UK data protection law introduces mandatory complaint reporting requirements

Data controllers must now track and report complaint metrics to the ICO under the section 164B framework.

Data Protection Act 2018 coat of arms showing UK government's legislative framework for privacy laws

UK data protection compliance entered a new phase on July 10, 2025, when the Data (Use and Access) Act 2025 introduced section 164B, mandating controllers to notify the Information Commissioner's Office (ICO) about complaint volumes received under section 164A. According to the legislative framework, "The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations."

The amendment represents the most significant enhancement to UK data protection reporting obligations since the UK GDPR implementation. Controllers operating across sectors including marketing technology, advertising platforms, and e-commerce must now establish systematic complaint tracking mechanisms beyond simple response protocols.

Bird & Bird LLP prepared comprehensive Keeling Schedules documenting these changes. According to the firm's analysis published July 10, 2025, "controllers are now required to provide metrics about their responses to UK data protection requests." Ruth Boardman, co-head of Bird & Bird's Privacy & Data Protection Practice, noted that regulations may establish specific reporting periods and circumstances triggering notification requirements.

Summary

Who: UK data controllers across all sectors, including marketing technology platforms, advertising networks, and e-commerce operations, must implement the new complaint reporting requirements under supervision from the Information Commissioner's Office.

What: Section 164B of the Data (Use and Access) Act 2025 mandates controllers to notify the ICO about complaint volumes received under section 164A, establishing systematic tracking and reporting obligations for data protection complaints beyond existing response requirements.

When: The legislation received Royal Assent on July 10, 2025, with implementation timelines to be established through secondary regulations within an estimated 18-month period, allowing for sector-specific rollout schedules.

Where: The requirements apply across England, Wales, Scotland, and Northern Ireland for all data processing activities subject to UK data protection legislation, affecting both domestic and international organizations processing UK personal data.

Why: The framework aims to enhance data protection enforcement through systematic monitoring of complaint patterns and response effectiveness, providing regulators with comprehensive oversight tools while ensuring individuals receive appropriate remedies for data protection violations.

Technical implementation requirements

Section 164B grants the Secretary of State regulatory authority to determine notification mechanics. According to the statutory text, regulations may include "provision about a matter listed in subsection (4), or provision conferring power on the Commissioner to determine those matters." These matters encompass notification form and manner, timing parameters, and calculation methodologies for complaint volumes during specified periods.

The legislation establishes that controllers need only report during circumstances "specified in the regulations," indicating a threshold-based system rather than universal reporting. This approach mirrors enforcement patterns observed across European jurisdictions, where data protection authorities have demonstrated varying levels of enforcement activity.

Complaint handling framework

Section 164A establishes the foundation for the reporting system by codifying complaint procedures. Controllers must "facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means." The provision requires acknowledgment within 30 days and mandates controllers to "without undue delay take appropriate steps to respond to the complaint, and inform the complainant of the outcome of the complaint."

These requirements align with broader European trends emphasizing transparency in data protection compliance. Recent enforcement actions have highlighted the importance of clear communication with data subjects, as demonstrated by Spotify's €5.4 million penalty for transparency failures confirmed by Swedish courts in June 2025.

Enforcement implications

Section 149(5A) designates failure to comply with sections 164A or 164B as grounds for enforcement notices. According to the statutory language, "The fifth type of failure is where a controller has failed, or is failing, to comply with section 164A or with regulations under section 164B." This classification places complaint handling violations alongside fundamental data protection breaches such as UK GDPR principle violations and data subject rights infringements.

The enforcement framework indicates the government's intention to treat complaint transparency as a core compliance obligation rather than an administrative requirement. Marketing professionals operating programmatic advertising platforms and customer data platforms should anticipate ICO scrutiny of complaint response procedures alongside traditional data processing assessments.

Impact on marketing operations

Digital marketing operations face particular challenges implementing the new requirements. Programmatic advertising platforms processing millions of bid requests daily must now systematically track and categorize data protection complaints. Customer relationship management systems require updates to capture complaint metadata necessary for regulatory reporting.

The timing coincides with ongoing debates about consent mechanisms across European markets. Marketing technology vendors deploying "consent or pay" models may experience increased complaint volumes as privacy advocates challenge these practices through data protection channels.

Attribution modeling and audience segmentation technologies must also prepare for enhanced scrutiny. Recent developments in AI training data processing demonstrate courts' willingness to examine technical implementation details when assessing legitimate interests for data processing.

Regulatory precedents

The UK approach reflects broader European enforcement patterns emphasizing administrative compliance alongside substantive data protection requirements. German authorities have faced legal challenges over enforcement delays, highlighting the importance of systematic complaint processing procedures.

Swedish authorities demonstrated the financial consequences of inadequate transparency. According to court documentation, Spotify's violations centered on "failing to provide clear and easily accessible information necessary for registered users to exercise their rights under the regulation." The penalty calculation considered both violation severity and user impact scale.

Implementation timeline

The Data (Use and Access) Act received Royal Assent with provisions taking effect through staged implementation. Section 212 establishes that most provisions "come into force on such day as the Secretary of State may by regulations appoint." Transitional arrangements under section 213 and Schedule 20 provide flexibility for organizations adapting existing compliance systems.

Controllers should anticipate regulations specifying reporting thresholds, calculation methodologies, and notification procedures within 18 months. The Secretary of State retains authority to establish different implementation dates for different regulatory aspects, potentially allowing sector-specific rollouts.

International coordination

UK authorities continue coordinating with European counterparts despite post-Brexit regulatory divergence. The European Data Protection Board's recent guidance on AI model privacy compliance indicates continued alignment on fundamental privacy principles even as specific requirements evolve differently.

Cross-border data transfer arrangements remain critical for multinational marketing operations. Controllers processing UK personal data from European Economic Area operations must navigate both UK complaint reporting requirements and European transparency obligations under GDPR Article 15.

Looking ahead

The complaint reporting framework signals broader UK intentions to enhance data protection enforcement through systematic monitoring rather than reactive investigation. Marketing professionals should prepare for increased regulatory visibility into complaint patterns and response effectiveness.

Future regulations may establish industry-specific thresholds reflecting sector complaint volumes and resolution complexity. Financial services and telecommunications sectors with established complaint handling procedures may face different requirements than emerging technology platforms with limited historical complaint data.

Timeline