Analysis of ICO Enforcement Action January-June 2025

Stuart Skelly | Senior Consultant at URM | Published on 17 September 2025

Summary

In this blog, we review the ICO’s enforcement activity from January to June 2025, during which 15 actions were taken against 12 organisations, around half the volume seen in the same period last year.  We examine the significant shift towards heavier fines for UK GDPR security breaches, alongside a marked decline in PECR-related enforcement.  The analysis also highlights sector-specific trends and notable cases, providing insights into the regulator’s current priorities.

Maintaining an awareness of regulatory enforcement trends can be incredibly valuable for organisations looking to achieve, strengthen and maintain compliance with data protection law.  The action taken by the Information Commissioner’s Office (ICO) highlights both its enforcement priorities and the recurring pitfalls that organisations across sectors need to avoid in their efforts to comply with the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (GDPR), and the Privacy and Electronic Communications Regulations (PECR).  As such, URM has undertaken a mid-year review of the ICO’s enforcement from January to June 2025, continuing our series of biannual blogs analysing ICO enforcement action, to examine how the data protection regulator’s approach compares with previous years and what these developments may mean for organisations looking to enhance their data protection compliance.

Overview

As a reminder and comparison, January-June 2024 saw a total of 29 instances of enforcement action (fines, reprimands and enforcement notices) taken against 22 organisations (including 7 police forces or other law enforcement agencies).  For a full breakdown and evaluation of these actions, read our blog on ICO Enforcement Action January – June 2024.

However, as demonstrated by the above graphic, there were only 15 occasions in the first half of 2025 on which the ICO took enforcement action, about half of the frequency we would expect compared to the same period last year.  Of the 6 public sector organisations enforced against, 2 were police forces – with one force, Greater Manchester Police, receiving 2 reprimands in the space of 6 months.  So, the Police were again overrepresented in the figures.

10 of the 15 actions were taken for breaches of the DPA and the UK GDPR.  These 10 actions represent a drop of around a third compared to the number of DPA and GDPR-related actions taken in the same period last year.

As with 2024, however, only organisations that committed PECR breaches received more than one action of enforcement against them for a single contravention.  Two companies received both a fine and an enforcement notice, interestingly for breaching the same part of the PECR – the part that deals with unsolicited marketing phone calls in contravention of the subscriber having opted out of such calls by registering with the Telephone Preference Service (TPS).  There have been no fines or other enforcement for infringements of the email marketing rules in Jan-Jun this year, which is usually the section of the PECR most commonly enforced by the ICO.

Number of Fines and Sector Focus

In the first half of this year, the regulator issued 6 fines, so again, down on what might have been expected from last year’s average.  Only one of these penalties was applied to a public (or quasi-public) body, a charity called Birthlink.  At £18,000, this penalty was relatively small.  The ICO departed from its usual policy of not fining public entities in this case, as the breach – the unnecessary destruction of thousands of adoption records, many of which were irreplaceable – was so avoidable and its effects so serious and permanent.

Aside from this outlier fine for Birthlink, it could be argued that the ‘public sector approach’ adopted by the ICO in 2022 seems to be working due to the marked reduction in enforcement activity generally, and the substantially lower number of public authorities receiving enforcement for breaches of DPA/UK GDPR, both in absolute terms and relative to the number of private organisations being punished for breaking privacy legislation.  URM will continue to monitor how these possibly important trends continue to develop throughout 2025.

UK GDPR Breaches Receive Biggest Fines, and PECR Infringements Penalised Much Less than Last Year

The most substantial monetary penalties issued in the first half of 2025 have been the £3.07m and £2.31m fines imposed on UK company Advanced Computer Software Group Ltd and the US genealogy company 23andMe Inc., respectively, for their infringing of the UK GDPR’s security provisions, due to massive data losses following cyber attacks in 2022 and 2023.  Unlike last year, overall the fines for breach of the PECR have fallen far short of the total for UK GDPR violations (£140K as opposed to about £5.45m).

Reasons for Fines Being Imposed

The following graphic summarises the breaches for which each fine was imposed.

This demonstrates that, unlike in 2024, the majority of the ICO’s fines were directed at infringements of the UK GDPR, not at breaches of the PECR telemarketing rules.  Last year, the proportion of fines attributable to breaches of the UK GDPR formed one sixth of the total, whereas in 2025, this has risen sharply to two thirds – a possibly significant departure from what has previously been perceived as an overreliance by the regulator on fining for infractions of the PECR.  The 4 UK GDPR fines were the large ones imposed on the two companies mentioned above; a law firm, DPP Law, which was fined £60K (also for data loss due to a cyber attack); and the £18K Birthlink penalty already referred to.

Of the 6 reprimands issued this year, all were to public sector bodies – meaning that, apart from the anomalous case of the charity Birthlink, the ICO seems to be sticking to its rationale for not fining public authorities (that such penalties have limited deterrent effect because it is ultimately the taxpayer who funds them), and issuing them with reprimands instead.  Of the 3 enforcement notices, all went to private companies, and all were in relation to PECR breaches which involved large numbers of telemarketing calls without the consent of the recipient, as mentioned.  The use of enforcement notices against public sector entities in relation to non-PECR breaches, noted last year, has not so far developed into a trend in 2025.

The Cost of a Breach

Due to the relatively low number of monetary penalties, and the effect of the 2 large fines for Advanced Software and 23andMe, the average fine in the UK so far in 2025 has risen from approximately £150K last year to around £933K.

Whereas in previous years there has been a relatively even split between fines under and over £100,000, in 2025 the majority (4) have been under that 100K figure, with only the 2 fines in the millions exceeding it.  So, this appears to strengthen the trend that began to emerge last year of the regulator fining not more prolifically, but proportionately more heavily.  In total, these 6 fines brought in almost £5.6m to the Treasury, which is already more than double the fine yield for the whole of 2024.

Cookies – Nothing, Not Even a Crumb

In our last blog on this topic, we discussed how in 2023 and 2024 the ICO contacted companies operating the UK’s 200 most visited websites regarding their use of cookies, expressing concern that these companies are not following its guidance on website design and are not providing users with adequate choice as to whether their activities are tracked for personalised marketing.  In January 2025, this national cookies compliance check was expanded to include the top 1,000 sites in the UK.  We have tracked what impact the regulator’s heightened vigilance on this matter has had in the first part of 2025 and it appears that the ICO’s verbal crackdown on cookies non-conformance has – so far – worked as intended.  Aside from the reprimand issued to Sky Betting and Gaming in 2024, there has been no enforcement of any kind taken by the data protection authority for this type of infringement in 2025.

URM will monitor all future ICO fines, reprimands and enforcement notices too – let’s see what the remainder of 2025 brings!

How URM Can Help

For any organisation hoping to avoid ICO enforcement action, maintaining GDPR compliance is of the utmost importance.  With 20 years of experience in helping organisations become and remain compliant with data protection legislation, URM is ideally placed to offer GDPR support that can assist your organisation to do the same.  Our highly qualified and experienced data protection team can offer a range of services to help your organisation comply with the Regulation; for example, we can conduct a GDPR gap analysis of your current processing practices and provide remediation support.  In addition, we can offer more specific services, such as help with data privacy impact assessments (DPIAs) or, if you receive data subject access requests (DSARs), a DSAR support service where we apply the required exemptions and redactions to the information you provide to the data subject.  We can also help you produce a record of processing activities (ROPA), and offer a virtual data protection officer (DPO) service, which allows you to access an entire team of DP practitioners, each with their own specialised area of GDPR consultancy.

In addition to consultancy, URM also regularly delivers a range of data protection-related training courses. To learn about the UK data protection landscape in general and gain an industry-recognised qualification, attend URM’s BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.  Or, if you would like to learn how to conduct key compliance activities, you can attend our half-day training courses on Conducting DTIAs, Conducting DPIAs, and our 1-day course on How to Manage DSARs.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
