The UK Information Commissioner’s Office (ICO) has released guidance about meeting data protection obligations when using profiling tools for trust and safety purposes.
The guidance highlights a tension between two important types of duty: keeping users safe from harmful and illegal content, and protecting personal data and privacy.
Here’s an outline of the ICO’s guidance, which is particularly important for services impacted by the Online Safety Act (OSA).
Jump to:
- What is the ICO’s guidance about?
- What is the Online Safety Act?
- What is profiling under the UK GDPR and the OSA?
- Why would a company need to conduct profiling under the OSA?
- What is the best legal basis for profiling under the OSA?
- Do I need consent under PECR for profiling under the OSA?
- What are some other important data protection implications?
What is the ICO’s guidance about?
The ICO’s guidance explains the data protection and privacy rules that organizations must follow when using profiling tools for trust and safety purposes.
It is primarily aimed at online services that need to comply with the Online Safety Act 2023 (OSA), but its principles apply to any organization using profiling to keep users safe.
The document explains how to comply with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) when deploying these technologies.
The guidance covers:
- What constitutes a profiling tool
- The types of personal data profiling tools typically process
- How profiling tools are used to make moderation decisions
The guidance does not cover:
- Profiling for personalizing user experiences or targeting ads
- The specific technical aspects of training AI models
- Profiling used purely for age estimation purposes
What is the Online Safety Act?
The OSA is a UK law establishing a new regulatory framework for certain online services. Its main goal is to improve user safety and increase the accountability of tech companies for the content shared on their platforms.
The OSA imposes a range of legal duties on providers of “user-to-user services” and “search services” to assess and manage the risks of harm to their UK users.
These duties require services to take “proportionate measures” to tackle illegal content, such as terrorism or child sexual abuse material. They must also have systems in place to swiftly remove such content once they become aware of it.
The OSA is enforced by Ofcom, which creates codes and guidance under the law.
What is profiling under the UK GDPR and the OSA?
The ICO’s guidance distinguishes between the definitions of profiling under the UK GDPR and the OSA.
- Under Article 4(4) of the UK GDPR, profiling means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…”.
- The OSA does not define or use the term “profiling” in the same way as the UK GDPR; it instead refers to types of “proactive technology”, which include “user profiling technology” and “behavior identification technology”.
Despite these differences, the ICO expects that technologies as defined in the OSA will almost always involve “profiling” as defined in the UK GDPR.
This means that any service using these OSA-related technologies to fulfil its safety duties must also comply with the UK GDPR.
Why would a company need to conduct profiling under the OSA?
OSA-covered services must implement “proportionate systems and processes” to mitigate risks and prevent harm.
Profiling is one of the tools a service might choose to deploy to meet this legal obligation effectively. For instance, analyzing user behavior patterns can help detect grooming, scamming, or the creation of inauthentic bot accounts, which helps a service fulfil its duty to protect users.
In practice, profiling is likely to be the most appropriate way for many companies to meet their OSA duties. Ofcom’s codes specifically recommend certain types of profiling technologies, and an organization that chooses not to follow those recommendations would need a strong justification, backed by evidence that its alternative measures are at least as effective.
What is the best legal basis for profiling under the OSA?
The ICO’s guidance identifies two main lawful bases under the UK GDPR for OSA compliance:
- “Legal obligation”: May be appropriate to comply with the statutory duties set out in the OSA if the service can show that the profiling activity is necessary and proportionate to meet those duties.
- “Legitimate interests”: May be appropriate if the service cannot rely on “legal obligation” but can demonstrate a legitimate interest in protecting its users from harm, provided the processing is necessary for that interest and is not overridden by the interests and rights of the people being profiled.
Other legal bases, such as “contract” and “consent”, will generally not be appropriate for profiling under the OSA—though note the UK GDPR’s interaction with the Privacy and Electronic Communications Regulations 2003 (PECR), explained below.
Do I need consent under PECR for profiling under the OSA?
PECR (Regulation 6) generally requires consent to store information on, or access information already stored on, a user’s device. Whether you need consent under PECR therefore depends partly on how your profiling tool operates.
If your profiling tool works purely server-side, analyzing data the user has already sent to your service, and involves no other means of storing or accessing information on the user’s device, PECR does not apply. By contrast, a tool that sets a cookie, reads a device identifier or runs client-side scripts to collect device characteristics is storing or accessing information on the device, and PECR does apply.
Even if PECR applies, the guidance explains that PECR’s so-called “strictly necessary” exemption (Regulation 6(4)(b)) can apply if using the technology is the “only reasonable and proportionate way to comply with your OSA duties.” In this specific scenario, you would not need to get consent.
What are some other important data protection implications?
The full range of relevant UK GDPR obligations applies whenever you process personal data. In particular, the ICO emphasizes that:
- You must conduct a data protection impact assessment (DPIA) before starting, because profiling of this kind is likely to result in a high risk to individuals (Article 35 UK GDPR).
- If your tools make solely automated decisions that produce legal or similarly significant effects on users (for example, suspending an account with no human review), you must meet the extra requirements of Article 22 UK GDPR.
- You must comply with the UK GDPR’s principles, such as “data minimization” and “purpose limitation”.
- You must take special care with children’s data.
- You must respect and facilitate people’s data protection rights.
Careful consideration of data protection law can help you meet the UK’s evolving digital regulatory requirements in a way that maintains users’ trust.