UK Data (Use and Access) Act 2025: What It Means for Privacy Compliance
The UK Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. The legislation amends the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), cutting administrative overhead for businesses while keeping core privacy protections in place.
The DUAA creates a new lawful basis for processing personal data: recognised legitimate interests (Article 6(1)(ea)).
Under the previous UK GDPR framework, every organisation relying on legitimate interests had to complete a Legitimate Interests Assessment (LIA), a balancing exercise weighing business needs against individual rights. The DUAA removes that requirement for specific activities now deemed automatically lawful:
Direct marketing, intra-group data sharing, and network security don't make that list, so an LIA is still required for those. But for businesses in finance, social media, and retail processing data for fraud prevention or IT security, the new basis removes a meaningful compliance step.
From 5 February 2026, four cookie categories no longer require prior consent under the DUAA's amendments to PECR. Analytics cookies, functionality cookies, security cookies, and software update cookies all fall under the new exempt categories, provided each is used only for its stated purpose. A security cookie repurposed for behavioural tracking, for example, would still require consent.
The UK government had been signalling this direction since 2022, when it first proposed removing consent pop-ups for low-risk activities like audience measurement. If you've been using consent banners for these categories, they may no longer be legally required. But dropping the banner doesn't drop the obligation. You still need to tell users what cookies you're running and give them a clear way to opt out.
One number worth keeping in mind: the maximum penalty for cookie non-compliance has jumped from £500,000 to the greater of £17.5 million or 4% of global annual turnover. The exemptions are narrower than they might appear, and the consequences of misapplying them are considerably higher than before.
Responding to Data Subject Access Requests (DSARs) across sprawling data environments has long been one of the more operationally painful parts of UK GDPR compliance. The DUAA codifies a "reasonable and proportionate" search standard, meaning you're no longer expected to conduct exhaustive searches of every system for every request. The ICO had already recommended this approach in guidance, but now it carries statutory force. Document your DSAR search methodology so you can show regulators what a proportionate search looks like for your organisation. Where legal privilege or confidentiality obligations prevent full disclosure, the Act requires you to be transparent about that fact.
The DUAA also introduces a clock-pausing mechanism. Where a request is unusually complex or requires clarification from the data subject, you can pause the one-month response window. The previous framework only allowed a fixed two-month extension and did not permit pausing the clock at all.
The pre-existing UK GDPR gave individuals strong protections against solely automated decisions with legal or similarly significant effects. The DUAA narrows those protections to situations involving special category data: health data, racial or ethnic origin, biometric data, religious beliefs, and similar.
For decisions based purely on non-special category data, those restrictions are gone. But the safeguards that replace them are not trivial. Data subjects gain the right to make representations and to request human review of any automated decision affecting them.
Where special category data is involved, nothing changes and the full prior protections apply. If you operate across both the UK and EU, the EU GDPR still retains broader automated decision-making protections regardless of data category. You'll need separate compliance approaches for each jurisdiction.
The Information Commissioner's Office is being rebranded as the Information Commission, shifting from a single-Commissioner model to a Chair-led board. The governance change is intended to strengthen accountability, but the more immediate operational shift is in enforcement capability.
The Information Commission gains two significant new powers: binding assessment notices that can require organisations to prepare investigation reports on data security matters, and interview notices compelling individuals to provide testimony during investigations. Both powers apply across UK GDPR and PECR, giving the regulator a more direct route into data incidents without depending on voluntary cooperation.
From 19 June 2026, individuals gain a statutory right to lodge complaints directly with data controllers under section 164A of the DPA 2018. You'll be required to acknowledge complaints within 30 days and respond without undue delay. If your organisation doesn't already have a formal complaint-handling process for data matters, build one before that deadline.
The DUAA introduces Article 8A, setting out when further processing of personal data is compatible with the original collection purpose. A separate lawful basis is still required for any secondary use, but Article 8A establishes three circumstances where further processing is treated as compatible: where the data subject has consented to the new purpose, where the purpose is scientific or historical research or archiving in the public interest, or where it falls within the additional categories listed in Annex 2 of the Act.
The definition of scientific research has also been broadened to cover privately funded and commercial research. If your organisation runs market research, clinical studies, or data-driven product development, the research exemptions that previously applied only to academic or public-interest work may now be available to you.
The DUAA introduces explicit obligations for services likely to be accessed by children. Those services must now take account of specified "children's higher protection matters" when processing personal data, assessing whether data practices provide appropriate safeguards for younger users and clearly explaining in privacy notices how children's data is collected and used.
The requirement sits alongside the existing Age Appropriate Design Code (the Children's Code). If you're already compliant with the Children's Code, you're likely most of the way there, but review whether the DUAA's framing introduces any additional obligations around transparency and the documentation of child-specific processing decisions.
The DUAA replaces the "essentially equivalent" standard for international transfers with a less demanding "not materially lower" test. The government has signalled no immediate plans to approve transfers to new countries on the back of this change, and the EU's adequacy decision for the UK was renewed in December 2025, running through December 2031.
The growing divergence between UK and EU transfer rules is worth tracking. Organisations with cross-border data flows should keep a watching brief, particularly because the EU adequacy decision rests on the Commission's conclusion that the UK framework remains essentially equivalent. That conclusion is not guaranteed to hold indefinitely as the two regimes continue to drift apart.
For most organisations, the DUAA's practical effect falls across four areas:
If you operate across both the UK and EU, don't carry DUAA changes into your EU-facing operations. The EU GDPR applies in full there, and the divergence between the two regimes is most pronounced in automated decision-making and international transfers.
The DUAA changes what you need to show regulators, when you need to show it, and what counts as a valid consent signal. UniConsent handles cookie categorisation, consent logging, and audit trails so your compliance posture keeps pace with the rules, not just with your last review cycle.
If you're working through the DUAA's implications, start here:
UniConsent is a certified Consent Management Platform (CMP) by the EU IAB and IAB Canada. It's also a Google-certified CMP Partner at the Gold tier. Contact us to learn more: hello@uniconsent.com