
The ICO’s Annual Report 2024/25: Key Insights


The Information Commissioner’s Office (ICO) has published its annual report for 2024/2025. In this article, we explore the key themes and strategic priorities outlined in the report, offering practical insights for organisations looking to strengthen their data protection practices and align with the ICO's regulatory direction. 

Key Strategic Causes

The ICO has identified three key strategic priorities: online tracking, children’s privacy, and AI and biometrics. The annual report sets out how each of these areas has been prioritised over the past year and outlines plans to maintain focus on them in the upcoming year. 

Online Tracking 

Over the past year, the ICO has been actively implementing its online tracking strategy, focussing on compliance with data protection laws among the UK’s top 1,000 websites and in one case issuing a reprimand for the misuse of cookies. This reprimand was issued for advertising cookies being placed before users had the option to accept or reject the cookies. The ICO’s report highlights that they ultimately contacted 93 organisations about website cookies with the “aim of proactively driving compliance”.

In light of the ICO’s recent approach, it is crucial for companies to prioritise compliance with data protection law and the ICO’s guidance on cookie banners. Key pitfalls to avoid include: 

  • placing cookies before users have provided their consent, or even if the user did not consent to them; and 
  • users being unable to reject non-essential advertising cookies as easily as they can accept them. (In other words, companies need to offer ‘reject all’ and ‘accept all’ options on the first layer of their cookie banner.) 

It is likely that the ICO will continue in its efforts to bring more websites into compliance, so it is advisable for companies to get ahead of the curve. 

Children’s Privacy 

According to the report, the ICO has secured a number of changes from social media and video-sharing platforms over the past year to improve the ways in which children’s data is used, ensuring that:

  • children’s profiles are high privacy by default;
  • geolocation data is not used in ways that might put children at risk; and 
  • children are not targeted with personalised adverts. 

This continues to be a key priority for the ICO, which initiated investigations into how platforms use children’s data in March this year. 

Looking ahead, the ICO’s number one objective for the upcoming year is safeguarding and empowering those most at risk. For companies handling children’s data, this means in the first instance ensuring compliance with the ICO’s Children’s code.

Artificial Intelligence and Biometrics

In the report, the ICO indicates that its primary focus with regard to AI and biometrics is on ensuring regulatory certainty by providing clear guidance and supporting responsible innovation, all while ensuring compliance with data protection laws to build public trust and prevent harm.

Over the past year, the ICO has:

  • published guidance on individuals’ rights in relation to AI;
  • carried out a public consultation on generative AI; and
  • encouraged organisations to engage with its Regulatory Sandbox to test innovative products and services in a controlled environment. 

Looking ahead, the ICO plans to expand on this with an AI code of practice, so it is worth keeping up to date with the latest ICO guidance and updates.

Notably, the report references a proposal currently with government to allow “businesses a time-limited derogation from regulatory requirements to test their new ideas, particularly in the use of AI.” This raises a critical question: Does this apply only to businesses? What about public research bodies or academic institutions?

Enforcement Action 

In the past year, the ICO has issued fines amounting to £4.4 million in total for breaches of data protection law, a notable drop from £15.6 million in 2023/24. The most substantial fines were issued for data security breaches where personal data has been exposed due to a combination of error and inadequate procedures, or security failings leading to ransomware attacks. 

The ICO received 12,412 personal data breach reports - but only 3% led to an investigation. The majority of breaches reported - 85% - were resolved through ‘informal action’ such as offering advice to help organisations manage the incident and prevent repeat occurrences.

Notably, the health, education, and childcare sectors remained the most frequent reporters of breaches - likely reflecting both the sensitivity of the data they handle and their reporting cultures.

The ICO continues to adopt a risk-based, proportionate approach to enforcement, reserving formal action for only the most serious or systemic failings.

Data Use (and Access) Act 

Having received Royal Assent on 19 June, the Data Use (and Access) Act is coming into force over the next year in phases. In readiness for its rollout, the ICO has issued initial guidance on the new Act and plans to provide more detailed guidance as implementation progresses.

For more information on the implementation timeline and steps you should be taking at each stage, please refer to our latest article.

ICO Performance

The report also includes a snapshot of the ICO’s operational performance. Of the 22 key performance indicators (KPIs) tracked, performance was down on the previous year in 11 areas, while 5 showed improvement and 6 remained static. This mixed outcome may suggest that the ICO is in a period of transition, balancing its enforcement role with a growing emphasis on guidance, innovation, and proportionate regulation. It may also reflect the complexity of the regulatory environment and rapid developments in the data, cyber and AI space.

Technical Innovation 

As part of the ICO’s Enterprise Data Strategy, which sets out the action plan for the ICO using its own data, the ICO has invested in new technologies and the automation of manual processes including trialling AI virtual assistants to boost efficiency. One of the ICO’s four key objectives for the upcoming year is to further develop its capability and capacity to regulate effectively through these innovations. 

It will be interesting to see whether these investments bolster the regulator’s ability to take effective regulatory action and result in an increase in investigations and enforcement action.

Conclusion: Staying Ahead of the Curve

The ICO’s 2024/25 Annual Report offers valuable insight into the regulator’s evolving priorities and operational focus. With strategic attention on online tracking, children’s privacy, and AI, organisations have a clear roadmap for where to direct their compliance efforts in the coming year.

The report also reflects the ICO’s continued emphasis on proportionate, risk-based regulation. While formal enforcement activity has decreased - evidenced by a reduction in total fines and a relatively small proportion of breach reports leading to investigations - this appears to align with a broader strategy of encouraging voluntary compliance and supporting organisations through guidance and informal action.

Action points

To stay ahead of the curve, organisations should:

  • Ensure your cookie banners and notices comply with current law and ICO guidance. Consider whether updates are needed in light of the more flexible consent rules being introduced under the Data Use (and Access) Act (DUAA).
  • If your services are likely to be accessed by under-18s, review your policies and practices to ensure alignment with the ICO’s Children’s Code.
  • Stay up to date with the ICO’s evolving position on AI, including upcoming guidance and the proposed AI code of practice. Consider using the Regulatory Sandbox to test innovative tools in a compliant environment.
  • Monitor the phased implementation of the DUAA and forthcoming guidance, expected on AI and adtech, to ensure timely compliance.

For advice on data protection law, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team.

This article was written by Emily Fox and Amanda Leiu.