How to File a Data Privacy Complaint (2026)

Filing a data privacy complaint costs nothing, takes as little as fifteen minutes, and gives regulators the enforcement trigger they need to investigate companies that routinely ignore consumer rights. The right filing channel depends entirely on which law was broken and where you live.
Step 1: Identify Which Law Was Violated
Before you choose a filing portal, figure out which legal framework applies. The question is not where the company is headquartered but which law governs the data at issue and which regulator has authority to act.
California residents and CCPA/CPRA. If you are a California resident and a company covered by the California Consumer Privacy Act or its 2020 CPRA amendments failed to honor a rights request, disclosed your data after you opted out, or processed your sensitive personal information without proper authorization, the primary enforcers are the California Privacy Protection Agency (CPPA) and the California Attorney General.
Health data and HIPAA. If a doctor, hospital, health plan, health-data clearinghouse, or their business associates mishandled your medical records or disclosed your protected health information without authorization, the governing law is the Health Insurance Portability and Accountability Act (HIPAA). The sole federal enforcement channel is the HHS Office for Civil Rights (OCR). This is also the most time-sensitive path: you have only 180 days from when you learned of the violation.
Comprehensive state law residents (Virginia, Colorado, Connecticut, Texas, and others). If you live in a state with a comprehensive consumer data privacy law and a covered business refused your access, deletion, correction, or opt-out request, your complaint goes to that state's Attorney General. As of mid-2026, states with active consumer complaint portals include Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Texas (TDPSA). See how these laws compare for an overview of which rights each state provides.
Any deceptive or unfair data practice and the FTC. The Federal Trade Commission enforces Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices across most for-profit industries. If a company promised one data practice in its privacy policy and delivered another, or if it failed to secure your data in a way that caused harm, a report to ReportFraud.ftc.gov is always appropriate as a parallel filing regardless of which other channel you use.
EU and EEA residents and GDPR. If you are located in a European Union or European Economic Area country and a company subject to the General Data Protection Regulation violated your rights (including the right to access, erasure, or objection), you file under GDPR Article 77 with your national Data Protection Authority (DPA). For more background on how GDPR works, see EU Data Privacy Laws.
When violations overlap multiple frameworks, file with each applicable authority separately. Parallel complaints are expressly permitted, and a company that sees simultaneous inquiries from both the FTC and a state AG tends to respond more quickly.
California: Filing with the CPPA and the California AG
California operates a two-body enforcement system that is unique among US states. Understanding which body handles your complaint prevents wasted time.
The California Privacy Protection Agency (CPPA) is the primary enforcer for CCPA and CPRA violations that occurred on or after July 1, 2023. The CPPA is an independent agency created specifically to administer and enforce the CPRA amendments. Its online complaint portal is at cppa.ca.gov/webapplications/complaint. A paper form is also available at cppa.ca.gov/pdf/paper-complaint.pdf for those who prefer a non-digital submission.
Before you file, know what the CPPA can and cannot do for you personally. The agency does not represent individual consumers and cannot act as your attorney. Its mission is systemic: it uses consumer complaints to monitor industry compliance trends, identify companies that repeatedly violate the law, and initiate formal investigations or audits. You may file anonymously (an unsworn complaint), but if you do, the agency cannot follow up with you about the outcome. If you want to stay informed about what happens with your complaint, provide your name and contact information and file a sworn complaint. For an overview of the specific rights you can assert before filing, see CCPA Opt-Out Rights.
The California Attorney General handles CCPA complaints involving violations that occurred before July 1, 2023, and retains concurrent jurisdiction over certain categories of violations even after the CPPA took primary authority. The AG's consumer complaint portal is at oag.ca.gov/contact/consumer-complaint-against-business-or-company. The AG's office covers a wide range of CCPA violations: failure to respond to consumer rights requests, improper denial of access or deletion requests, discrimination against consumers for exercising their rights, missing or deficient privacy notices, and continued selling or sharing of data after you submitted an opt-out request.
The CCPA private right of action: the narrow exception. California Civil Code section 1798.150 gives you a direct right to sue, but only in a very specific situation: a company's failure to maintain reasonable security practices must have allowed your nonencrypted and nonredacted personal information to be exposed in a breach. If that happened, you can seek statutory damages of $100 to $750 per consumer per incident, or your actual damages if they are higher. Before you can file suit, you must give the business a 30-day written notice and opportunity to cure. All other CCPA violations (failed access requests, ignored opt-outs, missing privacy policies) are enforced exclusively by the CPPA or the AG, not by individual consumers in court.
Other State Privacy Laws: Filing with Your State Attorney General
Virginia, Colorado, Connecticut, and Texas each have comprehensive consumer data privacy laws, and each law names the state AG as the sole enforcement authority. None of these laws provide a private right of action, which means you cannot sue a covered business directly.
Virginia (VCDPA). File with the Virginia Attorney General's Consumer Privacy Unit at oag.state.va.us/consumer-protection/index.php/file-a-complaint. As of February 2026, the AG's office is actively enforcing with no additional grace periods. The AG can seek civil penalties up to $7,500 per violation. For a full description of your rights before you file, see VCDPA Consumer Rights.
Colorado (CPA). File at coag.gov/file-a-complaint/data-privacy-data-breach/ or call the Colorado AG's consumer hotline at 800-222-4444. The AG's office asks that you identify which CPA right you believe was violated, provide the company's name and contact information, and include the relevant dates of your request and any denial. For more on what the CPA requires of businesses, see CPA Consumer Rights.
Connecticut (CTDPA). File through the AG's e-complaint form at dir.ct.gov/ag/complaint/, selecting "Consumer Data Privacy" from the subject dropdown so the complaint routes to the right unit. In 2025, the Connecticut AG's office processed close to 70 formal CTDPA complaints; the most common issue was businesses refusing or obstructing consumer deletion requests. The office also issued 63 warning letters that year. If you are a Connecticut resident asserting your rights, see CTDPA Consumer Rights before filing.
Texas (TDPSA). The Texas Data Privacy and Security Act took effect July 1, 2024, and the Texas AG operates a dedicated complaint portal at texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act. Since the portal launched, it has received over 2,000 complaints. Complete the form in a single session: the portal does not support saving a draft and returning. Have the business's full name, address, and contact information ready before you start. For a breakdown of what the TDPSA requires, see TDPSA Consumer Rights.
If you live in a state not listed above, check your state AG's website for a general consumer complaint form. Many states without a dedicated data privacy law can still act on deceptive or unfair trade practices under state consumer protection statutes, and an FTC report remains available regardless.
Federal: Reporting to the FTC
The Federal Trade Commission is the federal government's general-purpose data privacy enforcer. Its authority comes from Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. A company that collects far more data than it disclosed in its privacy policy, shares data with third parties it said it would not share with, or fails to secure data in a way that exposes consumers to harm can face FTC action on any of those grounds.
Submit reports at ReportFraud.ftc.gov. The FTC does not investigate every individual report, and it does not award you money from its enforcement actions. What it does do is build a searchable Consumer Sentinel database from millions of individual reports, which its investigators use to identify patterns, prioritize targets, and build cases. Recent examples of FTC data privacy enforcement include action against Kochava in May 2026 for selling sensitive location data and against Illuminate Education in June 2026 for failing to adequately secure student data.
The FTC's jurisdiction has important carve-outs. It does not cover common carriers (regulated by the FCC), non-profit organizations, financial institutions subject to the Gramm-Leach-Bliley Act, or healthcare entities subject to HIPAA. If your complaint involves a bank, insurance company, or healthcare provider, the primary channel is a sector-specific regulator, not the FTC. That said, filing with the FTC in parallel to your primary complaint costs nothing and may be useful if the same company engages in deceptive data practices across multiple contexts.
Health Data: Filing a HIPAA Complaint with HHS OCR
If your complaint involves a healthcare provider, health plan, pharmacy benefit manager, or another HIPAA-covered entity mishandling your protected health information, the filing channel is the HHS Office for Civil Rights. This path has the most important deadline in the entire data privacy complaint landscape.
The 180-day rule. HIPAA requires that you file your complaint with OCR within 180 days of when you knew that the act or omission occurred. OCR may extend this deadline for good cause, but good cause is not automatic and requires you to explain the delay. If you miss the deadline without a waiver, OCR cannot process your complaint. Do not wait.
How to file. The fastest method is the online OCR Complaint Portal at ocrportal.hhs.gov. You can also submit by email to OCRComplaint@hhs.gov or by mail to: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue SW, Washington, DC 20201.
What to include. Identify the covered entity (doctor, hospital, health plan) by name and address, describe the violation and when it occurred, and describe how the HIPAA Privacy Rule or Security Rule was broken. Attach any relevant communications: the letter your provider sent you about a breach, a denial of your request for medical records, or evidence of an unauthorized disclosure.
Realistic outcomes for HIPAA. HIPAA does not create a private right of action. You cannot sue a HIPAA-covered entity directly for a HIPAA violation in federal court. OCR can impose civil monetary penalties ranging from $100 per violation for unknowing violations up to $50,000 or more per violation for willful neglect, and the U.S. Department of Justice handles criminal referrals for knowing, intentional violations. Those penalties go to the government, not to you. Some states have separate health privacy laws that do allow private suits (California's Confidentiality of Medical Information Act, or CMIA, is one example), but HIPAA itself does not.
HIPAA also prohibits retaliation against anyone who files a complaint. If you experience adverse action from a covered entity because you filed with OCR, that retaliation is itself a HIPAA violation you can report.
EU Residents: Filing Under GDPR with Your National DPA
Every person in the EU and EEA has a statutory right under GDPR Article 77 to lodge a complaint with a national supervisory authority, called a Data Protection Authority (DPA). You can file with the DPA in your country of habitual residence, your country of employment, or the country where the alleged infringement took place.
Finding your DPA. The European Data Protection Board (EDPB) maintains a complete directory of all national DPAs at edpb.europa.eu/about-edpb/about-edpb/members_en. Key authorities include:
- Ireland: Data Protection Commission (dataprotection.ie). The lead DPA for most major US tech firms with EU headquarters in Ireland, including Meta, Google, Apple, and LinkedIn.
- France: Commission Nationale de l'Informatique et des Libertés (cnil.fr). One of the most active DPAs in Europe and the lead for French-domiciled companies.
- Germany: Federal Commissioner for Data Protection and Freedom of Information (bfdi.bund.de). Germany also has state-level DPAs with jurisdiction over certain matters.
- United Kingdom: Information Commissioner's Office (ico.org.uk). The UK left the EU, so UK GDPR is now a separate domestic law enforced by the ICO independently of the EDPB.
The one-stop-shop mechanism. Under GDPR Article 60, when a company processes data across multiple EU member states, the DPA where the controller has its principal place of business serves as the Lead Supervisory Authority (LSA) and coordinates the response with other Concerned Supervisory Authorities (CSAs). In practical terms, if you are a French resident complaining about a company whose EU headquarters is in Ireland, you can file with the CNIL but the DPC Ireland will likely lead the investigation. You are never required to file with a foreign DPA directly; your local DPA accepts your complaint and handles the coordination.
Cross-border cases involving the one-stop-shop can take years to resolve due to the coordination requirements between national authorities. Filing locally is still worth doing: your complaint enters the system, gets shared with the LSA, and contributes to the enforcement record the EDPB uses when publishing cross-border case outcomes.
What to Include in Your Complaint
Every major complaint portal (CPPA, California AG, Colorado AG, Connecticut AG, Texas AG, FTC, HHS OCR, and national DPAs) requires essentially the same information. Gather the following before you start:
Your contact information. Name, mailing address, email address, and phone number. If you file anonymously, understand that the agency typically cannot follow up with you.
The company's information. Full legal name, website URL, mailing address, and any customer service email or phone number you have used. If you are complaining about a data broker you have never directly interacted with, try to identify the company through your state's data broker registry if one exists.
A specific description of the violation. Describe which right was denied or which unlawful practice occurred. "They violated my privacy" is not enough. Identify the specific action: "I submitted a deletion request on [date] through [portal], the company did not respond within 45 days, and I never received a confirmation or denial."
Dates. When did the violation occur? When did you first learn of it? When did you submit a rights request? When did the company respond or fail to respond?
Documentation. Attach or upload copies of the rights request you sent and any response you received. If the company denied your request or ignored it, a screenshot of your submission confirmation and proof the deadline passed is valuable evidence. Take screenshots of the company's privacy policy before filing, since companies sometimes update policies after a complaint is lodged.
Your desired outcome. Many portals ask what outcome you are seeking. "Investigation," "enforcement action," or "require the company to honor my deletion request" are appropriate responses.
Realistic Outcomes: What Regulators Can and Cannot Do
Filing a data privacy complaint is a civic act as much as a personal one. Set realistic expectations before you file so the process does not feel like a failure if you do not receive direct compensation.
What regulators can do. The CPPA, state AGs, FTC, HHS OCR, and national DPAs can all: open formal investigations, demand documents and testimony from companies, issue civil investigative demands, impose civil monetary penalties (up to $7,500 per violation for state AGs, up to $50,000 per violation for HIPAA, substantial amounts for GDPR), order companies to change their data practices, mandate consumer notification programs, and publish enforcement actions publicly. Publication matters because it names companies that violated the law, creates reputational pressure, and alerts other consumers.
What regulators generally cannot do. Regulators do not award you personal damages from their administrative enforcement actions. When the FTC or an AG reaches a settlement with a company that violated consumer privacy rights, the resulting funds typically go to the government or, in some cases, a consumer remediation fund. If a remediation fund exists, affected consumers may receive notice and a claim form, but this process takes years and per-consumer payments are often nominal.
The exceptions: private rights of action. Where the law specifically creates a private right of action, you can sue the company yourself (or join a class action). The most significant example is California Civil Code section 1798.150, which allows individual Californians to sue for data-breach damages of $100 to $750 per incident. Some state wiretapping and electronic privacy laws also carry private rights of action, but the modern comprehensive state data privacy laws (VCDPA, CPA, CTDPA, TDPSA) do not.
Why filing still matters even without a damages award. Enforcement agencies are complaint-driven. A single complaint rarely triggers an investigation, but patterns do. When a company receives hundreds of complaints about the same practice, the CPPA or an AG's office notices. Some of the largest FTC consent orders and state AG settlements of the past decade started with a cluster of consumer reports that analysts noticed were describing the same unlawful behavior. Filing makes you part of that signal.