New UK Data Law: What the DUAA Means for Your Business

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. If you haven't heard of it, you're not alone — it didn't get the fanfare that GDPR did. But it's the biggest change to UK data protection law since Brexit, and some of its provisions are already in force.

The DUAA amends three pieces of legislation you're almost certainly subject to: the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). If your business has a website, sends marketing emails, or handles personal data — which is effectively every business — this affects you.

Here's what's actually changed, what's coming next, and what you need to do about it.


What the DUAA is (briefly)

Full name: Data (Use and Access) Act 2025 (legislation.gov.uk). It's a substantial piece of legislation that covers everything from smart data schemes to digital identity. But for the average business, three changes matter more than the rest.

The implementation is phased. Some provisions came into force on 5 February 2026. Others — including the complaints process requirement — are expected around June 2026, confirmed via a commencement order from the government (GOV.UK commencement plan).


Change 1: Cookie rules have been relaxed (with caveats)

This is the change you'll notice most immediately.

Under the old rules, you needed user consent for virtually all cookies except those strictly necessary for the website to function. That's why every website in the UK has a cookie banner. That's why your visitors click "accept" without reading anything. The system was technically compliant and practically useless — informed consent in theory, banner fatigue in reality.

The DUAA introduces new categories of cookies that can now be set without explicit consent:

  • Analytics cookies — for measuring how people use your site and improving your service
  • Security cookies — for fraud detection, system protection, abuse prevention
  • Functionality cookies — for remembering user preferences and interface customisations
  • Software update cookies — for checking and delivering updates

This is good news on the surface. But there are important caveats before you rip out your cookie banner.

It's not a blanket exemption. Each exception has a defined purpose. If you use analytics cookies to build advertising profiles rather than genuinely improve your service, the exception doesn't apply. The purpose must match the category.

Users must still be able to opt out. The consent requirement may be gone for these categories, but the right to refuse is not. Your cookie mechanism still needs to let users decline.

The ICO hasn't published final guidance yet. The consultation closed in September 2025. Final guidance is expected in spring 2026 (ICO — DUAA summary). Until then, the safest approach is to keep your current consent mechanism in place and plan to update it once the guidance lands.

If you're also subject to EU GDPR — because you have EU customers or operate in the EU — the old rules still apply for those users. The DUAA only changes the UK position.

What to do now: Review your cookie implementation. Identify which of your cookies fall into the new exempted categories. Don't remove your cookie banner yet — but prepare to simplify it once ICO guidance is published.
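One way to put the two caveats above (the purpose must match the category, and users must still be able to refuse) into a site's consent script, as an added example that is not code from the article or from Evolfe: a small JavaScript gate that checks each cookie against a registry before it is set. The category names, purpose labels, cookie registry and the format of the preference cookie are assumptions made for this illustration; the ICO's final guidance may define the categories differently, so treat the tables as placeholders to be updated when it lands.

```javascript
// Added example, not code from the article or from Evolfe: a purpose-based
// cookie gate modelled on the DUAA categories the article describes.
// Category names, purpose labels, the preference-cookie format and the
// cookie registry below are all assumptions made for this illustration.

const PREFS_COOKIE = "uk_cookie_prefs"; // assumed name of the preference cookie

// Purposes each exempt category is allowed to cover (assumed labels).
const EXEMPT_PURPOSES = {
  analytics: new Set(["measure_usage", "improve_service"]),
  security: new Set(["fraud_detection", "system_protection", "abuse_prevention"]),
  functionality: new Set(["remember_preferences", "interface_customisation"]),
  software_update: new Set(["check_updates", "deliver_updates"]),
};

// Constructed registry of this site's cookies. Every cookie declares the
// category it claims and the purpose it actually serves.
const COOKIE_REGISTRY = {
  _site_stats:   { category: "analytics",     purpose: "measure_usage" },
  _abuse_token:  { category: "security",      purpose: "fraud_detection" },
  _theme:        { category: "functionality", purpose: "remember_preferences" },
  _ad_profile:   { category: "analytics",     purpose: "advertising_profile" }, // mislabelled
  _marketing_id: { category: "advertising",   purpose: "advertising_profile" },
};

// Parse "analytics:0,advertising:1" into { analytics: false, advertising: true }.
// A category that is absent means the user has recorded no choice for it.
function parsePrefs(cookieHeader) {
  const prefs = {};
  const match = cookieHeader.split(/;\s*/).find((c) => c.startsWith(PREFS_COOKIE + "="));
  if (!match) return prefs;
  for (const pair of match.slice(PREFS_COOKIE.length + 1).split(",")) {
    const [category, flag] = pair.split(":");
    if (category && (flag === "0" || flag === "1")) prefs[category] = flag === "1";
  }
  return prefs;
}

// Decide whether a named cookie may be set. Returns { allowed, reason }.
function decideCookie(name, prefs) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { allowed: false, reason: "unregistered_cookie" };
  const { category, purpose } = entry;
  const exemptPurposes = EXEMPT_PURPOSES[category];
  if (exemptPurposes) {
    // The exception only applies when the declared purpose fits the category.
    if (!exemptPurposes.has(purpose)) {
      return { allowed: false, reason: "purpose_does_not_match_category" };
    }
    // No prior consent needed, but a recorded refusal must still be honoured.
    if (prefs[category] === false) return { allowed: false, reason: "user_opted_out" };
    return { allowed: true, reason: "exempt_category" };
  }
  // Everything outside the exempt categories still needs an explicit opt-in.
  if (prefs[category] === true) return { allowed: true, reason: "explicit_consent" };
  return { allowed: false, reason: "consent_required" };
}

// Set a cookie only if the gate allows it. `write` is injected so the logic
// can run outside a browser; in a page pass (s) => { document.cookie = s; }.
function setCookieIfAllowed(name, value, prefs, write) {
  const decision = decideCookie(name, prefs);
  if (decision.allowed) {
    write(`${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`);
  }
  return decision;
}

// Review helper: run the whole registry against one user's preferences.
function auditRegistry(prefs) {
  return Object.fromEntries(
    Object.keys(COOKIE_REGISTRY).map((n) => [n, decideCookie(n, prefs)])
  );
}

// Browser usage: read the visitor's recorded choices, then set a cookie through the gate.
if (typeof document !== "undefined") {
  const prefs = parsePrefs(document.cookie);
  setCookieIfAllowed("_theme", "dark", prefs, (s) => { document.cookie = s; });
  console.table(auditRegistry(prefs));
}
```

The design choice worth noting is that a cookie whose declared purpose does not fit its category is blocked rather than quietly allowed: the mislabelled `_ad_profile` entry above is exactly the "analytics cookie used to build advertising profiles" case the article warns about, and `auditRegistry` surfaces it during the review the article recommends.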


Change 2: You'll need a formal complaints process (by ~June 2026)

This one is straightforward but catches a lot of businesses off guard. Under the DUAA, every organisation that processes personal data must have a formal mechanism for individuals to submit data protection complaints.

The requirements, as outlined by the ICO (ICO guidance), are:

  • An electronic form or clear mechanism for people to submit complaints about how you handle their data
  • Acknowledgement within 30 days of receiving the complaint
  • A response "without undue delay" — the legislation doesn't specify an exact timeframe, but the expectation is reasonable promptness
  • Progress updates to the complainant if resolution takes time

If you're thinking "we already have a complaints process" — check whether it specifically covers data protection. A general customer service email doesn't meet the requirement. The mechanism needs to be identifiable as a data protection complaints process and accessible to anyone whose data you process, not just customers.

This provision is expected to come into force approximately 12 months after Royal Assent — so around June 2026. The exact date will be confirmed via commencement order.

What to do now: Set up a dedicated process before June 2026. This doesn't need to be complicated. A specific form or email address (e.g., dataprivacy@yourcompany.co.uk), an auto-acknowledgement, a template response workflow, and a log to track complaints. Add a visible link in your website footer or privacy policy. This is a few hours of setup, not a major project.
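The acknowledgement window and the progress-update expectation can be checked mechanically once complaints are logged. Below is an added example, not code from the article or from Evolfe, of a small JavaScript complaints register with a report that flags overdue acknowledgements and open complaints that have gone quiet. The 30-day acknowledgement window is the figure the article gives; the 14-day update interval, the record fields and the sample records are assumptions constructed for this illustration.

```javascript
// Added example, not from the article or Evolfe: a minimal data-protection
// complaints register. The 30-day acknowledgement window is the figure the
// article gives; the 14-day progress-update interval and the record layout
// are assumptions made for this illustration.

const DAY_MS = 24 * 60 * 60 * 1000;
const ACK_DEADLINE_DAYS = 30;    // article: acknowledge within 30 days of receipt
const UPDATE_INTERVAL_DAYS = 14; // assumed: contact an open complainant at least this often

// Whole days between two ISO dates (YYYY-MM-DD is parsed as UTC, so no DST drift).
function daysBetween(from, to) {
  return (Date.parse(to) - Date.parse(from)) / DAY_MS;
}

// Date by which a complaint must be acknowledged; handy for the auto-acknowledgement text.
function ackDeadline(complaint) {
  return new Date(Date.parse(complaint.receivedAt) + ACK_DEADLINE_DAYS * DAY_MS)
    .toISOString().slice(0, 10);
}

// Flags for one record as of `now`. Records carry receivedAt, acknowledgedAt,
// respondedAt (null until done) and updates (dates of progress updates sent).
function assessComplaint(c, now) {
  const flags = [];
  if (!c.acknowledgedAt) {
    flags.push(daysBetween(c.receivedAt, now) > ACK_DEADLINE_DAYS ? "ACK_OVERDUE" : "ACK_PENDING");
  } else if (daysBetween(c.receivedAt, c.acknowledgedAt) > ACK_DEADLINE_DAYS) {
    flags.push("ACK_LATE"); // acknowledged, but outside the window: kept for the record
  }
  if (c.respondedAt) {
    flags.push("CLOSED");
  } else {
    // Only chase updates on acknowledged complaints; unacknowledged ones are flagged above.
    if (c.acknowledgedAt) {
      const lastContact = c.updates.length ? c.updates[c.updates.length - 1] : c.acknowledgedAt;
      if (daysBetween(lastContact, now) > UPDATE_INTERVAL_DAYS) flags.push("UPDATE_DUE");
    }
    flags.push("OPEN");
  }
  return { id: c.id, flags };
}

// Summarise a register: who needs acknowledging, who needs an update, and counts.
function buildReport(register, now) {
  const report = { ackOverdue: [], updateDue: [], open: 0, closed: 0 };
  for (const c of register) {
    const { id, flags } = assessComplaint(c, now);
    if (flags.includes("ACK_OVERDUE")) report.ackOverdue.push(id);
    if (flags.includes("UPDATE_DUE")) report.updateDue.push(id);
    if (flags.includes("CLOSED")) report.closed += 1; else report.open += 1;
  }
  return report;
}

// Constructed sample register (not real complaints).
const SAMPLE_REGISTER = [
  { id: "DP-0001", receivedAt: "2026-06-01", acknowledgedAt: "2026-06-03", respondedAt: "2026-06-20", updates: [] },
  { id: "DP-0002", receivedAt: "2026-06-05", acknowledgedAt: null, respondedAt: null, updates: [] },
  { id: "DP-0003", receivedAt: "2026-06-20", acknowledgedAt: "2026-06-25", respondedAt: null, updates: ["2026-06-28"] },
  { id: "DP-0004", receivedAt: "2026-07-10", acknowledgedAt: null, respondedAt: null, updates: [] },
];

console.log(JSON.stringify(buildReport(SAMPLE_REGISTER, "2026-07-15")));
```

Run weekly against the real log, the report gives the person designated to handle complaints a short list to act on, and the flags themselves form the evidence trail the article recommends keeping.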


Change 3: PECR penalties now match UK GDPR

This is the change that should get the attention of anyone who sends marketing emails, uses cookies, or makes electronic communications — which, again, is nearly every business.

Previously, the maximum fine under PECR was £500,000. That was already significant, but it was a fraction of what the ICO could impose under UK GDPR. This created a strange imbalance: a data breach could attract a fine of millions, but cookie violations or dodgy email marketing topped out at half a million.

The DUAA aligns them. The maximum PECR penalty is now £17.5 million or 4% of global annual turnover, whichever is higher (Mayer Brown analysis).

For a small business, the maximum fine is theoretical — the ICO isn't going to fine a ten-person agency £17.5 million. But the principle matters. PECR compliance is no longer the lower-stakes sibling of GDPR compliance. The ICO now has the same enforcement power across both regimes.

In practical terms, this means:

  • Email marketing lists need to be properly consented. Bought lists, scraped addresses, and "we assumed you'd want to hear from us" are all liabilities now worth significantly more attention.
  • Cookie compliance carries real financial risk. Not just reputational — actual monetary penalties.
  • Electronic communications broadly — SMS marketing, automated calls, fax (yes, still) — all fall under the enhanced penalty regime.

What to do now: Audit your marketing practices. Where did your email list come from? Do you have documented consent? Is your unsubscribe mechanism working? If you've been treating PECR compliance as optional, this is the point where it becomes mandatory in practice as well as law.


Who needs to care most

The honest answer is: almost everyone. But some businesses are more exposed than others.

Any business with a website — cookies, analytics, consent mechanisms. The rules have changed. Even if the change is in your favour (fewer consent requirements for certain cookies), you still need to update your implementation.

Any business that sends marketing emails — the penalty ceiling has increased by a factor of 35. That changes the risk calculation.

Any business that handles personal data — the complaints process requirement applies to you. If you process names, email addresses, employee records, or customer data, you need a mechanism for people to raise concerns.

Any business subject to both UK and EU regulation — the DUAA creates divergence between UK and EU data protection rules, particularly around cookies. If you serve both markets, you may need different approaches for UK and EU users.


A practical timeline

Now:

  • Review your cookie consent mechanism — identify cookies that may fall under the new exemptions
  • Audit your email marketing compliance — consent records, unsubscribe process, list hygiene
  • Review your privacy policy — does it reflect the current legal landscape?

Before spring 2026:

  • Watch for the ICO's final guidance on cookie consent exceptions
  • Don't make major changes to your cookie banner until that guidance lands

Before June 2026:

  • Set up a formal data protection complaints process
  • Make it visible and accessible on your website
  • Create templates for acknowledgement and response
  • Designate someone responsible for handling complaints

Ongoing:

  • Update your privacy policy as new provisions come into force
  • If you use automated decision-making, review the DUAA's expanded provisions on legitimate interests
  • Keep records of everything — consent, complaints, responses, changes


The bigger picture

The DUAA is part of a broader shift in UK data regulation. The government is trying to balance two things: making data easier for businesses to use (hence the cookie relaxations and streamlined consent) while making enforcement more serious (hence the penalty alignment).

For small businesses, the net effect is mixed. You'll probably have a simpler cookie setup eventually. But you'll also need a complaints process you didn't need before, and the consequences of getting PECR wrong have increased dramatically.

The businesses that will be fine are the ones that take an afternoon to review their setup, make the necessary changes, and move on. The businesses that will have problems are the ones that assume this doesn't apply to them — right up until they get a complaint they can't handle or an ICO inquiry they're not prepared for.

An afternoon now. Or a much worse afternoon later. Your choice.


Evolfe provides IT support and security services for London businesses. If anything in this article applies to you and you need a hand, get in touch.