Insight / Other / 3 September 2026

ICO enforcement themes 2024-2025: structural retrospective for sales leaders

A structural read of publicly visible ICO enforcement themes through 2024 and 2025: cookie consent and consent management platform compliance, PECR direct marketing and unsolicited contact, Children's Code adherence by online services, subject access request response timeliness, and large-scale data breach response. Sales-leader implications for each theme.

The themes the ICO has been visibly active on in 2024-2025 are the themes sales teams should expect continued attention on through 2026. Cookie consent and PECR direct marketing remain the most directly relevant to UK B2B sales motion design.

What was visibly active 2024-2025

A structural read of the ICO's published activity through 2024 and 2025 reveals five themes that recurred frequently enough to be considered the regulator's focus areas. We summarise each here as the baseline against which 2026 monthly digests should be read.

Theme 1: cookie consent and consent management platforms

The ICO has been visibly active on cookie consent through 2024-2025. Published reviews of cookie banners on major UK websites identified persistent non-compliance: pre-checked non-essential cookies, dark patterns making "reject all" harder to find than "accept all", and consent management platforms that do not implement the choices users actually make.

Sales-team implications: many UK B2B websites collect personal data through cookies for marketing and analytics. The publisher and the marketer are joint controllers in many configurations. The ICO has signalled willingness to act where compliance is poor; sales-leader oversight of marketing technology configuration is therefore part of the regulatory accountability surface.

Theme 2: PECR direct marketing enforcement

Privacy and Electronic Communications Regulations (PECR) enforcement against unsolicited marketing has continued at substantial volume through 2024-2025. The pattern: organisations sending unsolicited B2C marketing (texts, automated calls, emails to non-corporate addresses) without valid consent, often through third-party data sources of dubious provenance. Monetary penalty notices (MPNs) at the £100k+ scale are common in this category.

Sales-team implications: B2B outbound to corporate email addresses is generally not subject to PECR consent requirements (with exceptions for sole traders and unincorporated partnerships in some configurations), but the operational discipline required to maintain that lawful basis (clean data sources, soft-opt-out where applicable, prompt unsubscribe handling) is real. Sales teams should not assume B2B exemption insulates them from PECR risk where their data sources or methods are questionable.

Theme 3: Children's Code adherence

The Children's Code (Age Appropriate Design Code) has moved from publication to enforcement focus over 2023-2025. ICO-published reviews have called out specific online services for non-adherence. The pattern: services likely to be accessed by children defaulting to data collection and profiling settings inappropriate for under-18s.

Sales-team implications: B2B vendors selling into education (covered in detail in our EdTech sector deep-dive) face direct procurement scrutiny. B2B vendors with consumer-adjacent reach (services used by both adults and children, services accessible without age verification) should expect rising attention.

Theme 4: subject access request response practice

Subject access request (SAR) handling has been a steady source of enforcement and Decision Notice activity through 2024-2025. The pattern: organisations failing to respond within the statutory month, providing inadequate or incomplete responses, or rejecting requests on improper grounds.

Sales-team implications: SAR readiness sits across data protection, IT, and operations rather than primarily sales, but sales operations data (CRM, contact databases, recorded calls, sales engagement platform data) is increasingly the substantive volume in many SARs. Sales-operations leaders should ensure SAR-readiness covers their stack.

Theme 5: large-scale data breach response

The ICO has acted on a small number of large-scale data breaches each year, with substantive penalties for organisations whose response was inadequate (slow notification, insufficient remediation, weak underlying controls). The pattern matters less for typical sales leaders than the four themes above, but the published reasoning in MPNs is useful reading for understanding what the regulator considers good versus inadequate response.

What this means for 2026

The themes visible through 2024-2025 are unlikely to be replaced wholesale through 2026. Sales leaders should expect continued attention on cookie consent, PECR direct marketing, Children's Code, and SAR response. New themes may emerge (the Data Use and Access Act 2025 implementation creates new enforcement surface; AI-related data processing is rising in regulatory attention); we will cover these as they become visible in the regulator's published record.

Source: ICO published Action We've Taken records 2024-2025. ICO Children's Code published reviews. PECR. UK GDPR. Editorial structural analysis.