2025 was an eventful year for legal and market developments concerning privacy and data protection. High profile data breaches saw several major UK businesses lose millions in revenue. The Information Commissioner’s Office (ICO) reaffirmed its stance on cookie compliance and employee monitoring, and showed that it is not afraid to levy significant fines against offenders.

New legislation brings with it a chance to balance innovation with compliance, but also a risk of significantly greater financial penalties for those that fail to meet their obligations on the compliance side. Here, Harvey Pare and Lucy Collins examine five key developments in privacy and data protection from 2025, and what they mean for businesses in 2026.

1. Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in 2025 and introduced changes to the UK’s data protection regime aimed at making the rules simpler, encouraging innovation, helping law enforcement agencies tackle crime, and allowing responsible data-sharing whilst maintaining high data protection standards. Some of the key changes introduced were:

  • A new lawful basis of ‘recognised legitimate interests’, which removes the need to balance the legitimate interest against the impact on individual rights.
  • Removal of the requirement to obtain consent for cookies or other similar technologies that are used for: (i) statistical purposes to improve the relevant service or website; (ii) customising or enhancing a website’s appearance or functionality; or (iii) providing emergency assistance.
  • An increase in the maximum fine for breaches of the direct marketing rules under the Privacy and Electronic Communications Regulations 2003 from £500,000 to the higher of £17.5m or 4% of total annual worldwide turnover in the preceding financial year, bringing the fine into line with the UK General Data Protection Regulation (UK GDPR).
  • A new requirement for controllers to enable individuals to make complaints about breaches of data protection law, for example by providing a complaint form that can be completed electronically.

Note that these changes are being introduced in stages: the initial provisions came into effect on 20 August 2025, and the final phases are being implemented during 2026.

2. Heavy fines from the Information Commissioner’s Office (ICO)

2025 saw a shift towards heavier fines from the ICO for breaches of data protection law, evidencing the ICO’s continuing commitment to data protection compliance.

In 2025, the ICO issued fines totalling over £20m, with the largest single fine of 2025 being £14m, issued in relation to a data breach affecting over six million people. The level of these fines signifies a trend towards larger penalties targeting systemic failures, particularly where sensitive data have been put at risk, underlining the need for robust protection of high-risk information. Furthermore, two-thirds of fines in 2025 related to security violations, reflecting heightened scrutiny of cyber resilience and data breach responses.

3. ICO action on cookie compliance

The ICO launched a robust cookie compliance crackdown in 2025, signalling a shift in how it enforces the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR.

As part of a consultation that sought to identify new, commercially viable advertising models that can both support innovations to improve consumer privacy and boost economic growth, the ICO reviewed cookie usage on the UK’s top 1,000 websites. In particular, it assessed whether people have meaningful control over how their personal information is tracked and used online, noting key compliance failings such as placing non-essential cookies before consent, using ‘dark patterns’ to make rejecting cookies harder than accepting them, and continuing to track users after consent was refused.

In December, the ICO announced that its action on cookie compliance meant that over 95% of the top 1,000 websites reviewed now meet the ICO’s cookie compliance tests, giving an estimated 40m UK internet users greater control over how they are tracked for personalised advertising.

4. Increased use of artificial intelligence (AI)

The rapid integration of AI tools in 2025 has been widely promoted as a way to boost efficiency, particularly in the workplace. Alongside these benefits, however, come significant data protection challenges that organisations should not ignore.

AI-powered tools such as notetakers and meeting recorders can streamline processes by eliminating the need for manual notetaking and creating detailed action points, improving productivity and accessibility. While embracing innovation is essential for competitiveness, the blanket adoption of these technologies may expose employers to risks, including unlawful processing of personal data and a lack of transparency around how information is captured and used.

To mitigate these risks, organisations should ensure a lawful basis for processing, maintain meaningful human oversight over automated processes and decisions, and implement clear training, policies and procedures governing AI use. Robust governance is key to balancing innovation with compliance.

You can listen to our Talking Data Protection episode discussing the risks of AI notetakers here.

5. Employee monitoring

Employee monitoring is increasingly common as organisations seek to manage productivity and security in hybrid workplaces. This trend has gained further significance with the introduction of the ‘Failure to Prevent Fraud’ offence (under the Economic Crime and Corporate Transparency Act (ECCTA)), which became effective from 1 September 2025. Under this offence, organisations face criminal liability if employees or associated persons commit fraud for the organisation’s benefit, unless “reasonable prevention procedures” are in place. One of the principles under ECCTA is monitoring and review, so active oversight of employee activity may appear to help demonstrate compliance.

While monitoring can identify red flags and strengthen fraud prevention, the use of tools that track employee activity and communications raises serious privacy concerns. In 2025, the ICO reaffirmed that monitoring must be fair, transparent, and proportionate, avoiding unnecessary intrusion into employees’ private lives. Hidden or excessive surveillance risks breaching data protection principles and damaging trust, particularly in home working settings where individuals have a greater expectation of privacy.

Get in touch

Given the ever-increasing risk of data breaches and greater regulatory scrutiny, it is more important than ever that businesses review their approaches to data protection from the inside out. To discuss your requirements concerning any of the issues above in more detail, please contact a member of our specialist data protection team.