ICO Guidance on Anonymisation and Children's Data - info for marketers

In April 2025, the Information Commissioner's Office (ICO) published updated guidance on two crucial areas for organisations handling personal data: anonymisation and the responsible use of children’s data. These updates form part of the ICO’s wider strategy to support innovation while maintaining public trust and legal compliance, especially in sectors such as digital marketing where data plays a pivotal role in personalisation, targeting, and analytics.

What’s New in the ICO Guidance?

The revised guidance on anonymisation and pseudonymisation expands on the ICO's earlier work and reflects the increasing complexity of modern data practices. It explains how organisations can process data in a way that protects individual identities, detailing the conditions under which information is considered “anonymised” and thus outside the scope of the UK GDPR.

A major focus is on the distinction between anonymisation and pseudonymisation. Anonymised data is stripped of all identifiers irreversibly, meaning the individual cannot be re-identified by any reasonably likely means. Pseudonymised data, by contrast, still qualifies as personal data under the GDPR, as re-identification is possible if additional information is available.

The ICO outlines recommended safeguards, including data minimisation, secure key management, access controls, and regular testing of anonymisation methods. It also provides examples of how anonymised datasets can be safely used for analytics, research, and innovation without infringing privacy rights.

In parallel, the ICO released an update urging organisations to improve how they handle children’s data, particularly in the financial services sector. The ICO reiterated the ongoing relevance of the Age Appropriate Design Code (or Children’s Code), highlighting how digital services must ensure that children’s rights and interests are prioritised. Key recommendations include age-appropriate privacy notices, minimisation of data collection, limits on profiling, and robust risk assessments when engaging with under-18 users.

Why Does This Matter to Marketers?

1. Clarity on Compliance Boundaries

Many marketers use aggregated or de-identified data to generate insights and inform campaigns. The new guidance helps clarify when such datasets can be considered genuinely anonymised – and when they remain subject to GDPR.

2. Reputational and Legal Risk Management

Inaccurate assumptions about anonymisation can expose businesses to enforcement risk. Marketers must work closely with data protection officers and analysts to ensure safeguards are in place and re-identification risks are mitigated.

3. Engagement with Younger Audiences

If a product or campaign could reasonably appeal to children, the marketing approach must comply with the Children’s Code. This includes limiting data collection, avoiding manipulative design patterns, and ensuring transparent messaging.

4. Enhancing Ethical Practice

Consumers increasingly expect brands to demonstrate transparency and respect for privacy. Strong anonymisation and a responsible approach to children’s data help build trust and long-term customer loyalty.

5. Using Data Strategically and Safely

Proper anonymisation techniques allow businesses to unlock insights from their data while staying within legal limits. This supports innovation without sacrificing compliance.

As data governance continues to evolve, this guidance provides a timely resource for marketing professionals seeking to future-proof their strategies, reduce risk, and embed ethical data use at the heart of their operations.

For further information, visit the ICO's guidance on [anonymisation and pseudonymisation](https://ico.org.uk/for-organisations/anonymisation/).