What the Act actually is
The Data (Use and Access) Act received Royal Assent in June 2025 and is the UK's first significant divergence from the GDPR framework it inherited from the EU. Crucially, it is an amending Act: it edits UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) rather than replacing them. The principles, lawful bases, breach reporting duties and individual rights you already know remain in place.
Two practical points before the detail. First, the Act is being commenced in phases through 2025 and 2026, so some provisions are live while others still await commencement regulations and regulator guidance; check the current status before changing anything. Second, the reforms were deliberately designed to preserve the UK's EU adequacy status, which keeps personal data flowing from Europe without extra paperwork, and the European Commission has moved to renew adequacy following the Act. Nothing here is a licence to relax.
Cookies: consent exemptions arrive, and fines get serious
The most visible change for website owners is to cookie rules. The Act creates exemptions from the consent requirement for specified low-risk purposes, including first-party analytics used for statistical purposes and cookies that remember user preferences or improve appearance and functionality, provided users are clearly informed and given a simple way to object. Strictly necessary cookies were already exempt. Third-party advertising and cross-site tracking still require consent, so most consent banners are shrinking rather than disappearing.
The trade-off is enforcement. PECR fines were previously capped at £500,000; the Act aligns them with UK GDPR levels, up to £17.5 million or 4 per cent of global turnover. Sloppy marketing consent and nuisance messaging just became dramatically riskier.
Practical advice: do not rip out your cookie banner yet. Wait for the relevant provisions to be commenced and for the regulator's updated guidance, then reassess which categories on your site still need consent.
Need a hand with this?
Our team delivers Analytics & Data for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Subject access requests become more workable
Small firms often dread subject access requests because a single request can consume days. The Act codifies two helpful positions. Searches now only need to be reasonable and proportionate, putting sensible limits on how far you must dig. And the response clock can pause, a stop-the-clock mechanism, while you wait for the requester to clarify their request or confirm their identity. The standard one-month deadline itself is unchanged.
- Update your SAR procedure to record what you searched and why that scope was proportionate.
- Use the clarification pause properly: ask focused questions early, not on day 27.
- Train whoever monitors your main inbox to recognise a SAR, since requests need no special format.
Automated decisions: more room, with strings attached
The old Article 22 of UK GDPR operated as a near-ban on significant decisions made solely by automated means. The Act relaxes this. For most personal data, significant automated decisions are now generally permitted, provided safeguards are in place: people must be told a decision was automated, be able to make representations, and be able to obtain human review. The stricter regime remains for special category data such as health information.
For a small firm adopting AI, this matters. Automated credit checks, CV screening or eligibility scoring become easier to operate lawfully, but the safeguards must genuinely function. A human reviewer who rubber-stamps every machine decision will not satisfy the requirement.
Smaller changes worth knowing about
- Recognised legitimate interests. A new lawful basis covers a short list of purposes, including crime prevention, safeguarding and emergencies, without the usual balancing test.
- International transfers. Transfers are assessed under a new data protection test: the destination's standard must not be materially lower than the UK's. Expect updated guidance rather than immediate upheaval.
- Complaints come to you first. Controllers must offer people a clear route to complain directly and must respond; the regulator expects to be the second stop, not the first.
- A restructured regulator. The Information Commissioner's Office is being reconstituted as the Information Commission, with modernised duties and governance.
- Charity soft opt-in. Charities gain a version of the email marketing soft opt-in previously available only to businesses, letting them email existing supporters about similar activities with a clear opt-out.
Key Takeaway
The DUAA is an amendment to UK GDPR, not a replacement, and it is commencing in phases. The biggest practical shifts: consent exemptions for low-risk cookies such as first-party analytics, PECR fines rising to UK GDPR levels, reasonable and proportionate subject access searches with a stop-the-clock pause, and relaxed rules on automated decision-making with mandatory safeguards. Hold off on cookie banner changes until commencement and regulator guidance, but update your SAR and complaints procedures now.
Your action list if you were already compliant
For a firm that already meets UK GDPR, this is an afternoon of housekeeping rather than a compliance project.
- 1. List where the changes touch you: cookies and analytics, SAR handling, any automated decisions, marketing consent, international transfers.
- 2. Leave your cookie banner as it is until the exemptions are commenced and guidance lands, then simplify it deliberately.
- 3. Rewrite your SAR procedure to include proportionate-search records and the stop-the-clock steps.
- 4. If you use automated scoring or AI screening anywhere, document the safeguards now: notification, representations, human review.
- 5. Add a short data protection complaints procedure to your website and privacy notice.
- 6. Re-audit marketing lists and consent records; PECR breaches now carry UK GDPR-scale fines.
- 7. Diarise a policy review for when the remaining commencement regulations arrive.
If your analytics, consent tooling or marketing stack needs untangling to match the new rules, our team can help.
