GDPR & Outreach

ICO Enforcement 2024–2026: What We've Learned

Patterns from ICO enforcement actions over the last two years. What UK B2B founders should take seriously.

Albert Rosu · 5 min read

The Information Commissioner’s Office (ICO) publishes its enforcement actions. Reading the pattern tells you what they take seriously. Over 2024–2026, UK B2B founders can learn a lot from who got warned, who got fined, and what they did.

The four recurring enforcement themes

1. Failure to honour opt-outs

The single most common breach. A company receives a PECR unsubscribe request, fails to process it in time (or at all), and continues emailing. ICO pattern: warning → enforcement notice → fine (typically £5K–£50K for repeat offenders).

Fix: automate opt-out. Treat unsubscribes as a one-click, irrevocable DB flag. Audit your stack monthly.

2. Treating sole traders as corporate subscribers

Next most common. A company assumes the PECR B2B exemption applies to “all businesses” and blasts emails at UK sole traders.

Fix: legal-entity verification before outreach. If you can’t verify Ltd/LLP, treat as consumer (consent required).

3. Scraping / purchased list use without lawful basis

The ICO has fined multiple companies for using scraped or purchased contact data without documentation of lawful basis. Typical fines: £20K–£200K depending on scale.

Fix: document the source for every contact in your CRM. If it was bought or scraped, retire it.

4. Missing sender identification

Companies Act 2006 §82 + PECR both require UK-registered companies to include name, registered address, and company number on commercial communications. Surprisingly often missed. Usually a warning rather than a fine, but a flag.

Fix: boilerplate email footer with company name, number, address. Easy.
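The four fixes above all reduce to checks that can run before a single message leaves the system. The following is an added illustration of such a pre-send gate, written for this article and not code from its author: opt-outs live in a write-once suppression store, contacts sourced from purchased or scraped data are retired, unverified entities are treated as consumers who need consent, and the sender footer is validated for the Companies Act fields. The contact records, the suppression store and the entity-verification helper are constructed stand-ins (there is no real Companies House lookup here); field names such as `source`, `entity_type` and `has_consent` are assumptions.

```python
"""Pre-send compliance gate for B2B outreach.

Added example, not the article's own code. All data below is constructed;
verify_entity() is a hypothetical placeholder for a real legal-entity lookup.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Sources the article says to retire rather than mail: bought or scraped data.
DISALLOWED_SOURCES = {"purchased", "scraped"}


@dataclass
class Contact:
    email: str
    source: str                  # where the record came from, e.g. "inbound_form"
    entity_type: Optional[str]   # "ltd", "llp", "sole_trader", or None if unverified
    has_consent: bool = False    # explicit marketing consent on record


@dataclass
class SenderIdentity:
    company_name: str
    company_number: str
    registered_address: str

    def footer(self) -> str:
        return (f"{self.company_name} · Company No. {self.company_number} · "
                f"{self.registered_address}")


class SuppressionList:
    """Opt-outs are a one-way flag: the class exposes no way to clear one."""

    def __init__(self) -> None:
        self._opted_out: set[str] = set()

    @staticmethod
    def _norm(email: str) -> str:
        # Normalise so "Jane@X.com " and "jane@x.com" hit the same entry.
        return email.strip().lower()

    def opt_out(self, email: str) -> None:
        self._opted_out.add(self._norm(email))

    def is_suppressed(self, email: str) -> bool:
        return self._norm(email) in self._opted_out


def verify_entity(contact: Contact) -> bool:
    """Hypothetical check: only Ltd/LLP records count as verified corporate subscribers."""
    return contact.entity_type in ("ltd", "llp")


def validate_sender(sender: SenderIdentity) -> list[str]:
    """Return the names of any empty sender-identification fields."""
    return [name for name, value in vars(sender).items() if not value.strip()]


def check_contact(contact: Contact, suppression: SuppressionList) -> tuple[bool, str]:
    """Apply the article's four rules in order; first failure wins."""
    if suppression.is_suppressed(contact.email):
        return False, "opted out"
    if contact.source in DISALLOWED_SOURCES:
        return False, f"source '{contact.source}' has no documented lawful basis; retire"
    if not verify_entity(contact) and not contact.has_consent:
        return False, "unverified entity treated as consumer; consent required"
    return True, "ok"


def build_send_list(contacts: list[Contact], suppression: SuppressionList,
                    sender: SenderIdentity) -> dict:
    missing = validate_sender(sender)
    if missing:
        raise ValueError(f"sender identification incomplete: {missing}")
    approved, rejected = [], {}
    for c in contacts:
        ok, reason = check_contact(c, suppression)
        (approved.append(c.email) if ok else rejected.__setitem__(c.email, reason))
    return {"approved": approved, "rejected": rejected, "footer": sender.footer()}


# Constructed sample data (no real companies or people).
SENDER = SenderIdentity("Example Outreach Ltd", "00000000", "1 Example Street, London")
SAMPLE_CONTACTS = [
    Contact("ops@example-ltd.co.uk", "inbound_form", "ltd"),
    Contact("jane@example-trader.co.uk", "inbound_form", "sole_trader"),
    Contact("bob@unknown.example", "scraped", "ltd"),
    Contact("optout@example-ltd.co.uk", "inbound_form", "ltd"),
    Contact("consent@example-trader.co.uk", "inbound_form", "sole_trader", has_consent=True),
]


def run_example() -> dict:
    suppression = SuppressionList()
    suppression.opt_out(" OptOut@Example-Ltd.co.uk ")  # stored normalised
    return build_send_list(SAMPLE_CONTACTS, suppression, SENDER)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The gate is deliberately ordered so that a suppressed address is rejected before any other attribute is consulted, and the suppression store has no delete path, which is what "irrevocable DB flag" means in practice: re-subscribing should be a fresh, recorded consent event rather than a clearing of the flag.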

What triggers an ICO investigation

Investigations rarely start because the ICO proactively audited a company. The common triggers:

  • Complaints from recipients. A single complaint rarely starts a full investigation, but a pattern does. The ICO publishes complaint-volume trends and revisits companies with rising complaint curves.
  • Journalist or researcher reports. Consumer-press coverage of a UK company’s marketing practices frequently appears in the subsequent enforcement note.
  • Referrals from other regulators. FCA, Ofcom, or the CMA sometimes flag data-handling issues that cross into the ICO’s remit.
  • Whistleblower reports from inside the company. A disaffected former marketing hire filing a report with the ICO is not rare. Protect your compliance posture internally as much as externally.
  • Mandatory breach notifications. If you suffer a data breach and notify under UK GDPR, the ICO will review — and will often spot secondary issues in your marketing practice during that review.

Any of these can open the door. Once the door is open, the ICO looks at the whole operation, not just the incident that prompted the inquiry.

The investigation process

If the ICO does come knocking, the typical sequence:

  1. Initial letter. A formal notice, usually 14 to 28 days to respond. Quality of first response matters a lot.
  2. Information notice. If the initial response is weak or the ICO wants more, a formal information notice compels specific document production.
  3. Assessment. ICO staff review submissions. Often a call. Sometimes a site visit.
  4. Preliminary view. Either “no further action”, “warning”, or “considering enforcement / monetary penalty”.
  5. Formal enforcement. Notice issued. Right to make representations before the final decision.
  6. Final decision. Published. Appealable to the First-tier Tribunal (Information Rights).

The single largest lever is the quality of the first response. A cooperative, documented, thoughtful reply frequently de-escalates the case. A defensive or missing reply escalates it.

What the ICO weighs when deciding to fine

  • Scale (how many people affected?)
  • Intent (deliberate vs negligent?)
  • Prior warnings (first offence or repeat?)
  • Cooperation (fix applied quickly?)
  • Documentation (lawful basis documented before the breach?)

A small company that accidentally breached but cooperated and fixed quickly typically gets a warning. A repeat offender with no documentation gets a fine.

Fine ranges by breach type

Breach                               Typical fine range
Ignored opt-outs                     £5K–£50K
Scraped list, first offence          £20K–£80K
Scraped list, persistent             £100K–£500K
Major data leak + marketing breach   £1M+ (rare, but possible)

Most SMB-scale breaches don’t hit six figures. They do damage reputation (fines are published with company name).

Positive patterns

The ICO rewards:

  • Prompt cooperation (answer within 14 days of enquiry)
  • Clear documentation of lawful-basis analysis
  • Evidence of policy + training internally
  • Voluntary self-disclosure of mistakes

Recent enforcement patterns worth noting

Without naming specific companies, several clear enforcement patterns have emerged in 2024–2026 UK ICO activity:

  • B2B cold-email operators using shared sender pools. Pool-based sending makes opt-out coordination hard. Several fines in this cluster have been in the £20K–£80K range.
  • Recruitment-adjacent marketing. Firms marketing to candidates who had applied for unrelated roles, treating application forms as implicit consent for downstream marketing. Consistent warnings and some fines.
  • Scraped LinkedIn data in B2B CRMs. The ICO has increased attention on scraped-profile data, especially when combined with automated outreach.
  • Weak privacy policies on lead-gen landing pages. Several enforcement notices targeted the privacy policy itself as insufficient — missing information about retention, sub-processors, or data-subject rights.
  • Sole-trader confusion at scale. Multiple enforcement notices on campaigns that treated “business-looking” email addresses as corporate subscribers without verification.

The common thread: pattern-at-scale breaches rather than one-off mistakes. Small, cooperative, documented operators rarely end up on the register.

What this means for UK founders

  1. Don’t scrape. Don’t buy lists.
  2. Treat sole traders as consumers for PECR purposes.
  3. Automate opt-out processing.
  4. Document your lawful basis before you send the first email.
  5. Cooperate fast if the ICO contacts you.

The bar is lower than the LinkedIn discourse suggests — but documentation is non-negotiable.

Reading the register

All ICO enforcement actions are public at ico.org.uk/action-weve-taken/enforcement. Worth reviewing quarterly if you run marketing.

Not legal advice.