The two key privacy laws in the EU are the General Data Protection Regulation (GDPR) and the e-Privacy Directive, and in the U.K. are the U.K. GDPR and the Privacy and Electronic Communications Regulations (PECR). GDPR applies to processing of personal data, and PECR applies to the setting of cookies and trackers on devices.

Over the past year or so, I have been advising many organizations that receive demand emails looking like this:

1. It has come to my attention that your website has placed a tracking script on my device. This happened as I loaded your webpage—that is, unilaterally and without consent.

2. The placement of such technologies constitutes an invasion of my privacy; it amounts to a violation of The Privacy and Electronic Communications (EC Directive) Regulations 2003 as well as the GDPR under English and EU law.

3. The insertion of the tracking script was wrongful and constituted an unjustified infringement of my right to privacy, amounting to a misuse of private information.

4. It appears you have chosen to do this cynically for your own commercial gain, unilaterally and without consent.

5. For any breach of PECR and GDPR, damages are payable under Regulation 30 PECR and Article 82 GDPR. This matter can be resolved before the courts; however, in the interest of avoiding an unnecessary use of court time in assessing unliquidated damages, I am open to settling this matter.

6. Please send your response within 14 days.