While the UK officially left the EU at the end of 2020, its efforts to modernise the UK data protection framework have only recently come to fruition. On 19 June 2025, the Data Use and Access Act 2025 (DUAA 2025) received royal assent and became law.
Several technical provisions came into force between June and September 2025. Still, many of the reforms that will have material implications for businesses (cookies, recognised legitimate interests, and some automated decision-making changes) will be phased in by commencement regulations over the coming months.
Overall, the DUAA makes notable amendments to the three key pillars of the UK data protection framework: the UK GDPR, the Data Protection Act 2018, and the PECR. For instance, the DUAA introduces new cookie consent rules, relaxes the restrictions on automated decision-making, and establishes a digital verification system.
If your organisation operates in the UK or provides products or services to individuals or organisations based in the UK, it is essential to understand the changes introduced by the DUAA.
In this article, we cover the key changes to UK data protection law under the DUAA 2025, when the new provisions will come into force, and how the DUAA 2025 will affect cookies, consent, and online tracking. Read on to find out how the DUAA 2025 may impact your business operations in the UK.
What are the key changes to the UK data protection law under the DUAA 2025?
While its name might suggest that the DUAA is an entirely new law that replaces the UK GDPR, it does not. Instead, it amends specific provisions of the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Let’s take a closer look at the key changes introduced by the DUAA 2025.
Updated cookie consent rules
The Data (Use and Access) Act 2025 will allow information society service providers, such as websites and mobile apps, to set certain low-risk cookies, such as statistical cookies, without obtaining prior user consent. For example, websites will be able to use cookies that collect information about how visitors interact with the site for the purpose of improving functionality or services. Cookies used to tailor a website’s appearance or features to users’ preferences may also be turned on by default without prior consent.
However, the placement of these cookies on user devices will still be subject to other compliance obligations. Organisations must still provide clear information about the purpose and use of cookies and allow users to opt out at any time.
While these changes ease the rules for certain low-risk cookies and similar technologies, advertising cookies and most tracking tools used for profiling, as well as social media cookies, will continue to require consent under the PECR and the UK GDPR.
Increased PECR fines
The Information Commissioner’s Office (ICO) will now have the power to issue fines of up to £17.5 million or 4% of global annual turnover, bringing PECR penalties in line with the UK GDPR. This marks a substantial increase from the previous maximum penalty of £500,000.
Revised automated decision-making rules
Previously, under Article 22 of the UK GDPR, individuals had the right not to be subject to solely automated decisions, including profiling, where those decisions had legal or similarly significant effects, subject to certain exceptions.
The DUAA removes this general prohibition. Automated decision-making and profiling that produce significant effects will now be permitted in most circumstances. A key exception applies when the decision relies on special-category data such as health, ethnicity, or biometric data.
Even though these decisions are no longer subject to broad restrictions, organisations must still follow certain safeguards. For example, individuals must be able to request that a human review the decision, challenge it, and receive clear information explaining how such decisions are made.
New recognised legitimate interests
The DUAA expands the scope of legitimate interests as a lawful basis by introducing the recognised legitimate interests.
Where the purpose of a processing activity falls within one of these recognised categories, organisations will be able to rely on legitimate interests without conducting a full legitimate interest assessment, provided the processing is necessary for that purpose. Examples of recognised legitimate interests include crime prevention and detection, and responding to emergencies, as set out in Schedule 4 of the DUAA.
The Secretary of State will commence this provision and will have the power to add or remove recognised legitimate interests. Businesses should therefore monitor changes in this area.
Tightened complaints procedure
Under the DUAA 2025, data subjects will have the right to submit a complaint to a data controller on the basis that the data controller infringed the UK GDPR or Part 3 of the DUAA.
Controllers will be required to facilitate complaints by taking appropriate steps to investigate the matter, such as providing an electronic complaints form, acknowledging the complaint within 30 days, and updating data subjects on the outcome of the investigation of alleged infringement.
Reshaped international transfers rules
The DUAA 2025 introduces two significant changes to the UK’s international data transfer framework.
- It authorises the Secretary of State to approve data transfers to third countries or international organisations through regulations. Previously, such transfers relied on formal adequacy decisions.
- The Act replaces the former “essentially equivalent” data protection standard with a new test. Under the new test, the Secretary of State must determine whether the level of protection for data subjects in the destination country or organisation is not materially lower than that provided under UK data protection law.
Although the wording has been revised, whether the shift in terminology will have any material impact will depend on how the Secretary of State implements this through regulations.
More flexible Data Subject Access Requests (DSARs)
The DUAA introduces a “stop the clock” mechanism, which will allow organisations to pause the Data Subject Access Request (DSAR) response period while they wait for additional information they need from the data subject.
Additionally, section 78 of the DUAA clarifies that the data subject’s right of access is limited to the information that a data controller can provide on the basis of a reasonable and proportionate search for the requested data. While this reflects existing ICO guidance, the DUAA gives the already-established principle statutory force.
Expanded ICO powers
The DUAA grants the ICO additional enforcement powers, including the power to compel witnesses to attend interviews and to require organisations to produce technical reports.
Digital verification services introduced
The DUAA establishes a new regulatory framework for digital identity verification services and imposes new requirements on their providers.
Establishment of the Information Commission
Section 117 of the DUAA 2025 establishes the Information Commission and provides that it will replace the Information Commissioner’s Office.
When will the changes come into force?
While the Data Use and Access Act became law on 19 June 2025, only some of its technical provisions have come into force. Most will take effect through commencement regulations issued by the Secretary of State.
The Government plans to implement the provisions of the Act in four main stages. As of November 2025, the Secretary of State has made commencement regulations for stages 1 and 2. For instance, the provision on the retention of information by internet service providers in connection with the death of a child came into effect in September 2025.
However, the amendments most relevant to businesses, such as recognised legitimate interests, the relaxation of cookie consent rules, and the automated decision-making changes, have not yet entered into force. Businesses should closely monitor the rollout of the DUAA 2025 commencement regulations.
How will the DUAA 2025 impact the cookies, consent, and online tracking?
If you have a website, mobile app, or another online platform aimed at UK users, you need to familiarise yourself with the new cookie consent and transparency requirements.
Firstly, the DUAA 2025 removes the prior consent requirement for certain low-risk cookies and similar technologies. For instance, if you use cookies and similar tools to collect and process information about how individuals use your platform and services for service improvement purposes or to tailor your website's appearance and functionality to your users’ preferences, you will not need prior consent from users.
However, this is not an unrestricted exemption. You will still be required to provide users with information about the purposes of these cookies and to give them the choice to opt out of their use at any time, and higher-risk cookies such as advertising and social media cookies will continue to require prior consent under PECR and the UK GDPR.
In other words, while the regime is more flexible for specific technical or low-risk cookies, you will still need a robust mechanism that ensures transparency and allows users to object or disable these cookies at any time.
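A small consent gate modelling the cookie rules this section describes, added here as an illustration; it is not Didomi's code or the text of the Act. The category names, the shape of the consent record and the `duaaExemptionInForce` flag (false until the cookie provisions are commenced) are assumptions.

```javascript
// Added example, not Didomi's code or the Act's text: which cookie categories
// need prior consent, which become opt-out only once the DUAA cookie provisions
// are commenced, and which are always permitted. Names are assumptions.
const CATEGORY_POLICY = {
  "strictly-necessary": { consentMode: "exempt" },            // no choice needed
  "analytics":          { consentMode: "exempt-after-duaa" }, // statistical cookies
  "personalisation":    { consentMode: "exempt-after-duaa" }, // appearance/features
  "advertising":        { consentMode: "prior-consent" },
  "social-media":       { consentMode: "prior-consent" },
};

// Returns true when a cookie of `category` may be set.
// consentRecord: { [category]: "granted" | "denied" }; a missing key means the
// user has made no choice yet. duaaExemptionInForce is an assumed deployment
// flag: keep it false until the commencement regulations apply.
function mayUseCookie(category, consentRecord, duaaExemptionInForce = false) {
  const policy = CATEGORY_POLICY[category];
  if (!policy) return false;                         // unknown category: fail closed
  if (policy.consentMode === "exempt") return true;  // essential cookies
  const choice = consentRecord[category];
  if (choice === "denied") return false;             // an opt-out always wins
  const priorConsentNeeded =
    policy.consentMode === "prior-consent" ||
    (policy.consentMode === "exempt-after-duaa" && !duaaExemptionInForce);
  // Prior-consent categories need an explicit "granted"; exempt-after-duaa
  // categories may run by default once commenced, subject to the opt-out above.
  return priorConsentNeeded ? choice === "granted" : true;
}

// Categories whose tags may fire for a given consent record, e.g. to decide
// which tag groups to load before the user interacts with a banner.
function permittedCategories(consentRecord, duaaExemptionInForce = false) {
  return Object.keys(CATEGORY_POLICY).filter((c) =>
    mayUseCookie(c, consentRecord, duaaExemptionInForce));
}

// Constructed sample: a first visit with no choices recorded yet.
const firstVisit = {};
console.log(permittedCategories(firstVisit));       // strictly-necessary only
console.log(permittedCategories(firstVisit, true)); // adds analytics, personalisation
```

Until the flag is switched on, analytics and personalisation cookies are treated exactly like advertising cookies, which matches the current position that the relaxation has not yet commenced.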
How Didomi can help with DUAA compliance
While the DUAA makes it easier for businesses to deploy certain low-risk cookies (for example, statistical/analytics and some personalisation cookies) without prior user consent, it still requires organisations to provide clear transparency about the purpose and use of those cookies and to offer users an easy mechanism to opt out.
Moreover, advertising cookies, most third-party trackers, and social-media plugins will continue to require prior consent under PECR and the UK GDPR.
Given that the maximum PECR penalty has been raised to £17.5 million or 4% of global turnover, organisations must ensure they correctly classify cookies and maintain a compliant cookie/consent mechanism that aligns with PECR and UK GDPR requirements.
Our Consent Management Platform (CMP) allows global organisations to collect consent and maintain records of it, as part of a comprehensive set of privacy-preserving solutions that include privacy request management, first-party data management, compliance monitoring, and server-side tagging.
Additionally, our Managing Director UK & Ireland, Nial Ferguson, highlights the importance of partnering with trusted experts to navigate constant changes in data protection regulations, not only in the UK but around the world:
The DUAA is a reminder that data protection law in the UK is evolving. While some low-risk cookies may no longer need prior consent, PECR and UK GDPR still impose strict rules on advertising and tracking technologies, and the stakes have only risen with PECR fines now aligned to GDPR levels.
That’s why it’s so important for organisations to work with trusted partners like Didomi to interpret these changes correctly, and why nobody should assume this means the end of cookie banners.
Nial Ferguson, Managing Director UK & Ireland at Didomi
Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you comply with the UK data protection laws:
Frequently Asked Questions (FAQ)
Does the Data Use and Access Act 2025 replace the UK GDPR?
While its name may suggest that the DUAA is a brand-new law that will replace the UK GDPR, that is not the case.
The DUAA 2025 will amend certain provisions of the UK GDPR, UK Data Protection Act 2018, and the PECR.
Does the Data Use and Access Act 2025 (DUAA) increase the maximum amount of fines under the PECR?
The new Act will grant the UK privacy regulator, the ICO, the power to issue fines of up to £17.5 million or 4% of global turnover under the PECR, the primary law governing cookies and similar technologies. Under the previous regime, the upper limit was £500,000.
Does the DUAA 2025 relax requirements on certain cookies?
Yes. The Data Use and Access Act will allow information society service providers, such as websites and mobile apps, to set certain statistical cookies and similar technologies without prior user consent. For example, websites will be permitted to use cookies that collect information about how visitors interact with the site, with a view to improving the site or its services, without obtaining consent first.
Does the DUAA 2025 only amend UK data protection legislation?
The Data (Use and Access) Act 2025 (DUAA 2025) extends beyond data protection by addressing a range of matters, including the national underground asset register, law enforcement processing, smart data schemes, and digital verification services.