UK ICO Publishes Draft Guidance on Profiling Tools for Online Safety

On July 30, 2025, the UK Information Commissioner’s Office (“ICO”) launched a consultation seeking feedback on its draft guidance concerning the use of profiling tools for online safety (the “Guidance”). The Guidance aims to assist organizations with their compliance with the UK Online Safety Act 2023 (“OSA”), the UK General Data Protection Regulation (the “UK GDPR”), and the UK Privacy and Electronic Communications Regulations 2003 (“PECR”), outlining the data protection and privacy considerations organizations should take into account when utilizing profiling tools in trust and safety systems.

The Guidance is divided into different sections, highlighting several critical issues that organizations should consider, such as:

  • PECR adherence: Profiling tools using storage and access technologies on user devices must comply with PECR, requiring prior consent in accordance with the standard of consent required by UK GDPR, unless exemptions apply.
  • Lawful basis for processing: Profiling activities must have a lawful basis under the UK GDPR, such as consent or legitimate interests, and must comply with any additional conditions for processing special category or criminal offense data.
  • Transparency: Clear information must be provided to users about how their data is being used in profiling processes. The Guidance recommends that organizations should regularly review their profiling tools to minimize the risk of unfair outcomes for users.
  • Data minimization: Organizations must define clear, specific purposes for collecting and processing data with profiling tools, ensuring only data that is necessary for such purposes is used.
  • Accuracy: Organizations should ensure profiling tools process accurate, up-to-date information, and allow users to challenge inaccuracies. Since many profiling tools are likely to use AI and automation, organizations should distinguish predicted outcomes from factual data and balance statistical accuracy against fairness, considering measures such as precision and recall and the risks that each kind of error poses to users.
  • Retention: Profiling tools must not keep personal information longer than necessary. Organizations must establish retention periods and erase or anonymize personal information when it is no longer needed.
  • Automated decision-making: Organizations must identify if profiling tools make solely automated decisions with legal or similarly significant effects and ensure compliance with Article 22 of the UK GDPR by, for example, mapping workflows, providing transparency, and implementing safeguards such as human intervention.
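The Accuracy point above asks organizations to look past a single accuracy figure at precision, recall and the risk each type of error carries for users. The following is an added example, not part of the ICO Guidance or any named profiling product, showing what that evaluation looks like in practice. It assumes a hypothetical profiling tool that scores accounts on the likelihood they belong to a child so that protective restrictions can be applied; the scores, ground-truth labels and the cohort labels "A" and "B" are all constructed for illustration. A false positive here is an adult wrongly restricted, a false negative a child left unprotected, and the per-cohort false positive rate is the fairness check the Guidance's regular-review recommendation points at.

```python
"""Added example (not from the ICO Guidance): evaluating a hypothetical
profiling tool's precision, recall and per-cohort error rates so that the
trade-off between the two kinds of error can be reviewed explicitly.
All data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    score: float     # hypothetical model score: estimated likelihood the account belongs to a child
    is_child: bool   # ground truth established afterwards (e.g. through later age verification)
    group: str       # hypothetical cohort label, used only to compare error rates between cohorts


# Constructed sample: 12 accounts, 6 per cohort. Not real data.
SAMPLE = [
    Outcome(0.90, True, "A"), Outcome(0.80, True, "A"), Outcome(0.60, True, "A"),
    Outcome(0.55, False, "A"), Outcome(0.30, False, "A"), Outcome(0.20, False, "A"),
    Outcome(0.85, True, "B"), Outcome(0.65, True, "B"), Outcome(0.45, True, "B"),
    Outcome(0.75, False, "B"), Outcome(0.60, False, "B"), Outcome(0.10, False, "B"),
]


def _ratio(num, den):
    # A rate with no denominator (no positives or no negatives in the slice) is
    # reported as 0.0 instead of raising, so small cohorts do not crash the review.
    return num / den if den else 0.0


def confusion(outcomes, threshold):
    """Return (tp, fp, fn, tn) when every account with score >= threshold is flagged."""
    tp = fp = fn = tn = 0
    for o in outcomes:
        flagged = o.score >= threshold
        if flagged and o.is_child:
            tp += 1          # child correctly protected
        elif flagged:
            fp += 1          # adult wrongly restricted (over-blocking harm)
        elif o.is_child:
            fn += 1          # child missed (exposure harm)
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics(outcomes, threshold):
    """Precision, recall and false positive rate overall, plus FPR per cohort and the gap between cohorts."""
    tp, fp, fn, tn = confusion(outcomes, threshold)
    by_group = defaultdict(list)
    for o in outcomes:
        by_group[o.group].append(o)
    fpr_by_group = {}
    for group, rows in sorted(by_group.items()):
        _, gfp, _, gtn = confusion(rows, threshold)
        fpr_by_group[group] = _ratio(gfp, gfp + gtn)
    rates = list(fpr_by_group.values())
    return {
        "precision": _ratio(tp, tp + fp),   # of those restricted, the share who really were children
        "recall": _ratio(tp, tp + fn),      # of all children, the share the tool protected
        "fpr": _ratio(fp, fp + tn),         # share of adults wrongly restricted
        "fpr_by_group": fpr_by_group,
        "fpr_gap": (max(rates) - min(rates)) if rates else 0.0,  # disparity between cohorts
    }


if __name__ == "__main__":
    # Compare two candidate thresholds: the higher one restricts fewer adults
    # but protects fewer children; the cohort gap shows whether the burden of
    # wrong restrictions falls evenly.
    for threshold in (0.5, 0.7):
        m = metrics(SAMPLE, threshold)
        print(f"threshold={threshold:.2f} precision={m['precision']:.2f} "
              f"recall={m['recall']:.2f} fpr={m['fpr']:.2f} "
              f"fpr_by_group={ {g: round(v, 2) for g, v in m['fpr_by_group'].items()} } "
              f"fpr_gap={m['fpr_gap']:.2f}")
```

On the constructed sample, raising the threshold from 0.5 to 0.7 lifts precision from 0.625 to 0.75 (fewer adults wrongly restricted) while cutting recall from 0.83 to 0.5 (half the children go unprotected), and cohort B keeps a higher false positive rate than cohort A at both thresholds. Neither threshold is "more accurate" in the abstract; which error is worse depends on the risk to users, which is the judgement the Guidance asks organizations to document and revisit.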

Organizations have until October 31, 2025, to provide the ICO with feedback on the Guidance.  
