
UK Data (Use and Access) Act 2025: What’s Required for Compliance Now

Summary
  • The UK Data (Use and Access) Act 2025 (DUAA) became law on June 19, 2025, with the majority of provisions in force from February 5, 2026, and further obligations in effect June 19, 2026.
  • The DUAA amends the UK GDPR, the Data Protection Act 2018, and PECR. It does not replace them; businesses compliant with the existing framework are not starting from scratch.
  • A new seventh lawful basis, recognised legitimate interests, removes the need for a balancing test for defined public-interest purposes, but does not cover commercial activities such as marketing.
  • Five new exemptions from cookie consent now apply, including analytics cookies used solely for aggregate statistics, though advertising-related uses remain outside the exemptions.
  • PECR penalties are now aligned with UK GDPR levels: up to GBP 17.5 million or 4 percent of global annual turnover, whichever is higher, with the previous requirement to prove substantial damage and distress removed.
  • The ICO has gained significantly expanded investigatory powers, including compelled interviews, approved-person reports at the organization’s expense, and specific document production notices.

The UK’s Data (Use and Access) Act 2025 (DUAA) became law on June 19, 2025, and as of mid-2026 is now substantially in force. Provisions were phased in across a 12-month window, with the final provisions active by June 2026.

For businesses operating in the UK, or serving UK users from anywhere in the world, the question is no longer whether to prepare but how urgently. The DUAA brings a combination of genuine compliance flexibility and substantially higher enforcement risk, and understanding both sides of that equation is now a business-critical priority.

What the DUAA Is and What It Isn’t

The DUAA amends, but does not replace, the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). Businesses already compliant with those frameworks are not starting from scratch. 

The DUAA does, however, introduce enough material changes and meaningfully higher enforcement risk that treating it as a minor housekeeping update would be an error.

If you serve UK customers and process their data, the DUAA applies regardless of what country your business is based in. Extraterritorial scope is not new to data protection law, but it is worth stating clearly: global businesses with a UK user base are in scope and need to act accordingly.

Key Compliance Changes with the DUAA

The DUAA introduces eight material changes to the UK data protection framework, spanning lawful bases, automated decision-making, data subject rights, cookie compliance, and ICO enforcement powers. The sections below address each in turn.

1. A New Lawful Basis: Recognised Legitimate Interests

The DUAA introduces a seventh lawful basis for processing personal data. Unlike the existing legitimate interests basis, the recognised legitimate interests basis requires no balancing test, provided the processing meets one of the conditions set out in Annex 1.

Eligible purposes include protecting public security, detecting or preventing crime, and safeguarding vulnerable individuals. Recognised legitimate interests do not extend to commercial processing. 

Marketing activities, intra-group data sharing, and network security measures remain legitimate interests under Article 6(1)(f), requiring a full assessment including balancing organizational interests against data subject rights.

Businesses should audit their existing processing activities to identify where this new basis might simplify their legal justifications, and update their Records of Processing Activities (RoPAs) and privacy notices accordingly.

2. Changes to Automated Decision-Making

The new approach to automated decision-making (ADM) moves to a permission-but-with-safeguards regime for decisions not involving special category data, meaning certain decisions may no longer be subject to the more severe restrictions that previously applied.

Significant automated decisions no longer require explicit consent when special category data such as health or ethnicity is not involved. Safeguards remain in place: you must still provide notice of automated decisions, offer a right to contest them, and provide human review on request.

Organizations may now rely on any lawful basis, including legitimate interests, for automated decision-making, subject to appropriate safeguards being in place. However, recognised legitimate interests is explicitly prohibited as a lawful basis for significant automated decisions.

3. Data Subject Requests: Clarified Clock-Stopping

The DUAA establishes that controllers need only carry out reasonable and proportionate searches for information and personal data in response to a data subject access request (DSAR).

The DUAA also clarifies that the response deadline for data subject requests starts when the organization receives the request, any further information requested to verify the requestor’s identity, or a fee if the organization has requested one for a manifestly unfounded or excessive request. This codifies the ICO’s existing guidance on stopping the clock, giving it statutory weight.

4. Cookie Compliance: New Exemptions and Expanded Scope

Cookie compliance is one of the most significant practical areas of change under the DUAA, on both sides of the ledger. Five new exemptions from the cookie consent requirement now apply:

  • Analytics cookies for collecting aggregate statistics to improve services
  • Security cookies for fraud prevention and device security
  • Functionality cookies for enhancing service features
  • Software update cookies
  • Interface customization cookies

The analytics exemption is particularly significant. If your sole purpose is collecting aggregate statistics to improve your website, you can now run analytics without consent. There are conditions, however: you must clearly explain the use, offer a simple, free way to opt out, and ensure the data cannot be used to identify individual visitors. The ICO has been explicit that advertising-related activities sit outside these exemptions.

The DUAA also expands the scope of the cookie rules to include those who instigate the storage of or access to information on devices, not just those who place cookies directly. This broadens the category of organizations with potential liability in ways that are not always obvious from a straightforward reading of the old rules.

Learn more about cookie consent and what a compliant cookie policy needs to include.

5. Re-use of Personal Data: Expanded Compatibility

The rules on re-purposing personal data have been clarified and broadened, with wider circumstances now considered compatible with the original purpose of collection. These include scientific research, historical research and statistical purposes, public security, and detecting, investigating, or preventing crime.

This is a meaningful change for organizations engaged in research or data-sharing partnerships, as it reduces the compliance burden of demonstrating compatibility for these use cases.

Learn more: Are cookies personal data? Here’s everything you need to know.

6. Complaints Handling Requirements

The DUAA requires organizations to take steps to help individuals who want to make complaints about how their personal information is used, such as providing an electronic complaints form. Organizations must also acknowledge complaints within 30 days and respond without undue delay.

This obligation comes into force June 19, 2026. Organizations should review their complaints process, resource it appropriately, and/or revise their privacy notices accordingly.

7. Children and Online Services

If you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account when deciding how to use their personal information. Businesses already conforming to the ICO’s Age Appropriate Design Code should be well-positioned, but those that have not engaged with that framework need to act.

8. International Data Transfers: New Terminology

A new UK test for data bridges, formerly known as adequacy, also enters into force. The test is now whether the standards of data protection in a destination country are “not materially lower” than those applicable under the UK GDPR. 

This is a terminology and framing shift as much as a substantive one, but privacy notices, transfer impact assessments, and data processing agreements that reference the old adequacy framework will need updating. 

Learn how the UK framework now diverges from its EU counterpart in our UK GDPR vs EU GDPR guide.

Enforcement: A Materially Stronger Regulator

The DUAA significantly expands both the ICO’s investigatory powers and the financial penalties available to it. The changes affect PECR enforcement, data subject rights, and the regulator’s ability to compel evidence and cooperation.

Dramatically Higher Penalties for PECR Breaches

Previously, PECR breaches such as unlawful direct marketing attracted much lower maximum penalties than UK GDPR infringements. Now, businesses face fines of up to the greater of GBP 17.5 million or four percent of global annual turnover for PECR violations.

The requirement to establish that a contravention of PECR has caused substantial damage and distress has also been removed, making it easier for claimants to bring claims.

The practical consequence: cookie and direct marketing compliance now carry the same financial exposure as a major data security breach. Businesses that have been taking a risk-based view on PECR requirements, particularly around analytics and marketing cookies, need to substantially revise that risk assessment. 

The ICO’s active review of the UK’s top 1,000 websites for cookie compliance underscores that enforcement in this area is not theoretical.

Expanded ICO Investigatory Powers

The DUAA confers significant new regulatory powers on the ICO, including the ability to compel witnesses to attend interviews, require the production of technical reports, and impose substantial penalties. In practical terms this covers three main areas.

Interview Notices

The DUAA introduces a new power allowing the ICO to compel a person to attend an interview and answer questions if they work, or have worked, for or on behalf of an organization subject to data protection law. 

This applies if the ICO suspects that a person or organization has failed to comply with data protection law or has committed an offence under it.

Approved Person Reports

The ICO can now require controllers to appoint an approved person to report on specified topics, such as forensic analysis of a data breach. If an organization fails to nominate anyone within the specified timescale, the ICO is empowered to approve a suitable person itself.

Document Production Notices

The ICO can now require specific documents to be provided, rather than just categories of information.

These investigative powers can be used to examine conduct that occurred before the commencement date. The new enforcement powers, however, generally only apply to conduct after February 5, 2026.

How the ICO Will Approach Enforcement During Transition

The ICO has signalled a measured approach during the early transition period. It has confirmed it will apply the law as it stood at the time an infringement occurred, and will take into account the guidance available at the relevant time when assessing potential non-compliance.

Where the ICO is considering regulatory action on alleged non-compliance with an existing provision that is being removed, amended, or replaced with a similar provision under the DUAA, it will make a judgment on whether to proceed under the old provision or, where there is ongoing non-compliance, consider action under the new provisions.

That measured tone does not mean light-touch enforcement overall. Between January and June 2025, two-thirds of ICO penalties addressed UK GDPR infringements rather than marketing violations, with the regulator increasingly prioritising systemic data protection failures at large organizations. 

The elevation of PECR penalties to GDPR-equivalent levels signals that ePrivacy enforcement will receive renewed attention alongside security failures going forward.

DUAA Compliance Actions: Where to Start

The DUAA introduces changes across lawful bases, cookie compliance, automated decision-making, data subject rights, and ICO enforcement powers, and most of them are already in force. The practical question for most businesses is not whether action is required, but where to direct effort first.

The following are the highest-priority areas. Not every organization will face the same exposure, but the combination of new flexibility and substantially higher penalties means that a triage approach, starting with cookie compliance and privacy documentation, is likely to be the most defensible use of limited compliance resources.

Update Privacy Notices and RoPAs

The introduction of recognised legitimate interests, changes to automated decision-making, the new data transfer test, and the forthcoming complaints procedures all require corresponding updates to privacy information and records of processing. 

Audit Cookie Consent Practices

With PECR penalties now aligned with UK GDPR levels:

  • Review consent banners to ensure that accept and reject options have equal prominence
  • Verify that non-essential cookies do not fire before consent
  • Consider whether DUAA exemptions might apply to analytics or functionality cookies

A consent management platform like Usercentrics CMP automates cookie scanning, categorization, and blocking until valid consent is obtained, and maintains the audit-ready consent records you will need if the ICO investigates you.

Review Automated Decision-Making Processes

Verify that your automated systems meet the updated requirements, and implement the necessary safeguards, particularly where special category data is not involved and you plan to rely on the new, more flexible regime.

Revise DSAR Handling Procedures

Update workflows to include the clarification step, and train staff on when requesting clarification is appropriate and how to document the clock-stopping period correctly.

Prepare Your Complaints Process

Implement a compliant complaints mechanism, including an electronic form, a 30-day acknowledgment workflow, and a process for responding without undue delay. The deadline is June 19, 2026.

Prepare for ICO Investigations

The ICO’s expanded powers include requirements to commission reports by approved persons at the organization’s expense and issue interview notices compelling individuals to attend and answer questions.

Early legal engagement helps protect the position, support procedural compliance, and identify mitigation opportunities.

The Bigger Picture

The DUAA is the UK’s first significant departure from EU-derived data protection law since Brexit. Its intent is to reduce administrative burden while preserving fundamental protections and, critically, maintaining the UK’s data adequacy status with the EU. 

Whether it achieves that balance will become clearer as ICO guidance continues to be published and enforcement begins in earnest.

While substantial changes to existing data protection frameworks are not required immediately in all cases, organizations should stay informed and proactive. Compliance under the DUAA will require ongoing review as the regulatory position develops through the remainder of 2026.

For businesses managing consent, running cookies or direct marketing, or processing personal data at scale, the combination of new flexibility and dramatically higher penalties makes this a moment to invest in compliance infrastructure, not defer it.

Get your UK consent and cookie compliance in order

The DUAA raises the stakes for PECR non-compliance to the level of a major data breach fine. Usercentrics helps UK businesses collect valid consent, manage cookie compliance, and maintain the audit-ready records regulators expect.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH