14 August 2025

Data, Decisions, And A New Direction: The ICO's 2024–25 Annual Report In Focus

Lewis Silkin


In July 2025, the ICO published its Annual Report for 2024–25 – its final report under the 'ICO' name before transitioning to the Information Commission, as required by the Data (Use and Access) Act (DUAA) 2025. The report underscores a strategic shift towards high-impact regulation with particular focus on three key areas: (1) protecting children's privacy online; (2) providing individuals with "meaningful control" over online tracking; and (3) ensuring robust regulatory compliance for responsible AI innovation.

Alongside these headline priorities, the ICO reaffirmed its ongoing commitment to supporting SMEs, upholding individual rights through the enforcement of data protection laws, and supporting AI innovation – all while adapting to the evolving legislative landscape introduced by the DUAA. The report presents a compelling narrative that the ICO "has evolved to be fit to regulate a modern, data-driven society".

Below are some key takeaways from the report, which provide useful insight into the behind-the-scenes aspects of the ICO over the past year.

Regulatory focus and strategic priorities

The report reinforces the ICO's commitment to three strategic causes for priority work: children's privacy, AI and biometrics, and online tracking. These priorities, which have shaped its regulatory agenda over the past year, also form the foundation of its roadmap for the year ahead - signalling that these areas will remain central to the ICO's work going forward.

In parallel, the report emphasises the ICO's ongoing support for organisations in navigating compliance with data protection laws. It mentions that the ICO will continue to develop practical tools and publish guidance aimed at making compliance more accessible. The report reflects on recent initiatives including the Data Protection Audit Framework, the "direct marketing advice generator," and "advice for new start-ups," designed to help organisations embed "privacy right from the start." This approach evidences the ICO's continuing intention to work alongside organisations rather than simply regulate from a distance.

Looking ahead, the ICO also signals its plans to expand its online resources, including plans for "new and updated guidance" that organisations are encouraged to keep an eye on. Of course, a lot of guidance is already subject to update owing to the changes made by the DUAA (e.g. the ICO's guidance on automated decision making).

Children's Privacy

In its report, the ICO has reinforced its expectation that online platforms prioritise the "best interests of children" when collecting and processing their personal data, recognising the necessity for safeguarding children in the "digital world".

Building on previous efforts – where the ICO reviewed 34 social media platforms and engaged with 10 to address concerns or secure improvements – the ICO remains committed to ensuring online platforms adhere to the requirements set out in the Age Appropriate Design Code (Children's Code). This includes:

  • providing an "age appropriate online experience";
  • refraining from the use of geolocation data in a manner that "puts a child at risk"; and
  • avoiding the targeting of children with personalised advertising.

This continued focus is reflected by several investigations referenced in the report, including "TikTok's use of children's personal information in their recommender systems," as well as inquiries into "Imgur and Reddit's use of children's personal information and age assurance."

As the report makes clear, safeguarding children's personal data will remain the ICO's top priority for the year ahead. The ICO will continue to scrutinise how online platforms handle children's personal data – reinforcing that the Children's Code serves as the benchmark for responsible and lawful data practices.

AI and Biometrics

Within the report, the ICO confirmed its commitment to supporting the government's "drive for growth and innovation". To achieve this, the ICO will continue to support businesses in fostering innovation and technology, including by creating initiatives such as tailored training programmes or "providing greater regulatory certainty through developing a code of practice for AI".

The report highlights the ICO's progress over the past 12 months including:

  • publishing guidance on individuals' rights in relation to AI (see here);
  • completing a public consultation on generative AI (see here); and
  • developing a regulatory sandbox to assist organisations to test emerging technologies whilst understanding compliance requirements.

Looking ahead, the ICO intends to build on its AI-related initiatives and has stated the following:

"Our growth letter to the government included an option of creating a new experimental regime to explore and test data-driven innovations. We will expand our current offering, if approved by government, to give businesses a time-limited derogation from regulatory requirements to test their new ideas, particularly in the use of AI." The ICO also has plans to "engage with key stakeholders to provide this certainty, build public trust in these technologies and prevent harm arising from [the use of AI]".

Over the coming months, we expect to see the ICO publish its strategy for regulating AI and biometrics and develop its statutory code of practice on AI and automated decision making.

Online Tracking

In 2024-25, the ICO actively focused on ensuring regulatory compliance related to online tracking and the use of cookies. As mentioned in the report, a key priority was ensuring website providers offer users a fair and informed choice regarding the use of their personal data for targeted advertising. As part of this initiative, the ICO reviewed the UK's top 200 websites, resulting in 52 websites improving cookie practices to meet compliance standards. This work was later expanded to a broader review of 1,000 websites and, as cited in the report, included the enforcement action against Sky Betting and Gaming for "unlawfully processing" personal data "through advertising" without user consent.

For the year ahead, the ICO details its expectations for organisations to "give meaningful control over how they are tracked online". To encourage and promote compliance, and assist organisations in avoiding enforcement action, the ICO will adopt a multi-layered approach. Specifically, the report states that the ICO will promote compliance by:

  • clarifying how the law applies and our expectation in guidance and other publications;
  • engaging with industry to shape a more compliant and privacy-oriented ecosystem;
  • scrutinising the compliance of organisations across the online tracking ecosystem; and
  • investigating and enforcing against organisations that do not comply.

Regulatory Impact: Fines and Complaint Trends

The ICO imposed fines totalling £4.426 million (considerably lower compared to almost £16 million last year), and it is yet to collect around £25 million in fines (due to those under appeal). Out of the total figure, only £9,200 were GDPR fines (up from £7,600 the year prior), and £1.1 million were PECR fines. Note this does not include the recent £2.31 million fine imposed against 23andMe, as the report covers the period of 1 April 2024 – 31 March 2025 (and the 23andMe fine was imposed in June). These figures perhaps reflect an approach of risk-based enforcement (for which the ICO attracts criticism) as opposed to a more absolute style of enforcement that is occasionally espoused in the EU.

The ICO also received 42,315 data protection complaints, an increase from 39,721 in 2023/24. Of these, 36,196 outcome decisions were reached, which sees an improvement in the ICO's advice and responsiveness from the previous year, where 35,332 outcome decisions were made.

To further enhance the efficiency of its complaint handling processes, the ICO has indicated that it "hopes to reduce the number of times people feel they need to contact us to make complaints", perhaps hinting that it is asked to get involved in too many cases.

It is worth noting that the DUAA introduces a new requirement for data controllers to put in place complaint-handling processes, acting as the first port of call. This shift is expected to help reduce the resourcing burden currently faced by the ICO.

Looking Ahead

The report outlines the ICO's strategic objectives for 2025-2026, which centre around four key priorities:

  1. Safeguarding and empowering people: The ICO will continue to focus on protecting individuals, particularly those who are vulnerable, by upholding and advancing user rights.
  2. Responsible innovation and sustainable economic growth: The ICO will continue to develop regulatory guidance that supports responsible innovation and sustainable economic development. This includes reducing the cost of compliance, clarifying the steps organisations should take when issues arise, and providing support to facilitate investment and innovation.
  3. Openness and transparency: The ICO remains committed to promoting transparency and advancing best practice in the application of the FOIA and EIR.
  4. Developing the three C's: The ICO will drive progress in its "culture, capacity and capability" to ensure it remains an "impactful" regulator, capable of delivering effective services. This includes the development of an Enterprise Data Strategy, which will set out the ICO's vision and action plan for leveraging technology, including artificial intelligence, to enhance operational efficiency.

It is also worth noting that following the enactment of the DUAA, organisations can expect to see significant changes to the "governance and accountability structures" of the ICO. (For more information on the upcoming changes please see our article here).

Key Takeaways

  1. Review and Update Children's Privacy Measures
    • Ensure your platform complies with the Children's Code and audit any services likely to be accessed by children to ensure age-appropriate design.
  2. Strengthen Online Tracking and Cookie Compliance
    • In light of the changes by the DUAA, reassess cookie banners and consent mechanisms.
    • Monitor updates to ICO guidance on online tracking and implement changes promptly to avoid enforcement risk.
  3. Prepare for AI and Biometrics Regulation
    • Stay informed on the ICO's upcoming AI strategy and statutory code of practice.
    • If using AI, document how individual rights are protected and consider participating in regulatory sandbox initiatives.
  4. Leverage ICO Tools and Guidance
    • Make use of ICO resources to embed privacy by design.
    • Keep an eye out for new and updated guidance expected later this year.
  5. Engage with the DUAA Transition
    • Understand how the DUAA may impact your data governance practices.
    • Monitor developments as the ICO transitions to the Information Commission, which may bring changes in regulatory approach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
