO’s new non-binding guidance in many ways.

Read on for details about how ‘consent or pay’ became ‘consent AND pay’, how I exercised my private civil rights to obtain redress, and my correspondence with the ICO which initially refused to investigate my complaint.

How ‘consent or pay’ became ‘consent AND pay’

The data controller of this particular website (let’s call them Y) offered me a ‘choice’ when I visited their website in mid-2024: subscribe for approximately £5 per MONTH to remove all advertising and tracking, or accept tracking for unnecessary behavioural advertising purposes.

As seems to be fairly commonplace with non-compliant controllers, however, tracking cookies for analytics and advertising purposes had already been placed and processed before the ‘choice’ popup had even been shown.

It should be noted that the offered ‘choice’ was unlikely to result in freely given consent, because accepting required only a single click on the accept button, whereas the only way to reject unnecessary advertising tracking cookies was to click the ‘pay’ button, following which a lengthy registration and subscription payment process had to be completed with multiple clicks and keyboard input. As part of this registration process, I was required to provide a plethora of unnecessary personal data and my payment card details. I was also required to enter into a subscription contract and make a financial transaction.

The additional effort required to reject compared to accepting constitutes detriment, meaning any ‘consent’ is not freely given. It is also in direct breach of Article 7(3) UK GDPR, as it was obviously not as easy to refuse/withdraw consent as it was to give it.

It was also not possible to pay for a single website visit. The absolute minimum subscription period I could subscribe for was one month, with automatic renewals taking place thereafter. This particular website is not one that I continuously visit throughout any given month: I perhaps visit it at most a single-digit number of times per month. As such, it is also completely implausible that the website operator would earn a monthly sum equal to the subscription value from my website visits through behavioural advertising. This is further evidence that the ‘fee’ is entirely inappropriate and simply a well-disguised attempt at forcing me to accept tracking cookies for advertising purposes.

It was also impossible to reject unnecessary analytics tracking cookies. Such tracking cookies also require consent under PECR. As consent must be specific and sufficiently granular, it must be possible to e.g. reject analytics cookies but accept advertising cookies and vice versa.

Additionally, it was not possible to pay to refuse all unnecessary cookies and still access the website with contextual (non-personalised) advertising. The only two options were to accept all unnecessary cookies (including non-advertising tracking cookies), or to pay to remove ALL advertising from the website.

I decided to click the reject button, but was not prepared to simply hand over lots of my personal data and subscribe just to exercise my right to refuse consent for unnecessary cookies. Therefore, I went back to the main banner and clicked accept, despite not genuinely wanting to accept unnecessary cookies. In my view, the subsequent unnecessary data processing and cookie placement was unlawful, as no valid consent had been obtained through the accept button (it wasn’t freely given).

Nevertheless, I was not happy about being extensively tracked by over 100 ‘partners’. Therefore, I ultimately reopened the ‘choice’ popup to withdraw the ‘consent’. To do so, I was forced to go through the registration and payment process, which I completed. This was clearly not as easy as clicking the Accept button.

However, even after registering, paying and entering into a subscription to avoid tracking and advertising, Y still continued tracking me for behavioural advertising and analytics purposes, including through unnecessary cookies. This was in clear breach of my contract with Y, which provided that no cookies may be placed for advertising purposes and that no associated tracking may take place.

Tracking and data sharing even took place with an opaque gambling website operator, despite it not being listed in Y’s list of partners.

Civil claim for breach of contract and breaches of the UK GDPR and PECR

I sent Y a data protection complaint and letter of claim in respect of their cookie and tracking practices. In summary, I alleged that:

  • Before the initial cookie banner was shown, Y placed tracking cookies for unnecessary analytics and advertising purposes and performed associated data processing, in breach of regulation 6 of PECR and article 5(1)(a) UK GDPR.
  • The ‘consent’ obtained by clicking the accept button was not valid, in breach of articles 4(11) and 7(3) UK GDPR:
    • it was not freely given, as it was easier to accept (1 click) than to reject (multiple clicks, completion of a registration form, authorisation of recurring payments).
    • it was not specific, as consent could not be given for analytics and advertising cookies independently from each other. It was also impossible to consent to some partners’ tracking but not others: it was an all-or-nothing choice.
    • it was not informed, as the gambling operator partner was not listed.
    • it could not be withdrawn/rejected as easily as it was given.
  • The forced collection of my name, email address, partial date of birth, and payment information, just to be able to refuse consent for unnecessary cookies, was unfair, in breach of article 5(1)(a) UK GDPR.
  • Y continued tracking me for analytics and behavioural advertising purposes after I had paid them not to do so, in repudiatory breach of contract and in breach of regulation 6 PECR and article 5(1)(a) UK GDPR.
  • Y failed to take proper action on my article 21(2) UK GDPR objection against direct marketing processing, including profiling through advertising cookies, free of charge pursuant to article 12(5) UK GDPR.

A ‘repudiatory’ breach of contract can be described as a breach going to the very core of the contract. It gives the innocent party the option of terminating the contract immediately. Shortly after realising that Y was continuing to track me despite my payment, I therefore chose to terminate the contract due to Y’s repudiatory breaches, also entitling me to damages.

Even if no breach had occurred, I could have also chosen to exercise my right to cancel under chapter 3 of the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. Normally, this must be done within 14 days and the trader must only refund an amount proportionate to what has been used. However, Y had failed to properly inform me about my right to cancel and had not obtained my express permission to start providing me with their tracking-free website service immediately. Because of this, I could have chosen to cancel within 12 months of the start of the contract, entitling me to a full refund.

As part of my letter to Y, I claimed damages (compensation) for both material (financial) and non-material damage (e.g. annoyance, distress, frustration, loss of control). Both regulation 30 of PECR (eprivacy law) and article 82 UK GDPR (data protection law), as well as contract and consumer protection law, provide a right to such damages (particularly in the context of this contract, the whole point of which was to avoid intrusive tracking and provide peace of mind).

Furthermore, I demanded that Y stop tracking me for advertising purposes without my consent, failing which I would ask the court for a compliance order under S.167 Data Protection Act 2018.

Y’s response: De minimis threshold and Bundeskartellamt

Y responded, admitting some of the breaches I had alleged but denying others. Y cited the CJEU judgment in C-252/21, the case between Meta Platforms and the Bundeskartellamt, in support of ‘consent or pay’ more generally. Y also disputed liability for the non-material damage, citing the de minimis threshold (as referred to in Lloyd v Google).

However, the single CJEU comment Y relied on was clearly obiter and had been omitted from the operative part of the Bundeskartellamt judgment. The facts in that case did not involve anything like Y’s ‘consent or pay’ model and the parties had made no submissions on the issue, meaning it had no binding effect whatsoever and was of very limited, if any, assistance. In any event, the EDPB’s subsequent Opinion 08/2024 stated it would not normally be possible to comply with the consent requirements when using a ‘consent or pay’ model like Y’s.

Furthermore, the de minimis threshold Y relied on had only been held to apply to claims under the Data Protection Act 1998 in Lloyd v Google. It is not currently a settled point of UK law as to whether such a threshold applies to claims under the (UK) GDPR: Farley & Ors v Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB) at para 159. In fact, the available CJEU authority clearly states that no ‘de minimis’ threshold exists (although this case is not binding on UK courts, they may have regard to it): Case C-300/21, UI -v- Österreichische Post AG at para 51.

In any event, the judgment in Lloyd only applied to the old data protection law regime. It did not extend to claims in eprivacy or contract law, both of which I was also claiming under, nor to claims under the new UK GDPR.

Even if the de minimis threshold did apply to my claim under the UK GDPR (which I did not accept), I considered the threshold was still comfortably surmounted in my case. In Lloyd v Google LLC [2019] EWCA Civ 1599 at para 55, the Court of Appeal described the de minimis threshold as precluding a claim for damages for an accidental one-off data breach that was quickly remedied. It then ruled that the threshold was surmounted when data was deliberately and unlawfully misused, for commercial purposes, without user consent and in violation of their established right to privacy. It is abundantly clear that the breaches I alleged were systemic, repeated, serious, deliberate/negligent breaches for Y’s commercial purposes, rather than “an accidental one-off data breach that was quickly remedied”.

Additionally, in Lloyd v Google LLC [2021] UKSC 50, the claimant attempted to advance a collective opt-out style claim and was not actually seeking to prove that damage had been suffered by reason of Google’s cookie tracking (see para 105). This is in stark contrast to my claim. Crucially, in Lloyd, the Supreme Court ruled: “There is no doubt that the claimant is entitled to advance a claim against Google on this basis in his own right which has a real prospect of success” (para 23).

This part of the Supreme Court’s judgment in Lloyd v Google clearly applied to my claim. It is this crucial part that is often overlooked or misunderstood by those claiming that Lloyd makes claims for less serious types of non-material damage impossible. The rejection of Lloyd’s claim by the Supreme Court was based on the opt-out class-action nature of the claim, where the claimants were not actually trying to prove they had suffered recoverable damage. However, for individual claims where the claimant was seeking to prove non-material damage, the Court of Appeal had ruled that unlawful tracking for commercial gain clearly surmounted the de minimis threshold, which the Supreme Court effectively reaffirmed by stating Lloyd would have had a real prospect of success if he had sought to prove he had suffered damage himself. Further support for my position can be found in e.g. Google Inc v Vidal-Hall & Ors [2015] EWCA Civ 311 at para 138.

Therefore, even if the de minimis threshold did apply to the UK GDPR part of my claim (which I did not accept), the damage I had suffered still fell comfortably above this threshold and was recoverable in my view. And that’s before even considering the eprivacy and contract elements of my claim, to which the de minimis threshold in Lloyd has no relevance.

Following discussion with Y about my civil claim, Y resolved it to my satisfaction, as part of which Y paid compensation.

Bungling ICO initially refused to investigate

It is my view that the ICO’s generally poor handling of data protection complaints discourages people from submitting them, with over 99% of complaints resulting in no formal action. Taking direct action through civil litigation for compensation and a compliance order is usually far more effective (and the ICO actually encourages people to do this as an apparent excuse for failing to take formal enforcement action on complaints properly).

However, given the seriousness of the breaches and the large number of people that were likely being affected, I had also submitted a complaint about Y to the ICO. This included all the elements of my legal letter of claim to Y (see above). But the ICO egregiously tried putting my complaint in the bin without any investigation – after making me wait for over 4 months for an initial response.

I now include the relevant extracts from my initial correspondence with the ICO. Scroll down to the next section for more details about how my judicial review threat forced them into action.

The material extract from the ICO’s initial response was as follows:

Thank you for your correspondence in which you have complained about Y and its use of a consent or pay approach to cookies. Please accept my apologies for the delay in our response, owing to the large number of complaints we are receiving.

We have now published our guidance on ‘consent or pay’ models here: Consent or pay | ICO

We have also announced plans to bring the UK’s top 1,000 websites into compliance with data protection law. You can find more information in this regard here:
ICO takes action to tackle cookie compliance across the UK’s top 1,000 websites | ICO

Where your concerns about an organisation’s use of cookies remain, you can report your concerns to us here:
Cookies | ICO

Although we don’t respond individually to concerns raised about cookies, we use the information we receive through the cookies reporting tool to:

  • monitor organisations’ adherence to the rules;
  • identify sectors where we might need to make contact or take enforcement action; and
  • work out if organisations might need further guidance.

I responded in the following terms:

Thank you for your email providing some general information about the ICO’s recent activity on cookies and draft guidance on consent or pay.

Please can you set out the next steps in the investigation of my UK GDPR/DPA2018 complaint about my personal data? For the avoidance of doubt, the complaint is not a S.32 PECR complaint limited to the mere placement of cookies; and the processing complained of is also in breach of the new draft consent or pay guidance (such as the equivalent alternative, appropriate fee and privacy by design principles), not least because tracking even took place after I had paid for this not to happen.

The ICO responded some time later:

Whilst you have referred to the UK GDPR/DPA 2018 in your complaint with Y, the heart of your complaint relates to its use of cookies. As explained in my letter, you can report your concerns regarding an organisation’s use of cookies via our online reporting tool. If you wish, I can submit the report based on the information you have provided.

In light of the above, we will keep a record of this complaint on file for intelligence purposes, however we do not intend to investigate this individual case further at this stage.

The ICO therefore simply refused to investigate my data protection complaint because it involved cookies. The ‘keeping of a record’ of the complaint is nothing other than the automated processing of a webform that has no real further effect.

The further irony in this frankly woeful response was that I had already submitted the mere cookie placement part of my complaint through the ICO’s cookies reporting tool at the same time as I had submitted my broader data protection complaint. I therefore requested a case review through the ICO’s formal process, advancing two grounds, summarised as follows:

  1. My data protection complaint falls within scope of S.165 DPA2018 and Article 77 UK GDPR, meaning a referral to the ICO’s S.32 PECR cookie reporting tool was not a sufficient response. It also contained parts not directly relating to the placement of cookies (e.g. the sharing of my website behaviour and other personal data with partners and the improper compliance with my objection).
  2. It is objectively necessary and appropriate to investigate my complaint, with reference to the ICO’s regulatory action policy. In summary, this was because of the large number of people affected, the fact I had suffered direct financial damage and non-material damage, and the fact that the ICO had previously issued a reprimand for less serious, similar breaches in Bonne Terre.

The ICO’s reviewing officer responded shortly afterwards, materially stating the following:

I understand we have investigated your data protection complaint about Y and you’re unhappy with/concerned about how your Case Officer has handled your complaint and the outcome that the ICO has reached.

I have considered the points you have raised and have also reviewed the relevant information we hold about your case. I am satisfied that the [case officer] dealt with your complaint appropriately and in line with our case handling procedures.

In this case [incorrect case officer name] explained the reasons for his view in the correspondence of [date] and further expanded on this stance in his correspondence dated [date].

Having reviewed the matter, I am satisfied that [case officer name] dealt with your complaint appropriately. As such this is not something that we intend to pursue further.

[…]

Under data protection legislation (Section 165 of the Data Protection Act 2018) we must investigate a complaint to an appropriate extent, and inform you of the outcome. Part of this process includes considering whether further action is necessary or appropriate, in line with our Regulatory Action Policy.

So many things were wrong with this case review response. Firstly, it completely failed to substantively engage with the detailed grounds I had advanced to challenge the initial outcome. It essentially contained no substantive reasons.

Secondly, it stated that the ICO had “investigated” my complaint, when the whole point of the case review request was that I was asking the ICO to investigate my complaint. Thirdly, it contained the name of a different case officer to the one that had initially dealt with my complaint.

All in all, the response can only be described as dreadful. I suspected it had been largely copy-pasted from a template and that my arguments had not actually been properly considered.

I therefore responded to the ICO in the following terms:

I note that you are satisfied that my complaint was dealt with appropriately. However, I have the following requests for clarification about your review:

  1. You state that the ICO has “investigated” my data protection complaint. However, the whole point of my review request was that the case officer had refused to investigate my complaint, as confirmed in the correspondence.
    a. Please therefore confirm if the ICO has communicated with Y about my complaint and, if so, provide a copy of this correspondence.
    b. Please also outline any other investigative steps the ICO has taken as a result of my complaint, such as visiting Y’s website.
  2. You refer to “relevant information” the ICO holds about my case. To the extent that this consists of information outside of my correspondence with the ICO, please provide me with a copy of this relevant information.
  3. You refer to an explanation by “[wrong case officer name]”. However, I have received no correspondence from [wrong case officer name] and am not aware of her involvement. Please confirm the role that [wrong case officer name] had in reviewing my complaint.
  4. On [date], the case officer stated that, whilst I referred to the UK GDPR/DPA 2018 in my complaint, the heart of my complaint relates to cookies. From this, it appears that the case officer refused to investigate my complaint because he believed it did not involve the processing of my personal data and the complaint was therefore out of the scope of S.165 DPA2018. Please confirm if this is correct. Are you therefore rejecting my review request on the basis of a failure of Ground 1 of my request?
  5. You refer to the ICO’s Regulatory Action Policy (RAP) for deciding whether further action is appropriate. Please provide the ICO’s assessment of why an investigation of, or further action on, my complaint is not appropriate, with reference to the factors listed in the RAP.

The ICO’s case review officer responded:

Firstly, allow me to apologise for any confusion that may have been caused by me referring to your Case Officer by “[wrong case officer name]”. This was a typo on my part and I apologise for this error. To be clear, your case was handled exclusively by your Case Officer, [case officer name].

It is noted that you remain unhappy with the handling of your complaint after your Case Review. Please note that this review was the final step of the ICO’s internal process. As such, the ICO does now consider this matter to be closed.

Any outstanding complaints should now be raised with the Parliamentary and Health Service Ombudsman via your MP.

I was not satisfied with this and considered that the ICO was in breach of its common law duty to provide adequate reasons for its decision. I thus responded in the following material terms:

I note your comments about the ICO’s internal process having ended and approaching the PHSO. However, in my email, I did not seek to raise further substantive complaints, nor did I seek to challenge the review outcome.

My email requested clarification about your review outcome, as I do not fully understand it. This is because the review outcome did not contain sufficient substantive reasoning (indeed, it appears to have been largely copy-pasted from a template). It was also inconsistent with the initial outcome from [case officer name] in some areas.

To the extent that you are not prepared to respond to my requests for clarification as a straightforward request, I would highlight that my points constitute requests for information within scope of S.1 FOIA2000. I would therefore expect a response to these points by [date] at the latest in any event.

Regarding my point 4, it would seem sensible to explain whether my review request failed on Ground 1, Ground 2 or both to allow me to properly understand the outcome. To the extent that you are not prepared to simply explain this, I consider that there is a common law duty on the ICO (being a public authority whose decision-making is subject to judicial review in the Administrative Court) to provide adequate reasons for its decision about my statutory complaint: see Independent Assessor v O’Brien and others [2004] EWCA Civ 1035 at paragraph 77. This is because adequate reasons are required: (i) to enable me to know on what basis my complaint (or parts of it) have been accepted or rejected; and (ii) to enable me to determine whether I have grounds for challenging it by way of judicial review. In this context, I also ask that you respond to point 4.

The reviewing case officer responded:

It is noted in your correspondence dated [date] that you wish to request information in relation to the outcome of your Case Review under the scope of the Freedom of Information Act 2000.

Please note that whilst you are entitled to submit a Freedom of Information request to the ICO, the information you are seeking would not fall under the scope of what information you would be entitled to request.

This is because you are unable to request information which relates to yourself under the Freedom of Information Act 2000. To request this, you may submit a Subject Access Request under Article 15 of GDPR.

However please note that under such a request, the ICO would be obliged to provide you with all information which we hold in relation to you. It is important to note however that the ICO would not be obliged to create any new information which we do not currently hold.

If you would like to submit a Subject Access Request, please confirm this in your reply to this e-mail and your request will be referred to our Information Access department for processing.

Under data protection legislation, an organisation is afforded up to a calendar month to respond to any Subject Access Request that they receive.

Can you spot the inaccuracies? I think it’s shocking that an ICO case officer dealing with data protection complaints does not know that DSARs can be made through any channel and do not necessarily require the controller to provide all of the information it holds; indeed, the ICO’s own guidance explicitly recommends narrowing DSARs to what is relevant. I responded in the following material terms:

You refer to my correspondence of [date]. In this correspondence, I reminded you that certain requests in my email of [date] constitute requests for information under FOIA and required the ICO’s response by [date].

I do not agree with your assertion that my requests do not fall within scope of FOIA. While some of the documents/information I requested may contain my personal data, this does not mean that the information as a whole falls outside of the scope of S.1 FOIA (although the S.40 FOIA exemption is likely to apply to certain parts of it).

Furthermore, my email of [date] did not make explicit reference to either the UK GDPR or FOIA. If both these regimes apply to the information I requested, the ICO should have treated my requests as hybrid requests.

For example, the ICO’s correspondence with Y requested at point 1a may contain my name and certain other personal data relating to me. This can likely be withheld under S.40 FOIA, but must still be disclosed to me specifically pursuant to article 15 UK GDPR.

The ICO’s correspondence with Y will also contain information that does not constitute my personal data. This falls outside of scope of article 15 UK GDPR, but plainly falls within scope of S.1 FOIA.

I note that requests under S.1 FOIA (and article 15 UK GDPR) do not have a prescribed form, can be made through a channel chosen by the requester, and are not required to explicitly refer to the legislative regimes. It is also not necessary for a subject access request to ask for “all information” that a controller holds as you claim, the scope of such a request may be specified and narrowed to what is relevant (indeed, the ICO’s guidance pages recommend doing this). I therefore consider that the ICO’s response to my requests was due by [date] under S.10 FOIA (20 working days); and by [date] under article 12(3) UK GDPR (one month).

As the deadlines have been missed, I am now chasing this up and copying this email to the ICO’s information access team for visibility. I have attached my email of [date] which contains my requests. Request 3 has been resolved by your correction of [date]. Requests 1a, 1b, 2, 4 and 5 (FOIA/UK GDPR) remain outstanding. Given the time that has now elapsed, I ask that the ICO respond to these requests by [date] at the latest. I reserve inter alia the right to complain to the ICO as the FOI regulator should the ICO’s response not be forthcoming by then.

As also noted in my email of [date], I consider that the ICO must also provide at the very least the information I requested at point 4 (and likely also the other requests), pursuant to its common law duty to give reasons for its decision-making to allow a proper assessment of whether a judicial review of the decision is appropriate. I would further highlight that paragraph 13 of the Pre-Action Protocol for Judicial Review (PAP) states that the administrative court may impose costs sanctions if a public body does not comply with a pre-action request for information without good reason.

The ICO’s information access team (which generally does a good job) then responded to my information request a day later, to their credit. The response confirmed that the ICO had not contacted Y about my complaint. The ICO held no information about any investigative steps that had been taken. It also confirmed they held no information about any assessment of my complaint with reference to the Regulatory Action Policy.

In a separate FOI request, I had asked the ICO for its template letter for responding to case review requests. The response confirmed that the reviewing case officer had simply copy-pasted the template and had completely failed to complete the explanation section in that template.

The ICO’s case review letter template can be found in its disclosure log here: https://ico.org.uk/about-the-ico/our-information/disclosure-log/2025/04/ic-377655-s4v5/

This clearly meant that the ICO had failed to provide adequate reasons for its decision, in breach of its common law duty per Independent Assessor. But they had also simply included things in their case review response that were completely incorrect, such as their claim that they had “investigated” my complaint.

Judicial review threat forces ICO into action

As the ICO was refusing to consider my complaints further, I sent them a formal letter before claim under the Pre-Action Protocol for Judicial Review. I alleged the ICO had acted unlawfully by refusing to investigate my complaint and refusing to provide adequate reasons for its decision.

The ICO has a tendency to hide behind its Regulatory Action Policy (RAP) as an excuse for not doing anything – it even features in its case review template. But clearly some case officers are not actually considering the contents of the RAP in their decision-making, because they refused to take action when the vast majority of factors in the RAP indicated a degree of regulatory action was appropriate. This is unlawful, as public authorities are generally required to give effect to their policies (Mandalia v Secretary of State for the Home Department [2015] UKSC 59).

In summary, I advanced the following legal grounds for judicial review. It should be noted that the judicial review would formally be against the Information Commissioner, but I keep referring to the ICO below for simplicity:

  • The ICO committed an error of law in respect of Article 77 UK GDPR (illegality). This was because they refused to investigate my complaint because it involved cookies. However, cookies containing online identifiers (such as tracking cookies) constitute personal data as per article 4(11) UK GDPR and the ICO’s own guidance. My complaint also contained elements that did not directly involve the placement of cookies. As such, my complaint was clearly in scope of article 77 UK GDPR, requiring an investigation to the extent appropriate and an outcome.
  • Consequently, the ICO breached its statutory duty under Article 57(1)(f) UK GDPR by failing to investigate my complaint to the extent appropriate. The redirection to the R.32 PECR reporting tool breaches the ICO’s statutory duty under the UK GDPR. The ICO’s cookies reporting tool is sufficient for the purposes of R.32 PECR, but it is not sufficient to comply with the ICO’s obligations under the UK GDPR, because:
    • The ICO does not investigate R.32 PECR reporting tool submissions.
    • The ICO does not respond to R.32 PECR reporting tool submissions with the outcome of the (non-existent) investigation. Indeed, it is not even possible to enter contact details on the form for an outcome to be provided.
    • It was not possible to add full details of my complaint about the processing of my personal data through cookies on the R.32 PECR reporting tool.
  • The ICO failed to give effect to its ‘How your complaint is processed’ policy and Regulatory Action Policy. This is because the ICO failed to even contact Y and failed to take into account the high seriousness of the breaches, as well as the number of people affected (very high) and the effect on me (both material and non-material damage). Online tracking is also listed as a regulatory priority in the ICO25 strategy. There were also significant aggravating factors in the RAP that applied here, e.g. that the breaches resulted in direct financial gains to Y and its partners.
  • The ICO’s failure to provide reasons for its decision to refuse to investigate my data protection complaint was unlawful (illegality, breach of common law duty, unfairness, legitimate expectation). As discussed, the ICO is under a duty to provide adequate reasons for its decision to refuse to investigate; these must be sufficient to allow its decision to be properly understood and should properly engage with any arguments advanced (R. (on the application of Michaelides) v Chief Constable of Merseyside [2019] EWHC 1434 at para 53). The case review outcome provided was, at best, a recital of a general formula, which is not sufficient to comply with the ICO’s common law duty.

Following my letter before claim, I corresponded with the ICO’s litigation directorate. The ICO has now offered to provide a new outcome to my complaint (without making any admission as to the merits of my judicial review claim). This will be done by a case officer who was not previously involved. This will supersede the ICO’s previous outcomes.

I have agreed to this course of action. However, I have put the ICO on notice that I expect proper consideration to be given to its policies and that I may further challenge its new outcome if it becomes necessary to do so, for example if the ICO’s policies indicate that a degree of regulatory action is appropriate but the ICO fails to properly consider taking regulatory action, without providing sufficient reasons for that failure. Of course, the ICO has discretion when deciding what action to take, if any, but it must follow its policies properly when exercising that discretion.

I will update this article when the ICO completes its new review/investigation and provides me with the new outcome.