The Information Commissioner’s Office (ICO) has published its annual report for 2024-25.
The ICO commits to four “enduring strategic objectives”: safeguarding and empowering consumers, responsible innovation and sustainable economic growth, promoting openness, transparency and accountability, and being held to account for enforcing the legislation it oversees. The ICO oversees a wide variety of legislation including the Data Protection Act 2018 and the Investigatory Powers Act 2016.
Children’s privacy: the ICO has supported changes from social media and video-sharing platforms to improve the ways in which they use children’s data. This includes ensuring that children’s accounts are high privacy by default, that geolocation is not used in a manner which may put children at risk, and that children are not targeted by personalised ads. The ICO has opened a number of investigations into how these platforms use children’s personal information, including one into TikTok’s use of children’s personal information in its recommender systems and investigations into Imgur and Reddit’s use of children’s personal information and age assurance.
Data Protection: the ICO received 42,315 data protection complaints in 2024/25, up from 39,721 in 2023/24, with the range of sectors they relate to remaining consistent with previous years. The ICO issued 36,196 outcome decisions offering advice and recommendations to improve information handling. The ICO concluded 43 GDPR investigation cases and 204 incidents, delivering 31 reprimand outcomes on 9 cases. These covered a range of areas including disclosures in error, inaccurate data and people’s rights. The ICO has addressed compliance with data protection law for the UK’s top 1,000 websites, and has taken regulatory action against Sky Betting for its use of cookies.
It issued two UK GDPR notices totalling £3,826,320. These were a penalty notice of £750,000 to the Police Service of Northern Ireland and a penalty notice of £3,076,320 following an agreement with Advanced Computer Software Group Limited. The ICO also delivered four prosecutions and three cautions, all for ‘unlawfully obtaining’ offences under data protection law. The ICO, with the Office of the Privacy Commissioner in Canada (OPC), opened an investigation into a data breach which happened at genetic testing company 23andMe. In March 2025 it issued a notice of intent to fine 23andMe £4.59 million, before fining the company £2.31 million in June 2025.
Cyber-related work: the ICO completed 15 investigations and managed 61 incidents. From 2024/25, it has served three reprimands, concerning failures to implement appropriate technical and organisational measures. The ICO also issued nine monetary notices totalling £890,000 and nine enforcement notices under the Privacy and Electronic Communications Regulations (PECR).
The ICO has also tackled unlawful marketing, fining two companies a total of £340,000 after they made a total of almost 1.43 million calls to people on the “do not call” register. These calls resulted in 76 complaints, with callers being described as aggressive and using high-pressure sales tactics.
Responding to the rise of generative AI, the ICO opened a consultation series and published a blog on outcomes for generative AI developers. These consultations focused on a number of areas, including how data protection applies to the development and use of generative AI and how generative AI models can provide factually inaccurate information leading to misinformation, reputational damage and other harms.
The ICO says that it has been engaged with the government throughout the parliamentary process of the Data (Use and Access) Bill brought forward by the new government and published an updated response to the bill in February 2025. The Act has now received Royal Assent and covers a wide range of areas including the establishment of an Information Commission and the regulation of access, sharing, retention and processing of personal and business data.