
UK Data (Use and Access) Act 2025: A Practical Guide for Website Owners

Read time: 10 mins
Published: May 25, 2026
  • The UK Data (Use and Access) Act 2025 (DUAA) became law on June 19, 2025, with most provisions applying from February 5, 2026, and a second wave of obligations effective June 19, 2026.
  • The DUAA amends the UK GDPR, the Data Protection Act 2018, and PECR. It does not replace them, so your existing compliance work remains the foundation to build on.
  • A new “recognised legitimate interests” lawful basis allows certain public-interest processing without a balancing test, but commercial activities such as marketing are explicitly excluded.
  • Five categories of cookies are now exempt from consent requirements, including analytics cookies used solely for aggregate statistics, but advertising-related uses remain subject to the same consent rules as before.
  • PECR penalties have increased sharply, now matching UK GDPR levels: up to GBP 17.5 million or four percent of global annual turnover, whichever is higher, with the previous damage-and-distress threshold removed.
  • The ICO can now compel witness interviews, commission forensic reports at your organization’s expense, and require production of specific documents, making audit-readiness more important than ever.

The UK Data (Use and Access) Act 2025 (DUAA) applies to any website that collects data from UK visitors, wherever your business is based. The Act became law in June 2025 and is now substantially in force, with the final tranche of obligations landing in June 2026.

The DUAA is not a wholesale replacement of UK data protection law. It amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). But the changes it introduces, particularly around cookie consent exemptions and PECR enforcement, have direct, practical consequences for how websites are operated, and the financial stakes have risen considerably.

What the DUAA Changes and What It Doesn’t

The DUAA works by amending existing UK data protection regulations rather than replacing them. The UK GDPR, the Data Protection Act 2018, and PECR all remain in place. The DUAA modifies them in specific areas.

That is good news for businesses that have already invested in compliance. Your privacy notices, consent mechanisms, and records of processing activities don’t need to be rebuilt. They do need to be reviewed and updated where the DUAA has changed the underlying rules.

The DUAA applies based on whose data you process, not where your business is located. If your website collects data from UK visitors — through cookies, contact forms, analytics tools, or any other means — you’re in scope, regardless of whether your business is based in London or Los Angeles.

The Eight Changes That Matter for Your Compliance

The DUAA introduces eight substantive changes to the UK data protection framework. For website owners and small to mid-sized businesses, some will have immediate operational impact. Others require documentation updates rather than technical changes.

1. Recognised Legitimate Interests: A New Lawful Basis

The DUAA adds a seventh lawful basis for processing personal data. Where the recognised legitimate interests condition applies, there is no requirement to carry out a balancing test. This is a significant simplification for qualifying activities.

The catch is it applies only to a defined list of public-interest purposes, including protecting public security, detecting or preventing crime, and safeguarding vulnerable individuals. Commercial activities — marketing, intra-group data sharing, and network security among them — remain under the existing legitimate interests framework, which still requires a full balancing assessment.

For most website owners, this change doesn’t affect day-to-day operations directly. Where it matters is in your records of processing activities (RoPAs) and privacy notices. Both will need to reflect the expanded lawful basis landscape.

2. Automated Decision-Making: More Flexibility, Same Safeguards

The DUAA moves to a permission-but-with-safeguards model for automated decisions not involving special category data, such as health information or ethnic origin.

Significant automated decisions can now be based on any lawful basis, including legitimate interests. They no longer require explicit consent by default.

The safeguards, however, remain: you must notify individuals when an automated decision has been made, give them the right to contest it, and offer a path to human review on request. Notably, recognised legitimate interests cannot be used as the lawful basis for significant automated decisions.

3. Data Subject Access Requests: Clearer Clock Rules

The DUAA codifies what the Information Commissioner’s Office (ICO) has long recommended in guidance. The one-month response clock for data subject access requests (DSARs) starts when you have received the request, any identity verification information required, and any fee (where applicable). 

Controllers are now only required to carry out reasonable and proportionate searches for the requested information, rather than exhaustive ones, so disproportionate compliance burdens are no longer the expectation.

4. Cookie Consent: Five New Exemptions

Cookie compliance is one of the most practically significant areas of the DUAA for website owners. Five categories of cookies are now exempt from the consent requirement:

  • Analytics cookies used solely to collect aggregate statistics for service improvement
  • Security cookies for fraud prevention and device security
  • Functionality cookies that enhance service features
  • Software update cookies
  • Interface customization cookies

The analytics exemption is the one most website owners will notice immediately. If you run analytics solely to understand aggregate traffic patterns and improve your site, you no longer need consent, provided you clearly explain the use, offer a simple, free opt-out, and the data cannot be used to identify individual visitors. 

The ICO has been unambiguous that advertising-related analytics sit outside these exemptions.

The DUAA also expands the scope of PECR liability to include organizations that “instigate” the storage of or access to information on devices, not just those who place cookies directly. 

This is a broader category than many businesses have assumed, and worth reviewing if you use third-party tags, advertising scripts, or embedded content.

Learn more about what compliant cookie management looks like in practice. See our guide on cookie consent.

5. Re-Use of Personal Data: Expanded Compatibility

The compatibility rules for repurposing personal data have been broadened. Scientific research, historical research, statistical purposes, public security, and detecting or preventing crime are now more clearly recognized as compatible purposes. This can reduce the compliance burden for organizations involved in research or data-sharing partnerships.

If your business processes data for any of these purposes, review how you’ve documented compatibility in your records of processing activities.

6. Complaints Handling: A New Formal Requirement

From June 19, 2026, organizations must have a mechanism for individuals to raise complaints about how their personal data is handled. This includes: 

  • Providing an electronic complaints form
  • Acknowledging complaints within 30 days
  • Responding without undue delay

This is a new formal obligation, not merely a best practice recommendation. Review your privacy notice to ensure it includes the complaints pathway, and check whether your current processes can meet the 30-day acknowledgment requirement.

7. Children’s Data: Explicit Obligations for Online Services

If your website or digital service is likely to be accessed by children, the DUAA explicitly requires you to take their needs into account when making decisions about their personal data. Businesses already aligned with the ICO’s Age Appropriate Design Code are well-positioned. Those that haven’t engaged with that framework should prioritize it.

8. International Transfers: New Terminology, Same Due Diligence

The DUAA replaces the concept of “adequacy” for international data transfers with a new “data bridge” framework. The test is now whether data protection standards in the destination country are “not materially lower” than UK standards. 

This shift in terminology is more than cosmetic. It does not represent a wholesale change in substance, but it does require updates to the documentation that references the old framework.

Privacy notices, transfer impact assessments, and data processing agreements that reference the old adequacy framework will need updating. For businesses transferring data between the UK and EU, it’s also worth understanding how the UK framework has diverged from its EU counterpart since Brexit.

Enforcement: The DUAA Gives the ICO Substantially More Power

The enforcement changes in the DUAA are, for many businesses, the most consequential aspect of the legislation. PECR penalties have increased dramatically, and the ICO’s investigatory toolkit has expanded in ways that make audit-readiness and documented compliance much more important than before.

PECR Fines Now Match UK GDPR Levels

Previously, the maximum fine for a PECR breach — covering cookies, direct marketing, and electronic communications — was GBP 500,000. That ceiling has now been lifted to match UK GDPR penalties: the greater of GBP 17.5 million or four percent of global annual turnover.

The previous requirement to prove that a PECR breach caused substantial damage and distress has also been removed. The practical effect is that cookie compliance now carries the same financial exposure as a major data security incident. 

If your organization has been managing cookie consent on the basis that PECR enforcement was relatively low-risk, that calculation needs to be revisited.

The ICO’s active review of the UK’s top 1,000 websites for cookie compliance underlines that enforcement in this area is already active, not theoretical.

The ICO’s Expanded Investigatory Powers

The DUAA confers three significant new investigatory powers on the ICO, each of which extends the regulator’s reach beyond what was previously available.

Interview notices

The ICO can now compel any person who works, or has worked, for or on behalf of an organization to attend an interview and answer questions. This applies when the ICO suspects non-compliance with, or an offence under, data protection law.

Approved person reports

The ICO can require a controller to appoint a specific individual to produce a report, for example, a forensic analysis of a data breach. If the organization fails to nominate someone within the specified timeframe, the ICO can appoint a suitable person itself. The cost falls on the organization.

Document production notices

Rather than requesting categories of information, the ICO can now require specific documents to be provided.

These investigative powers can be used to examine conduct that occurred before the DUAA’s commencement date. The enforcement powers themselves, however, generally apply to conduct from February 5, 2026 onwards.

How the ICO Has Signalled Its Enforcement Approach

The ICO has indicated a measured approach during the transition period, confirming it will apply the law as it stood at the time of any alleged infringement. Where the regulator is considering action on conduct that straddles old and new provisions, it will exercise judgment on which framework to proceed under.

That measured tone does not imply light-touch enforcement overall. Between January and June 2025, the majority of ICO penalty actions addressed UK GDPR violations rather than PECR breaches. But the alignment of PECR penalties with GDPR levels signals that cookie and direct marketing enforcement will receive renewed focus going forward.

Your DUAA Compliance Checklist

The changes introduced by the DUAA are largely in force already. For website owners and businesses without large in-house compliance teams, the most practical approach is to triage by risk: start with cookie consent and documentation, then work through the remaining obligations.

With PECR fines now at GDPR levels, cookie compliance is the highest-risk area for most websites. Check that:

  • Consent banners give equal visual prominence to accept and reject options
  • Non-essential cookies do not fire before a visitor has given consent
  • You have documentation of what cookies you run, how they’re categorized, and when consent was given
  • You’ve assessed whether any DUAA exemptions apply to your analytics or functionality cookies

A consent management platform like Cookiebot by Usercentrics automatically scans your website for cookies and trackers, categorizes them, blocks non-essential cookies before consent is given, and stores a georeferenced, timestamped record of each visitor’s consent — exactly the kind of audit trail the ICO may request.
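The second and third checks in the list above (non-essential cookies must not fire before consent, and a timestamped record of each consent must exist) are the two that a developer can actually verify in code. The following is an added example, not Cookiebot’s code and not from the original post: a minimal consent gate for third-party tags with a timestamped consent record. The category names, tag ids, record layout and the `exempt` flag are all assumptions for illustration; in particular, `exempt` only records the operator’s own documented assessment that a tag falls under one of the DUAA exemptions described above, it does not make that judgment.

```javascript
// Added example (not Cookiebot's or the ICO's code): a minimal consent gate
// for third-party tags plus a timestamped consent record. Category names,
// tag ids, the record layout and the `exempt` flag are assumptions.

const CATEGORIES = ["necessary", "analytics", "functionality", "marketing"];

// Constructed tag registry. `exempt: true` records the operator's own
// documented assessment that a tag falls under a DUAA consent exemption
// (for example aggregate-only analytics); the code does not decide that.
const TAGS = [
  { id: "session-cookie", category: "necessary" },
  { id: "aggregate-stats", category: "analytics", exempt: true },
  { id: "ad-analytics", category: "analytics" },
  { id: "chat-widget", category: "functionality" },
  { id: "ad-pixel", category: "marketing" },
];

// Build the record to store when the visitor makes a banner choice.
// `accepted` lists the consented categories; `optOut` lists exempt tag ids
// the visitor has switched off via the free opt-out the exemption requires.
function recordConsent(accepted, { optOut = [], now = new Date(), region = "unknown" } = {}) {
  const unknown = accepted.filter((c) => !CATEGORIES.includes(c));
  if (unknown.length > 0) {
    throw new Error(`unknown consent categories: ${unknown.join(", ")}`);
  }
  const decisions = {};
  for (const c of CATEGORIES) {
    // Strictly necessary cookies never need consent, so they are always on.
    decisions[c] = c === "necessary" || accepted.includes(c);
  }
  return {
    version: 1,
    timestamp: now.toISOString(), // the audit trail the checklist asks for
    region,
    decisions,
    optOut: [...optOut],
  };
}

// Decide whether a single tag may fire for this visitor.
function mayFire(tag, record) {
  if (tag.category === "necessary") return true;
  if (tag.exempt) {
    // Exempt tags run without consent but must honour the visitor's opt-out.
    const optedOut = record ? (record.optOut || []).includes(tag.id) : false;
    return !optedOut;
  }
  // Default-deny: no record means the banner has not been answered yet,
  // so nothing non-essential fires.
  if (!record) return false;
  return record.decisions[tag.category] === true;
}

// Ids of the tags a tag manager would be allowed to load for this record.
function loadableTags(record, tags = TAGS) {
  return tags.filter((t) => mayFire(t, record)).map((t) => t.id);
}

// Simulate three visitors: banner not yet answered, reject all, analytics only.
function demo() {
  return {
    beforeChoice: loadableTags(null),
    rejectAll: loadableTags(recordConsent([])),
    analyticsOnly: loadableTags(recordConsent(["analytics"])),
  };
}
```

The important design point is the default-deny branch in `mayFire`: a tag manager that consults this gate cannot load a marketing or non-exempt analytics script until a record with an explicit `true` decision exists, which is exactly the “does not fire before consent” check. The record is what you would persist per visitor so that the timestamp and decisions can be produced on request.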

Update Privacy Notices and Records of Processing

Review your privacy notice and RoPAs against the DUAA changes:

  • Add recognised legitimate interests where applicable, with appropriate documentation
  • Update the lawful basis descriptions for any automated decision-making
  • Revise transfer descriptions to use the new data bridge terminology
  • Add the complaints handling pathway before June 19, 2026

Review Automated Decision-Making Processes

If your website uses automated tools that make significant decisions, such as credit scoring, content filtering, or personalization engines, verify they meet the updated requirements. Ensure notice, contestation, and human review mechanisms are in place.

Update DSAR Handling Workflows

Confirm that your process reflects the DUAA’s clarified clock-stopping rules. Document the point at which you have received the request plus any required verification, and train the people responsible for handling DSARs on how to record that timeline correctly.

Build Your Complaints Process Before June 2026

Implement an electronic complaints form and establish a workflow that guarantees 30-day acknowledgment. Update your privacy notice to reference it.

Brief Whoever Handles Data Protection Internally

The ICO’s new interview and report powers mean that if the regulator investigates your organization, the scope of what can be compelled is considerably wider than before. Ensure whoever is responsible for data protection in your business understands the implications and knows when to involve legal counsel.

The Broader Context

The DUAA is the UK’s first substantial departure from the EU-derived data protection framework it inherited at Brexit. Its intent is to reduce administrative overhead while preserving the fundamental protections that underpin the UK’s data adequacy status with the EU. This status matters to businesses that transfer data between the two jurisdictions.

How that balance plays out in practice will become clearer as ICO guidance continues to develop and enforcement cases begin to accumulate. The regulatory position is not fully settled, and organizations should monitor guidance updates, particularly on areas such as the analytics cookie exemption and the new complaints requirements.

What is settled is the enforcement landscape: higher penalties, a stronger regulator, and an active ICO interest in cookie compliance across UK websites. For businesses that manage consent and process personal data, the case for investing in compliant infrastructure rather than deferring it has never been stronger.


Frequently asked questions

The Data (Use and Access) Act 2025 (DUAA) is a UK regulation that updates the country’s data protection and ePrivacy rules. Rather than replacing the UK GDPR, the Data Protection Act 2018, or PECR, it amends them in specific areas including lawful bases for processing, cookie consent exemptions, automated decision-making, and ICO enforcement powers.

The DUAA received Royal Assent on June 19, 2025. The majority of its provisions came into force on February 5, 2026, with further obligations, including the complaints handling requirements, taking effect on June 19, 2026.

Yes. Territorial scope under the DUAA follows the same logic as the UK GDPR: if you collect or process personal data from UK residents, including through website cookies and analytics tools, the regulation applies to you regardless of where your business is based.

Before the DUAA, the maximum penalty for a PECR breach (covering cookies, direct marketing, and electronic communications) was GBP 500,000. That ceiling has been removed and replaced with UK GDPR-level sanctions: the greater of GBP 17.5 million or four percent of global annual turnover. The previous requirement to prove substantial damage and distress has also been removed, making enforcement easier to pursue.

UK GDPR compliance is a strong foundation, but it does not automatically cover all DUAA obligations. The areas most likely to need attention regardless of your existing compliance status are:

  • Cookie consent and PECR practices (given the penalty increase)
  • Privacy notices and RoPAs (to reflect new lawful bases and transfer terminology)
  • Complaints handling processes (required by June 2026)
  • Automated decision-making documentation

The highest-priority actions for most website owners are:

  • Auditing cookie consent banners and blocking practices in light of the new PECR penalty levels
  • Reviewing and updating privacy notices to reflect the DUAA’s changes
  • Assessing whether any of the new cookie exemptions apply to your analytics setup
  • Ensuring you have audit-ready consent records that could satisfy an ICO inquiry

A consent management platform handles much of the technical side of this, including the cookie scanning, blocking, and record-keeping.