Data law | UK Regulatory Outlook February 2025
Published on 27th Feb 2025
Updated Data Bill with House of Commons committee | 'Consent or pay' advertising model guidance | ICO Online tracking strategy | Direct marketing advice generator | High Court case on consent | Increase to ICO data protection fees | European Data Protection Board consults on draft pseudonymisation

Updated Data Bill reaches House of Commons committee stage
The Data (Use and Access) Bill has completed its passage through the House of Lords, has had its first and second readings in the House of Commons and has entered the committee stage there. An updated version of the bill has been published following the Lords stage.
Significant changes in the updated bill include:
- A new clause 81. Section 25 of the UK General Data Protection Regulation (GDPR) on data protection by design will be amended to provide that services likely to be accessed by children must treat children's data more carefully.
- An amended clause 67. This amends the GDPR by inserting a definition of "scientific research" and providing that it should be interpreted widely, regardless of whether it is funded publicly or privately and whether it is for commercial or non-commercial purposes. The clause has now been amended to provide that for research to be "scientific research", it must be "conducted in the public interest".
- New clauses 135 to 139. These new clauses cover the use of "web crawlers" for content scraping, especially for AI purposes, and include provisions requiring, for example, compliance with UK copyright law (even if web scraping occurs abroad), disclosure of the web-crawlers used, and disclosure of the sources of data.
- New clause 141. This amends the Sexual Offences Act 2003 to make it an offence to create or solicit the creation of a purported intimate image of an adult.
It remains to be seen how many of the current changes will survive in the Commons, with the government already indicating that it will attempt to reverse the change to clause 67.
ICO issues guidance on 'consent or pay' advertising models
The Information Commissioner's Office (ICO) has issued guidance on the use of personal data as part of a "consent or pay" business model, following a public consultation on its draft proposals. The guidance indicates that it is possible to operate a consent or pay model compliantly, but that it is not straightforward to do so.
The guidance focuses primarily on ensuring that consent is "freely given". It considers whether there is a clear power imbalance between user and service provider, such that a user cannot realistically choose not to use the service. This is a particular issue with existing users of a service, who may find it more difficult to change to another platform. Where there is a power imbalance, simply offering a binary choice between accepting personalised ads or paying a fee is unlikely to be compliant. Other options should be offered, such as receiving a free service with contextual (rather than personalised) ads.
It also considers whether the fee level is appropriate for the benefit of using the services without personalised advertising. It is unlikely that people can freely give their consent if fees are so high as to make paying them an unrealistic option for some users.
The guidance also considers whether core services are broadly equivalent for those who consent to the use of their data for personalised advertising and for those who pay. If they are not, it will be more difficult to show that the consent was freely given.
It also considers whether the options are presented fairly, with clear information about what each option will involve. If they are not, or if the design of choices is engineered to push users towards a particular option, it is unlikely to be compliant.
The guidance chimes with the views expressed by the European Data Protection Board (EDPB) in its pay or consent opinion of last year.
Online tracking strategy published by ICO for 2025
The online tracking strategy sets out how the ICO plans to promote compliance with the law in 2025 to achieve a fairer online tracking ecosystem for both consumers and businesses. The ICO wants to make the UK's top 1,000 websites cookie compliant and to give people "meaningful control" over how they are tracked online.
The ICO aims to achieve this by:
- Encouraging publishers to move towards more privacy-preserving forms of online advertising, such as contextual ads.
- Using automated compliance monitoring of the 1,000 most popular websites in the UK.
- Consulting on guidance on data protection for Internet of Things devices.
- Ensuring publishers follow its guidance on consent or pay models.
- Ensuring publishers follow its final guidance on storage and access technologies and developing a certification scheme to show compliant processing.
- Investigating potential non-compliance of data management platforms.
- Publishing guidance for the public and raising awareness of data subject rights.
ICO launches direct marketing advice generator
The ICO has launched a free online tool to help smaller organisations undertaking direct marketing activities comply with the Privacy and Electronic Communications Regulations and UK GDPR. The tool covers email, SMS, direct mail, social media, telemarketing and more – and will bring all the relevant guidance the organisation needs into one place.
English High Court case looks at consent
The case of RTM v Bonne Terre Ltd and Hestview Ltd involved allegations of breach of the GDPR and the tort of misuse of private information. The claimant, who described himself as a reformed problem gambler who used Sky Betting and Gaming betting platforms, alleged that direct marketing emails sent to him by the platform (and the extensive profiling behind them) had contributed to his harmful gambling behaviour.
He claimed not to have validly consented to this processing – despite having clicked on "accept" or similar during the cookies consent process – and argued that the platform had processed his personal data for this purpose without a lawful basis. The judge agreed and analysed the concept of consent, stating that there are three elements to be considered:
- Subjective state of mind of the data subject.
- Degree of autonomy associated with the consent mechanism.
- Standard of evidence to be met by the data controller.
The judge considered that the impact of the claimant's gambling behaviour on his mental state was relevant and that, on the facts, his compulsive and addictive behaviour was such that his consent was not "freely given". It was also significant that the consent mechanisms did not provide adequate information and were not sufficiently separated from the process for accessing the online betting service.
UK government increases data protection fees payable to ICO across all tiers
In the autumn of 2024, the government consulted on proposed changes to the data protection fee regime to increase fees payable by data controllers to the ICO by 37.2%, as no increases have been made since 2018. (See this Regulatory Outlook.)
The government has now published its response to the consultation, recognising the views expressed by some respondents that the ICO should be sufficiently resourced, as well as the views that more clarity is needed on how the increased fees will deliver value for money for data controllers and on how resources are allocated to improve the service provided by the ICO.
Overall, the government has decided to introduce legislation to increase the data protection fees across all tiers by 29.8%; this is below the original proposal in recognition of the pressures faced by controllers as set out in the responses.
It will also retain the existing three-tier structure, including the applicable criteria for determining fees payable, as well as the £5 discount applicable to direct debit payments across all tiers and the current exemptions from the requirement to pay a fee.
European Data Protection Board consults on draft pseudonymisation guidelines
The EDPB has published draft guidelines on pseudonymisation, which is defined in the EU GDPR as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information." It is referred to in the GDPR as a potential safeguard that may be effective to fulfil certain data protection obligations.
Pseudonymised data can still be attributed to an individual person through additional information. Therefore, it is still personal data, the processing of which needs to comply with the GDPR. However, pseudonymisation can assist in complying with the data minimisation principle, implementing data protection by design and by default, and ensuring an appropriate level of security.
It is for controllers to decide whether to use pseudonymisation and when and how they use it. The guidelines are intended to help controllers decide which pseudonymisation techniques to use, how to protect pseudonymised data from unauthorised attribution to individuals through the use of additional information and how to manage user rights when processing pseudonymised data.
The guidelines are open for consultation until 15 March 2025.