Data law | UK Regulatory Outlook June 2026
Published on 30th June 2026
UK updates: ICO publishes its final guidance for consumer IoT products and services | New data protection complaints requirements under DUA Act now in force | ICO responds to government on AI innovation plan | ICO responds to government's proposal for a social media ban for under-16s | EU updates: EU co-legislators agree to extend GDPR record-keeping exemptions to small mid-cap companies | EDPB consults on template for personal data breach notification
UK updates
ICO publishes its final guidance for consumer IoT products and services
The Information Commissioner's Office (ICO) has published its final guidance for consumer Internet of Things (IoT) products and services following consultation. It is aimed at organisations that process personal information in connection with IoT products, such as smart speakers, connected TVs and toys, fitness trackers and smart watches, smart security cameras and baby monitors. It explains how data protection law and the Privacy and Electronic Communications Regulations 2003 apply to the processing of personal information in consumer IoT products. The guidance also applies to user devices (such as mobile phones and tablets) on which software or apps are installed that enable, configure or control the functionality of an IoT product.
The ICO states that it is now turning its attention to connected TVs, and will be "engaging with connected TV manufacturers this year to assess whether they are complying with the law and offering consumers meaningful choice over how their data is used".
New data protection complaints requirements under DUA Act now in force
The new data protection complaints requirements for controllers under the Data (Use and Access) Act 2025 came into effect on 19 June 2026. Controllers must now have mechanisms in place to provide data subjects with a way of making data protection complaints to them and acknowledge receipt of complaints within 30 days. They must also, without undue delay, both take appropriate steps to respond to complaints, including making appropriate enquiries and keeping complainants informed, and inform them of the outcome of their complaints.
The ICO published guidance on this requirement in February. For many organisations, the new duty required relatively little additional action to achieve compliance. However, there are some practical steps that controllers should have taken to comply. See this Insight for more information.
ICO responds to government on AI innovation plan
The ICO has published a response to the government, which asked it to publish a plan for enabling safe AI-powered innovation. The ICO has set out the progress it is making on its AI and biometrics strategy and has stated that it is developing an updated AI workplan for 2026/27. The workplan will focus on two overarching objectives: ensuring the public understands and has control over how AI systems process their personal data, and providing regulatory clarity to organisations deploying AI systems, including agentic systems.
Planned actions include:
- Developing an AI and automated decision-making (ADM) statutory code of practice. The ICO's consultation on its updated guidance on ADM, including profiling, closed on 29 May 2026. The guidance is intended to inform parts of the ICO's code of practice (see this Regulatory Outlook for background).
- Publishing dedicated guidance on agentic AI and UK GDPR to ensure organisations developing and deploying agentic AI tools and systems understand their data protection obligations.
- Producing public-facing resources to help individuals take informed decisions about the use of their personal data by online AI tools and services.
- Supporting organisations, in particular small and medium-sized enterprises (SMEs) and public bodies, with data protection due diligence for cloud-based AI tools and services.
- Streamlining the ICO's innovation and sandbox services.
- Addressing public concerns regarding the increasing personalisation of consumer-facing AI services and working with major tech companies to ensure that their products meet their customers' expectations in a transparent and privacy-focused way.
The ICO will also continue to support the government's development of AI Growth Labs.
ICO responds to government's proposal for a social media ban for under-16s
The government has announced a package of measures that it says will better protect children online, including an Australian-style ban on social media for under-16s. Although the announcement refers to a "social media" ban, the proposal is in fact much wider and will affect other product features and businesses. The government says that it will "go further than a blanket ban on social media with world-leading blocks on harmful functions such as livestreaming and stranger communication with children for under-16s. These restrictions – which together with the ban go further than any other country – will apply to a wider range of online services." Read more in this Insight.
In response to the announcement, the ICO has highlighted that it is already taking steps under data protection law to ensure that social media platforms prevent underage users from accessing their services. Where a platform sets a minimum age (currently 13 for most major platforms, as set in their own terms), it must ensure that children below that age cannot access those services. The ICO can take formal enforcement action against services that fail to enforce their own age restrictions, as demonstrated by its recent fine against Reddit.
Additionally, in March 2026, the ICO and Ofcom published a joint statement on age assurance, setting out what online services need to do to meet their obligations under both the Online Safety Act 2023 and UK data protection law simultaneously. See this Regulatory Outlook for more information.
EU updates
EU co-legislators agree to extend GDPR record-keeping exemptions to small mid-cap companies
In May 2025, the European Commission published its "Omnibus IV" simplification package, which proposed, among other things, to introduce a new category of "small mid-cap companies" (SMCs) and extend to them certain exemptions currently available to SMEs. See this Regulatory Outlook for background.
The European Parliament and the Council of the EU have now reached a provisional agreement on the proposal. Under the provisional agreement, the new SMC category, which covers companies that have outgrown the SME definition, is defined as enterprises with fewer than 1,000 employees and either up to €200 million in turnover or up to €172 million in total assets (the Commission had originally proposed thresholds of 750 employees, €150 million in turnover and €129 million in total assets).
The agreement envisages, among other things, extending to SMCs the exemption from certain record-keeping obligations under the EU GDPR where the processing is not likely to result in a high risk to the data subject's rights.
The provisional agreement needs to be formally adopted by the Parliament and the Council. The co-legislators also extended the transposition deadline for the directive to 24 months.
EDPB consults on template for personal data breach notification
The European Data Protection Board (EDPB) has adopted a common data breach notification template with the aim of making "GDPR compliance easier and strengthen consistency across Europe". The template provides predefined options to choose from and further guidance on how to fill in the fields.
The template is subject to a consultation which closes on 5 August 2026. Following the consultation process, the EDPB will decide on the timeline for the practical implementation of the template by all data protection authorities.