UK Data (Use and Access) Act 2025: What It Means for Privacy Compliance

UniConsent

The UK Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. The legislation amends the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), reducing administrative burdens on businesses while maintaining core privacy protections for individuals.

Recognised Legitimate Interests: A New Lawful Basis

One of the most significant changes introduced by the DUAA is a new category of lawful basis for processing personal data: "recognised legitimate interests" (Article 6(1)(ea)).

Under the UK GDPR, the existing legitimate interests basis requires organisations to complete a Legitimate Interests Assessment (LIA) to weigh their interests against the rights of individuals. The DUAA removes this requirement for specific activities that are deemed automatically lawful, including:

  • Prevention, detection, and investigation of crime
  • Safeguarding vulnerable individuals
  • Responding to safeguarding emergencies
  • National security and public defence
  • Assisting bodies delivering public interest tasks sanctioned by law

For activities such as direct marketing, intra-group data sharing, and network security, a Legitimate Interests Assessment is still required. However, businesses in sectors such as finance, social media, and retail gain broader flexibility when processing for fraud prevention and IT security.

Cookie Consent: Expanded PECR Exemptions

The DUAA amends PECR to expand the list of cookie uses exempt from the consent requirement. These changes came into force on 5 February 2026. The following categories no longer require prior consent:

  • Analytics cookies used solely to collect aggregate statistics to improve a service
  • Functionality cookies used solely to enhance service features or tailor user experience
  • Security cookies used for fraud prevention or device security
  • Software update cookies used solely to deliver updates

This aligns with a direction that the UK had signalled since 2022, when the government first proposed removing cookie consent pop-ups for low-risk activities such as audience measurement. Organisations that have been relying on consent banners for these cookie categories will need to review whether those banners remain necessary, though best practice still recommends transparent disclosure of all cookie use.

The maximum penalty for cookie-related non-compliance has increased substantially to the greater of £17.5 million or 4% of an organisation's total annual worldwide turnover, up from the previous £500,000 cap under PECR.

Data Subject Access Requests: A More Proportionate Standard

Previously, organisations faced significant operational challenges responding to Data Subject Access Requests (DSARs), particularly where data was held across many systems. The DUAA codifies a "reasonable and proportionate" search standard, meaning controllers are not required to conduct exhaustive searches of every system for every request.

This brings the statutory standard in line with guidance that the Information Commissioner's Office (ICO) had already published, but it now carries legal force. Organisations should document their DSAR search methodology to demonstrate compliance with this standard. The Act also requires transparency where legal privilege or confidentiality obligations prevent disclosure.

Automated Decision-Making: Reduced Restrictions

Under the pre-existing UK GDPR, individuals had protections against solely automated decisions that produced legal or similarly significant effects. The DUAA narrows these protections so that they apply only where special category data (such as health data, racial or ethnic origin, biometric data, or religious beliefs) is involved.

For decisions based solely on non-special category data, the prior restrictions are removed. However, new safeguards apply even in those cases: data subjects gain the right to make representations and to request that a human review any automated decision that affects them. For decisions involving special category data, the prior protections remain in full. This diverges from EU GDPR, which retains broader protections regardless of whether special category data is involved. Organisations operating across both the UK and EU will need to maintain separate compliance approaches for automated decision-making.

Regulatory Structure and Complaint Rights

The DUAA restructures the Information Commissioner's Office, which will be rebranded as the "Information Commission." The governance structure changes from a single Commissioner to a Chair-led board model, intended to improve accountability and strategic oversight of UK data protection regulation.

From 19 June 2026, consumers will also gain a statutory right to lodge complaints directly with data controllers under section 164A of the DPA 2018 (inserted by section 103 of the DUAA). Organisations will be required to acknowledge complaints within 30 days and respond without undue delay. This is a new operational obligation, and businesses should prepare internal complaint-handling processes well in advance of that deadline.

Purpose Limitation and Research Definitions

The DUAA introduces a new Article 8A, which sets out the conditions under which further processing of personal data is compatible with the original purpose. A separate lawful basis is still required for any further processing. Article 8A establishes that further processing will be treated as compatible in certain circumstances: where the data subject has consented to the new purpose, where the purpose is scientific or historical research or archiving in the public interest, or where the purpose falls within the additional categories listed in Annex 2 of the Act. This gives organisations more flexibility to use data collected for one purpose for related secondary purposes, provided the conditions are satisfied.

The definition of "scientific research" has also been broadened to include privately funded and commercial research activities. This is relevant for organisations conducting market research, clinical studies, or data-driven product development, as it extends the research exemptions that were previously more narrowly applied.

International Data Transfers: Relaxed Standard

The DUAA adjusts the standard for international data transfers from requiring "essentially equivalent" protection to a less demanding "not materially lower" standard. In practice, the current government has indicated no immediate plans to approve transfers to new countries on the basis of this change. The EU adequacy decisions for the UK were reviewed and renewed in December 2025 and now run until December 2031, with the European Commission concluding that the UK's data protection framework, including the DUAA, remains essentially equivalent to EU standards. Businesses with cross-border data flows should nonetheless keep the growing divergence between UK and EU rules under review.

Implications for UK Businesses

The practical effect of the DUAA for most organisations will be in four areas:

  1. Reduced LIA obligations for fraud prevention, IT security, and direct marketing in specific circumstances
  2. Simplified DSAR responses through the proportionate search standard
  3. Revised cookie strategies for analytics and functionality cookies
  4. New complaint-handling processes before June 2026

Organisations operating across both the UK and EU must be careful not to apply DUAA changes to EU-facing operations, where the EU GDPR continues to apply in full. The divergence between UK and EU rules is growing, particularly around automated decision-making and international transfers.

Use UniConsent to Stay Compliant with UK Data Protection Rules

UniConsent CMP helps UK publishers and businesses manage consent and cookie compliance in line with the latest regulatory requirements, including the DUAA's updated PECR framework. UniConsent's platform supports configurable consent banners, cookie categorisation, and audit logs to demonstrate compliance with both UK and EU requirements.

If you are reviewing your consent strategy in light of the DUAA, consider the following steps:

  • Review your cookie categories: Use the UniConsent Cookie Scanner to identify which cookies on your site may now fall under the new exempt categories.
  • Update your privacy notice: Ensure it reflects the DUAA changes to lawful bases, purpose limitation, and your complaint-handling process.
  • Prepare for the June 2026 complaint deadline: Put in place a process for acknowledging and responding to consumer complaints within 30 days.
  • Audit your DSAR process: Document what a "reasonable and proportionate" search looks like for your organisation.
  • Check automated decision-making practices: If you use automated processing involving special category data, verify your safeguards remain in place.

About UniConsent

UniConsent is a certified Consent Management Platform (CMP) by the EU IAB and IAB Canada. It is also a Google-certified CMP Partner at the Gold tier. Contact us to learn more: hello@uniconsent.com
