Over the past few months, I’ve been investigating something that should concern all of us when we surf or buy online — especially when we’re using online pharmacies.
What started as a suspicious targeted advert referencing one of my prescription medicines led me to uncover what I believe are serious, ongoing data protection and ePrivacy issues involving the large online pharmacy Pharmacy2U and other online retailers.
What I Found
Using standard browser tools, I discovered that:
- Personal data — including names, email addresses, customer IDs and search queries — is being disclosed to external companies without consent.
- These transmissions occurred even after rejecting all non‑essential cookies. Relying on the "strictly necessary" exemption for this is unlawful as it defies the minimisation principle.
- Data is sent to third-party companies including Data Brokers, sometimes in clear text.
- Email addresses are a notorious tracking vector allowing individuals' activity to be tracked throughout the web. This evades the third-party cookie blocking protections supported by some browsers.
- Data was forwarded server‑to‑server using scripts designed to avoid browser‑level visibility, and avoid the tracking protection available in browsers such as Safari.
- Sending data this way evades the inadequate controls that the less advanced CMPs use to restrict illegal disclosures.
- Personal data is retained in browser storage accessible to other third-party script providers.
These are not obscure technical edge cases. They are routine interactions that any customer could trigger simply by logging in or searching for a product.
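To show how the findings above can be checked from a captured request log, here is an added Python example (not the author's tooling, nor code from any site mentioned). It scans HAR-style request records taken after all non-essential cookies were rejected and flags third-party requests whose URL or body carries an email address, customer ID or search term, either in clear text or as a SHA-256 hash of the lower-cased email, the usual form in which email addresses serve as a cross-site identifier. The first-party domain, the hosts and the PII values are constructed.

```python
import hashlib
from urllib.parse import urlsplit, unquote_plus

# Hypothetical first-party domain (an assumption, not the site named in the post).
FIRST_PARTY = "pharmacy.example"

def is_third_party(host: str, first_party: str = FIRST_PARTY) -> bool:
    """True when the request host is neither the first party nor one of its subdomains."""
    host = (host or "").lower()
    return host != first_party and not host.endswith("." + first_party)

def find_disclosures(entries, pii, first_party: str = FIRST_PARTY):
    """Report (host, field, where, form) for each third-party request whose URL or
    body carries a PII value in clear text or as a SHA-256 hash of the email."""
    email = pii.get("email", "").lower()
    email_hash = hashlib.sha256(email.encode()).hexdigest() if email else None
    findings = []
    for entry in entries:
        host = urlsplit(entry["url"]).hostname
        if not is_third_party(host, first_party):
            continue  # first-party traffic is out of scope for this check
        places = {"url": unquote_plus(entry["url"]).lower(),
                  "body": unquote_plus(entry.get("postData") or "").lower()}
        for where, text in places.items():
            for field, value in pii.items():
                if value and value.lower() in text:
                    findings.append((host, field, where, "clear"))
                elif field == "email" and email_hash and email_hash in text:
                    findings.append((host, field, where, "sha256"))
    return findings

# Constructed sample capture: no host, identifier or address here is real.
SAMPLE_PII = {"email": "Jane.Doe@example.net", "customer_id": "C-4471", "query": "test strips"}
HASHED_EMAIL = hashlib.sha256(b"jane.doe@example.net").hexdigest()
SAMPLE_ENTRIES = [
    {"url": "https://pharmacy.example/api/search?q=test+strips", "postData": None},  # first party
    {"url": "https://collect.tracker.example/e?cid=C-4471&s=test%20strips", "postData": None},
    {"url": "https://sync.broker.example/match", "postData": '{"em":"jane.doe@example.net"}'},
    {"url": "https://pixel.adnet.example/p?hem=" + HASHED_EMAIL, "postData": None},
]

if __name__ == "__main__":
    for host, field, where, form in find_disclosures(SAMPLE_ENTRIES, SAMPLE_PII):
        print(f"{host}: {field} sent in {where} ({form})")
```

Real captures can be exported from the browser's network panel as a HAR file and fed in as the `url` and `postData` of each entry.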
Why This Matters
Online pharmacies handle some of the most sensitive categories of personal data. Trust is essential. When data is shared with third parties — especially data brokers — without clear consent or transparency, the risks are obvious:
- Loss of privacy, leading to consumers' economic disadvantage & loss of autonomy
- Targeted advertising & surveillance pricing based on health conditions or other data collected by data brokers
- Increased exposure to scams, identity misuse, and profiling
Other online retailers and Direct To Consumer websites exhibit similar personal data disclosure.
This isn’t just a technical issue. It’s a public‑interest issue.
What I Did Next
I submitted data subject access requests (DSARs) and raised concerns directly with the company. Months later, I still have not received the legally required information about:
- The purposes of the processing
- The legal bases relied upon
- The full list of third‑party recipients
Some issues were partially fixed in March and April 2026 — but not all. Evidence shows email addresses & other data continue to be shared with other entities, including a US-based data broker.
Escalating to the ICO
Given the scale of the issue, the sensitivity of the data involved, and the potential impact on millions of UK residents, I have now submitted a formal complaint to the Information Commissioner’s Office.
I’ve provided:
- Technical evidence
- Screenshots
- Cookie‑scan reports
- Correspondence
- Examples and explanation of the data flows observed
I’ve also offered to meet with the ICO to walk through the findings.
Why I’m Sharing This
Transparency matters. Digital health services only work when people trust them. If organisations fall short of their responsibilities, it’s important that the public knows — and that regulators have the opportunity to act.
I’ll share updates as the ICO reviews the case.
If you work in digital health, data protection, or online services, I’d welcome your thoughts. This is a conversation we need to have.