Grok, the Online Safety Act, and UK AI Regulation

GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.

Listen back on Spotify

Episode highlights

This session covers three big themes that many organisations are grappling with right now.

1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.

2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.

3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.

Key takeaways for organisations

• If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
• If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
• If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
• When new tech risks emerge, reactive fixes often fall short, governance and risk management need to be built in from day one.

Useful links

• Privacy notice
• Claim CPE credits
• Register for the podcast / join the community
• Listen on Spotify

Related from Data Protection People

• STAIRs event, 5 February, Leeds (limited tickets remaining)
• Upcoming session: DPIAs that actually protect people
• SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance

About GDPR Radio

GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.

Speakers

Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People