InsightOther/ 3 September 2026/ 3 min read
A structural read of publicly visible ICO enforcement themes through 2024 and 2025: cookie consent and consent management platform compliance, PECR direct marketing and unsolicited contact, Children's Code adherence by online services, subject access request response timeliness, large-scale data breach response. Sales-leader implications for each theme.
A structural read of the ICO's published activity through 2024 and 2025 reveals five themes that recurred frequently enough to be considered the regulator's focus areas. We summarise each here as the baseline against which 2026 monthly digests should be read.
The ICO has been visibly active on cookie consent through 2024-2025. Published reviews of cookie banners on major UK websites identified persistent non-compliance: pre-checked non-essential cookies, dark patterns making "reject all" harder to find than "accept all", consent management platforms that do not implement the choices users actually make.
Sales-team implications: many UK B2B websites collect personal data through cookies for marketing and analytics. The publisher and the marketer are joint controllers in many configurations. The ICO has signalled willingness to act where compliance is poor; sales-leader oversight of marketing technology configuration is therefore part of the regulatory accountability surface.
Privacy and Electronic Communications Regulations (PECR) enforcement against unsolicited marketing has continued at substantial volume through 2024-2025. The pattern: organisations sending unsolicited B2C marketing (texts, automated calls, emails to non-corporate addresses) without valid consent, often through third-party data sources of dubious provenance. MPNs at the £100k+ scale are common in this category.
Sales-team implications: B2B outbound to corporate email addresses is generally not subject to PECR consent requirements (with exceptions for sole traders and unincorporated partnerships in some configurations), but the operational discipline required to maintain that lawful basis (clean data sources, soft-opt-out where applicable, prompt unsubscribe handling) is real. Sales teams should not assume B2B exemption insulates them from PECR risk where their data sources or methods are questionable.
The Children's Code (Age Appropriate Design Code) has moved from publication to enforcement focus over 2023-2025. ICO-published reviews have called out specific online services for non-adherence. The pattern: services likely to be accessed by children defaulting to data collection and profiling settings inappropriate for under-18s.
Sales-team implications: B2B vendors selling into education (covered in detail in our EdTech sector deep-dive) face direct procurement scrutiny. B2B vendors with consumer-adjacent reach (services used by both adults and children, services accessible without age verification) should expect rising attention.
Subject access request (SAR) handling has been a steady source of enforcement and Decision Notice activity through 2024-2025. The pattern: organisations failing to respond within the statutory month, providing inadequate or incomplete responses, or rejecting requests on improper grounds.
Signal
AI tooling has begun to reshape how UK B2B sellers practise the methodologies they have been trained on. Specific patterns: AI-augmented MEDDPICC scoring against deal data, AI-driven discovery question suggestions, AI-summarised call analysis against methodology checkpoints, AI-generated business cases and value framing. The methodologies themselves are largely unchanged; the practice of them is being rebuilt around AI augmentation.
Explained
There is no universally best sales methodology. The right choice depends on segment, deal size, cycle length, buyer sophistication, team experience, and existing infrastructure. A practitioner walkthrough of the choice criteria, with honest assessment of where each major methodology fits.
Explained
GAP Selling (Keenan, 2018) is a problem-centric sales methodology that emphasises deep discovery of the gap between the buyer's current state and desired future state. The methodology pushes hard against feature-led pitching: the seller must understand the buyer's situation more thoroughly than competing methodologies typically demand. Adopted by a meaningful share of UK B2B SaaS sales teams since 2020.
Sales-team implications: SAR readiness sits across data protection, IT, and operations rather than primarily sales, but sales operations data (CRM, contact databases, recorded calls, sales engagement platform data) is increasingly the substantive volume in many SARs. Sales-operations leaders should ensure SAR-readiness covers their stack.
The ICO has acted on a small number of large-scale data breaches each year, with substantive penalties for organisations whose response was inadequate (slow notification, insufficient remediation, weak underlying controls). The pattern matters less for typical sales leaders than the four themes above, but the published reasoning in MPNs is useful reading for understanding what the regulator considers good versus inadequate response.
The themes visible through 2024-2025 are unlikely to be replaced wholesale through 2026. Sales leaders should expect continued attention on cookie consent, PECR direct marketing, Children's Code, and SAR response. New themes may emerge (the Data Use and Access Act 2025 implementation creates new enforcement surface; AI-related data processing is rising in regulatory attention); we will cover these as they become visible in the regulator's published record.