What Companies Hide in Their Privacy Policies (Your UK GDPR Rights)

Privacy policies are written to be unread. They are long, dense, and filled with legal language designed to give the impression of transparency while revealing as little as possible. But buried within them — and often not mentioned at all — are rights you have under UK GDPR (retained from the EU General Data Protection Regulation via the Data Protection Act 2018) that companies are legally required to respect.

Your Six Core UK GDPR Rights

1. Right of Access (Subject Access Request)

Under Article 15 UK GDPR, you have the right to request a copy of all personal data an organisation holds about you. This is called a Subject Access Request (SAR). The organisation must respond within one month (extendable by two months for complex requests). There is no charge for a SAR in most circumstances. Many companies make this process deliberately difficult — but failure to respond is a breach of UK GDPR that can be reported to the ICO.

2. Right to Erasure ('Right to Be Forgotten')

Under Article 17 UK GDPR, you can request that an organisation deletes your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose it was collected, where you withdraw consent, or where the data has been unlawfully processed. This right is not absolute (it does not apply where the data is needed to comply with a legal obligation or for legal claims), but companies regularly refuse erasure requests that they are legally required to comply with.

3. Right to Rectification

If an organisation holds inaccurate data about you, Article 16 UK GDPR gives you the right to have it corrected without undue delay. This is particularly important for data held by credit reference agencies, insurance companies, and government bodies.

4. Right to Data Portability

Under Article 20 UK GDPR, where data is processed on the basis of your consent or a contract, and the processing is carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format — and to transmit it to another organisation. In practice, this allows you to take your data from one service provider to a competitor.

5. Right to Object

Under Article 21 UK GDPR, you have an absolute right to object to your data being used for direct marketing purposes — and the organisation must stop immediately, with no exceptions. You also have the right to object to processing based on legitimate interests, though this is not absolute.

6. Rights in Relation to Automated Decision-Making

If you are subject to a decision made solely by automated processing — such as a credit decision, insurance pricing, or job application screening — that has a significant legal or similarly significant effect on you, Article 22 UK GDPR gives you the right to request human review, to express your point of view, and to contest the decision.

What Companies Don't Tell You

Most privacy policies mention these rights somewhere — often in a single sentence at the bottom of a long document. What they rarely explain clearly:

How to Enforce Your Rights

Send a written request to the organisation's data protection officer (their privacy policy must include contact details). If they fail to respond within the statutory timeframe or refuse a legitimate request, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk — free of charge. The ICO has enforcement powers and regularly acts on complaints.

Understand Any Privacy Policy in Seconds

Paste any privacy policy into WTFDidIJustAgree and get a plain-English breakdown of what data they collect, how they use it, who they share it with, and what rights they're quietly hoping you won't exercise.