Tech Safety Directory
Key Child Privacy Protections

Outstanding Child Privacy Protection Legislation

Children's Online Privacy Protection Act (COPPA)

USA

 

The Children’s Online Privacy Protection Act (COPPA) was passed by Congress in 1998. COPPA required the Federal Trade Commission (FTC) to issue and enforce regulations concerning children’s online privacy. COPPA was designed to protect children under age 13 and place parents in control over what information is collected from their young children online. Sites, apps, games and other online services that are directed to children under 13 years old need parental consent before collecting personal information from children under 13. The COPPA rule also applies to general audience sites and apps that know they are collecting personal information from kids. Usually kids are asked to provide their parent’s email address when registering on a site or app so that the service can provide notice of its data collection needs and get the proper level of parental consent.

California Consumer Privacy Act (CCPA)

USA (California)

 

Under the law that went into effect Jan. 1, 2021, Californians can demand that companies tell them what information they've collected about them, delete it, and no longer sell their personal information. The law extends extra protections for teens up to age 16, prohibiting companies from selling their data unless explicitly given permission.

CPRA

USA (California)

The CPRA amends and expands the California Consumer Privacy Act (CCPA)—California’s current privacy law that itself is nearly brand new. Most of the CPRA’s substantive provisions will not take effect until January 1, 2023. However, the CPRA’s expansion of the “Right to Know” impacts personal information (PI) collected during the ramp-up period, on or after January 1, 2022. In short, CPRA strengthens the rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.

 It includes:
a. New criteria for which businesses are regulated;
b. New category of “sensitive personal information”;
c. New and expanded consumer privacy rights:

Brand-new rights
Right to Correction. Consumers may request any correction of their PI held by a business if that information is inaccurate.
Right to Opt Out of Automated Decision Making Technology. The CPRA authorizes regulations allowing consumers to opt out of the use of automated decision making technology, including “profiling,” in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Right to Access Information About Automated Decision Making. The CPRA authorizes regulations allowing consumers to make access requests seeking meaningful information about the logic involved in the decision making processes and a description of the likely outcome based on that process.
Right to Restrict Sensitive PI. Consumers may limit the use and disclosure of sensitive PI for certain secondary purposes, including prohibiting businesses from disclosing sensitive PI to third parties, subject to certain exemptions.
Audit Obligations. The CPRA authorizes regulations that will require mandatory risk assessments and cybersecurity audits for high-risk activities. The risk assessments must be submitted to the newly established California Privacy Protection Agency (see below) on a “regular basis.”

Modified rights

Modified Right to Delete. Businesses are now required to notify third parties to delete any consumer PI bought or received, subject to some exceptions.
Expanded Right to Know. The PI that must be reflected in a “Right to Know” response is expanded to include, for valid requests, PI collected beyond the prior 12 months, if collected after January 1, 2022.
Expanded Right to Opt Out. The CCPA already grants consumers the right to opt out of the sale of their PI to third parties, which implicitly includes sensitive PI; however, the opt-out right now covers “sharing” of PI for cross-context behavioral advertising as outlined below.
Strengthened Opt-In Rights for Minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.
Expanded Right to Data Portability. Consumers may request that the business transmit specific pieces of PI to another entity, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used and machine-readable format.

d. Directly regulates the sharing of PI for cross-context behavioral advertising
e. Creates a new privacy enforcement authority
f. Adopts certain GDPR principles
g. Service providers and contractors: The CPRA amends the definition of “service provider” and introduces “contractors,” a new category of recipients of PI who process PI made available to them by businesses pursuant to a written contract.
i. New consent standard
j. Data breaches and private right of action

General Data Protection Regulation (GDPR)

Europe (EU)

The GDPR went into effect May 25, 2018. The regulation focuses on providing data protection and privacy for all individuals within the European Union and all individuals whose data is processed by an EU controller regardless of location. It also includes special protections for children’s data. Recital 38 protects young users because they may be less aware of the risks, consequences and safeguards concerned with marketing. The GDPR sets the age of consent at 16, but individual member states may lower this as far as 13. A child below the age of consent cannot provide consent for themselves. When consent is the lawful basis for processing a child’s data, reasonable efforts to verify that the person giving consent is old enough to do so are required. Online services must obtain consent from the holder of parental responsibility for the child. View the Age of Digital Consent Map to see the age determined by each EU member state.

ICO’s Children’s Code

UK

"The Children’s Code (or the Age Appropriate Design Code) contains 15 standards that online services such as apps, online games, and web and social media sites, need to follow. This ensures they are complying with their obligations under data protection law to protect children’s data online.
It came into force on 2 September 2020 with a 12 month transition period to give organisations time to prepare. The code applies to UK-based companies and non-UK companies who process the personal data of UK children."

Virginia Consumer Data Protection Act (CDPA)

US (Virginia)

The CDPA establishes rights for Virginia consumers to control how companies use individuals’ personal data by granting residents the rights to access, correct, delete, know, and opt-out of the sale and processing for targeted advertising purposes of their personal information, similar to the CCPA. The CDPA was signed into law on March 2, 2021, but it will not go into effect until January 1, 2023.

Personal Information and Electronic Documents Act (PIPEDA)

Canada

"PIPEDA is Canada’s federal private sector privacy law. Organizations covered by PIPEDA must generally obtain an individual's consent when they collect, use or disclose that individual's personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy.

Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Personal information must be protected by appropriate safeguards."

Illinois Biometric Information Privacy Act (BIPA)

US (Illinois)

Under BIPA, a private entity cannot collect, capture, purchase, receive through trade or otherwise obtain a person’s biometric identifier or biometric information without: (a) informing the subject in writing that a biometric identifier or biometric information is being collected or stored; (b) informing the subject in writing of the specific purpose and duration for which it is being collected, stored and used; and (c) receiving the subject’s written consent. BIPA also requires that private entities that possess biometric identifiers or biometric information. The most significant aspect of BIPA is that it provides a private right of action for individuals harmed by BIPA violations and statutory damages up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation. The statute itself does not contain a statute of limitations.

FERPA

US

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

PPRA (Protection of Pupil Rights Amendment)

US

"The Protection of Pupil Rights Amendment (PPRA) is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature. Briefly, the law requires that schools obtain written consent from parents before minor students are required to participate in any U.S. Department of Education funded survey, analysis, or evaluation that reveals information concerning certain areas.

The No Child Left Behind Act of 2001 contains a major amendment to PPRA that gives parents more rights with regard to the surveying of minor students, the collection of information from students for marketing purposes, and certain non-emergency medical examinations. In addition, an eighth category of information (*) was added to the law."

Student Online Personal Information Protection Act (“SOPIPA”)

US (California)

The Student Online Personal Information Protection Act (“SOPIPA”) was passed in 2014 in California and went into effect in 2016. SOPIPA is considered by many to be the most comprehensive student data privacy legislation in the United States that specifically addresses the changing nature of technology usage in schools by putting responsibility for compliance on the edtech industry.

SOPIPA is aimed at protecting the privacy and security of student data. The law is unique in that it puts responsibility for protecting student data directly on industry by expressly prohibiting education technology service providers from selling student data, using that information to advertise to students or their families, or "amassing a profile" on students to be used for noneducational purposes. In addition, the law requires online service providers to ensure that any data they collect is secure and to delete student information at the request of a school or district. SOPIPA provides clear rules of the road to ensure children's information isn't exploited for commercial or harmful purposes, and it ensures that information stays out of the wrong hands. It also supports innovation and personalized learning, so schools and students can harness the benefits of technology. It makes the edtech companies who collect and handle students' sensitive information responsible for compliance; it applies whether or not a contract is in place with a school; and it applies to apps, cloud-computing programs, and all manner of online edtech services. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure.

California AB 1584, Education Code section 49073.1 – Privacy of Pupil Records: 3rd-Party Digital

US (California)

"(1) Gather or maintain only information that pertains directly to school safety or to pupil safety.
(2) Provide a pupil with access to any information about the pupil gathered or maintained by the school district, county office of education, or charter school that was obtained from social media, and an opportunity to correct or delete such information.
(3) (A) Destroy information gathered from social media and maintained in its records within one year after a pupil turns 18 years of age or within one year after the pupil is no longer enrolled in the school district, county office of education, or charter school, whichever occurs first.
(B) Notify each parent or guardian of a pupil subject to the program that the pupil’s information is being gathered from social media and that any information subject to this section maintained in the school district’s, county office of education’s, or charter school’s records with regard to the pupil shall be destroyed in accordance with subparagraph (A). The notification required by this subparagraph may be provided as part of the notification required pursuant to Section 48980. The notification shall include, but is not limited to, all of the following:
(i) An explanation of the process by which a pupil or a pupil’s parent or guardian may access the pupil’s records for examination of the information gathered or maintained pursuant to this section.
(ii) An explanation of the process by which a pupil or a pupil’s parent or guardian may request the removal of information or make corrections to information gathered or maintained pursuant to this section.
(C) If the school district, county office of education, or charter school contracts with a third party to gather information from social media on an enrolled pupil, require the contract to do all of the following:
(i) Prohibit the third party from using the information for purposes other than to satisfy the terms of the contract.
(ii) Prohibit the third party from selling or sharing the information with any person or entity other than the school district, county office of education, charter school, or the pupil or his or her parent or guardian.
(iii) Require the third party to destroy the information immediately upon satisfying the terms of the contract.
(iv) Require the third party, upon notice and a reasonable opportunity to act, to destroy information pertaining to a pupil when the pupil turns 18 years of age or is no longer enrolled in the school district, county office of education, or charter school, whichever occurs first. The school district, county office of education, or charter school shall provide notice to the third party when a pupil turns 18 years of age or is no longer enrolled in the school district, county office of education, or charter school. Notice provided pursuant to this clause shall not be used for any other purpose."

K-12 Cybersecurity Act of 2021

US

The K–12 Cybersecurity Act of 2021, the federal government’s first foray into K-12 cybersecurity, was passed into law in an effort to aid student data security. The law charges the director of the Cybersecurity and Infrastructure Security Agency (CISA) to bring together a team and gather appropriate stakeholder input from K-12 schools around the US over a four-month period, then consolidate that knowledge into a set of cybersecurity guidelines over the next two months, followed by the development of an online toolkit to assist school districts as they strengthen their digital security environment.

California Age-Appropriate Design Code Act (AADCA)

US (California)

 

California passed the bill for its Age-Appropriate Design Code Act (AADC). In the world of children’s privacy it is expected to have a global impact. Modeled on the UK’s Children’s Code, it requires privacy by design in all online services for children or that attract a large child audience, children being users under 18 years old.

Companies will need to make fundamental changes to comply or face significant fines of up to $7,500 per affected child. It will be enforced by the state attorney general. The law was set to go into effect on July 1, 2024, but it is on hold due to a preliminary injunction.

Here are some of the key requirements that will need to be addressed at a high level:

  • Establish the age range of younger users to treat them appropriately.
  • Provide mechanisms for children to report their privacy concerns.
  • Provide age appropriate and clear privacy notices for children.
  • Algorithms that exploit children’s data to serve harmful content are prohibited.
  • Precise location tracking is prohibited unless necessary for the operation of the service.
  • Transparency on location tracking is required i.e., include clear messaging to a child that it is on.
  • Do not sell children’s data unless it is essential to the service and do not profile children to serve targeted ads.
  • Only use data for the purpose it was collected.
  • Ensure data minimization: if the data is not needed for a specific and legitimate purpose, then don’t collect it.

Privacy Act 1988

Australia

The Privacy Act 1988 protects an individual’s personal information regardless of their age. It doesn’t specify an age after which an individual can make their own privacy decision. For their consent to be valid, an individual must have capacity to consent.

An organization or agency handling the personal information of an individual under the age of 18 must decide if the individual has the capacity to consent on a case-by-case basis. As a general rule, an individual under the age of 18 has the capacity to consent if they have the maturity to understand what’s being proposed. If they lack maturity, it may be appropriate for a parent or guardian to consent on their behalf.

If it’s not practical for an organization or agency to assess the capacity of individuals on a case-by-case basis, as a general rule, an organization or agency may assume an individual over the age of 15 has capacity, unless they’re unsure.

Review the Privacy Act 1988

 Minor Protection in Social Media Act

US (Utah)

 

In early March of 2024, the Utah legislature repealed and replaced the Utah Social Media Regulation Act with SB 194 and HB 464. Utah lawmakers amended the Act in response to a lawsuit filed by an Internet trade association challenging the Act on constitutional grounds. Governor Cox signed the new bills into place on March 13, 2024.

HB 464 repeals the Utah Social Media Regulation Act completely and introduces a new provision allowing a private right of action for any harm to minors on their mental health caused by excessive use of a social media platform's algorithmically curated social media service.

SB 194, known as the Minor Protection in Social Media Act, enacts provisions related to age assurance and specific requirements that a social media company must meet for Utah minor* account holders, including:

  • Setting default privacy settings to prioritize maximum privacy.
  • Offer supervisory tools for a Utah minor account holder that the Utah minor account holder may decide to activate.
  • Verifiable parental consent.

*Minor means an individual under 18 years old.

Despite the Utah legislators' efforts to revise the law, it is important to note that HB 464 and SB 194 are facing opposition from trade associations and think tanks who believe that they still raise constitutional concerns. NetChoice has provided testimony against HB 464 and SB 194. The U.S. District Court granted NetChoice's request for a preliminary injunction on September 10, 2024, while their case moves through the legal system.

Virginia Consumer Data Protection Act (CDPA)

US (Virginia)

 

The Virginia Consumer Data Protection Act (CDPA) was introduced on January 1, 2021 to the House of Delegates and was signed into law by Governor Ralph Northam on March 2, 2021. The CDPA is scheduled to go into effect on January 1, 2023.

The CDPA became the second comprehensive data privacy law to be adopted in the US after the CCPA. While the CCPA and CDPA share similarities when it comes to data privacy and protection, some important differences remain.

The CDPA currently applies to for-profit entities that:

(i) conduct business in Virginia or offer products or services targeted to residents in Virginia and,

(ii) control or process the data of at least 100,000 consumers or,

(iii) control or process the data of at least 25,000 consumers and derive more than 50% of revenue from the sale of personal data.

This regulation introduced the following consumer rights:

  • Right to know, access, and confirm
  • Right to deletion
  • Right to opt-out of sale (defined as the exchange of personal data for monetary consideration)
  • Right to opt-out of processing for targeted advertising
  • Right to opt-out of profiling
  • Right to nondiscrimination
  • Right to data portability
  • Right to rectification/correction

Children
Sensitive data is provided greater protection and includes personal data collected from children. Businesses that comply with verifiable parental consent requirements under the Children’s Online Privacy Protection Act are deemed compliant with the CDPA obligations to obtain parental consent.

Connecticut Data Privacy Act (CDPA)

US (Connecticut)

 

The Connecticut Data Privacy Act (CTDPA), which will go into effect July 1, 2023, is now the fifth and latest comprehensive state consumer privacy law.  

The CTDPA has many similarities with other states (California, Virginia, Colorado and Utah) that have passed consumer privacy laws, but is most similar to the Virginia Consumer Data Privacy Act (VCDPA) and the Colorado Privacy Act (CPA), which are more consumer-oriented.

The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to Connecticut residents, and who during the preceding calendar year either: 

  • Controlled or processed the personal data of 100,000 or more consumers annually, except for personal data controlled or processed solely for the purpose of completing a payment transaction. 
  • Derived over 25 percent of their gross revenue from the sale of personal data and controlled or processed the personal data of 25,000 or more consumers.

 

In addition to requiring businesses to respond to consumer requests regarding their personal data described above, this law creates further affirmative obligations for businesses, including that they must: 

  • Minimize the collection of personal data and refrain from processing personal data for purposes not disclosed to the consumer (unless the business has otherwise obtained consumer consent); 
  • Establish and maintain reasonable technical and physical data security practices to protect personal data; and 
  • Provide Connecticut residents with a privacy notice describing the categories of personal data processed and the purpose of the processing, if the entity shares or sells personal data with third parties, and how the consumer may exercise their right to access, modify, delete, or opt-out of the business’s use of personal data for targeted advertising or sale. 

CTDPA and Data of Minors
Specifically, controllers and processors that comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) are compliant with any parental consent requirements of the CTDPA. A controller cannot process personal data for purposes of selling or targeted advertising without the consumer's consent when it knows the consumer is between 13 and 16 years old.

The CTDPA also mandated that the General Assembly will convene a task force to study available ways to "verify the age of a child who creates a social media account." 

This law does not create a private right of action for consumers, but instead vests exclusive enforcement authority in the Connecticut Attorney General. During the first two years of implementation, the Attorney General must issue a notice of violation and permit the business an opportunity to cure the violation within 60 days of notice. Beginning in 2025, however, the opportunity to cure is no longer guaranteed.

The Data Protection Act 2018

UK

 

The Data Protection Act 2018 controls how your personal information is used by organizations, businesses or the government. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). 

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is: 

  • used fairly, lawfully and transparently 
  • used for specified, explicit purposes 
  • used in a way that is adequate, relevant and limited to only what is necessary 
  • accurate and, where necessary, kept up to date 
  • kept for no longer than is necessary 
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage 

There is stronger legal protection for more sensitive information, such as: 

  • race 
  • ethnic background 
  • political opinions 
  • religious beliefs 
  • trade union membership 
  • genetics 
  • biometrics (where used for identification) 
  • health 
  • sex life or orientation 

There are separate safeguards for personal data relating to criminal convictions and offences. 

Your rights 

Under the Data Protection Act 2018, you have the right to find out what information the government and other organizations store about you. These include the right to: 

  • be informed about how your data is being used 
  • access personal data 
  • have incorrect data updated 
  • have data erased 
  • stop or restrict the processing of your data 
  • data portability (allowing you to get and reuse your data for different services) 
  • object to how your data is processed in certain circumstances 

You also have rights when an organization is using your personal data for: 

  • automated decision-making processes (without human involvement) 
  • profiling, for example to predict your behavior or interests 

Make a complaint  

If you think your data has been misused or that the organization holding it has not kept it secure, you should contact them and tell them.

 

If you’re unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO). 

ICO
icocasework@ico.org.uk
Telephone: 0303 123 1113
Textphone: 01625 545860
Monday to Friday, 9am to 4:30pm

Find out about call charges 

 

Information Commissioner’s Office
Wycliffe House Water Lane
Wilmslow
Cheshire
SK9 5AF  

 

You can also chat online with an advisor

The ICO can investigate your claim and take action against anyone who’s misused personal data. 

You can also visit their website for information on how to make a data protection complaint

The Privacy and Electronic Communications Regulations (PECR) 

UK

 

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications. There are specific rules on: 

  • marketing calls, emails, texts and faxes; 
  • cookies (and similar technologies); 
  • keeping communications services secure; and 
  • customer privacy as regards traffic and location data, itemized billing, line identification, and directory listings. 

 

ICO has several ways of taking action to change the behavior of anyone who breaches PECR. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner can also serve a monetary penalty notice imposing a fine of up to £500,000 which can be issued against the organization or its directors. 

These powers are not mutually exclusive. 

PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies. 

 

You will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask customers to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you. 

 

PECR have been amended a number of times.

 

Texas SCOPE

US (Texas)

 

The Texas SCOPE Act (H.B. 18), which stands for Securing Children Online through Parental Empowerment, is designed to protect minor children (under 18) from harmful content and data collection practices. Part of the act went into effect on September 1, 2024. This new law primarily applies to digital services that provide an online platform for social interaction between users that: (1) allow users to create a public or semi-public profile to use the service, and (2) allow users to create or post content that can be viewed by other users of the service. This includes digital services such as message boards, chat rooms, video channels, or a main feed that presents users with content created and posted by other users.

The Act mandates strict age registration and verification for minors on covered digital services, particularly large social networks. Covered digital services may need to obtain parental consent for users under 18, and give parents more tools to monitor their children’s online interactions. The Act includes limiting data collection, banning targeted advertising, and not allowing financial transactions without parental consent. 

However, the Act has faced significant legal challenges, and a partial injunction was imposed by a U.S. District Judge on August 30, 2024, temporarily pausing the implementation of the “monitoring and filtering” requirements due to concerns about privacy, free speech, and the feasibility of enforcement.

Arkansas Social Media Safety Act

US (Arkansas)

 
