The Data (Use and Access) Act 2025 (DUAA) introduces major changes for UK marketers, effective from 5 February 2026, with additional updates starting 19 June 2026. Key updates include stricter penalties, enhanced consumer rights, and new rules for cookies, automated decision-making (ADM), and legitimate interests. Here’s what you need to know:
- Penalties: PECR fines now match UK GDPR levels, capped at £17.5 million or 4% of global turnover, up from £500,000.
- Consumer Rights: From 19 June 2026, organisations must acknowledge data complaints within 30 days and resolve them within three months.
- Cookies: Consent is no longer required for "low-risk" cookies, such as analytics or security-related cookies, but opt-out options must be clear.
- Automated Decision-Making: ADM is now allowed for non-sensitive data under any lawful basis, provided safeguards like human intervention are in place.
- Legitimate Interests: Direct marketing is recognised as a legitimate interest, but a full Legitimate Interest Assessment (LIA) is still required.
These updates mean marketing teams must prioritise compliance while leveraging opportunities like AI-driven personalisation and expanded cookie exemptions. The changes also demand updated privacy notices, complaint-handling processes, and ongoing staff training to meet new legal standards. To stay ahead of these regulatory shifts, marketing leaders can attend free digital webinars for expert-led compliance strategies.

UK Data Privacy Law Changes 2026: Before and After DUAA Comparison
New Rules: A look at UK Data Protection Reform
Major Updates from the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) was introduced in two phases. Most of its provisions came into effect on 5 February 2026, with the statutory complaints process following on 19 June 2026. The phased rollout meant organisations had to adjust quickly to the February changes while still preparing for the June complaints requirements.
The Act introduces three key changes that directly affect how marketing teams operate. First, it loosens restrictions on automated decision-making for non-sensitive data, enabling more AI-driven personalisation. Second, it extends the "soft opt-in" rule to charities, allowing them to market to existing supporters without requiring prior consent. Third, it simplifies cookie rules, as outlined below.
Recognised Legitimate Interests for Marketing
One of the standout changes is the introduction of recognised legitimate interests. The DUAA adds a new lawful basis under Article 6(1)(ea) of the UK GDPR, termed "recognised legitimate interests". While the Act specifies five areas like crime prevention and safeguarding, it also includes a broader, non-exhaustive list of activities that may qualify. Notably, direct marketing and intra-group administrative data sharing are part of this list.
However, recognised legitimate interests don’t bypass the need for a Legitimate Interest Assessment (LIA). Marketing teams must still conduct a full LIA, including a balancing test, for direct marketing campaigns. While the Act acknowledges these activities as potentially valid, it doesn’t eliminate the requirement to ensure they don’t override individual rights.
Changes to ePrivacy and PECR

The DUAA simplifies cookie regulations, removing the consent requirement for "low-risk" cookies. These include cookies used for web analytics, service appearance (like language preferences), and security or fraud prevention. Organisations must still provide clear, cost-free opt-out options for users.
The financial stakes for non-compliance have also risen sharply. PECR fines now align with UK GDPR levels, increasing by 3,400% – from a cap of £500,000 to £17.5 million or 4% of annual global turnover, whichever is higher. This makes cookie and direct marketing compliance a critical issue for boards.
"Businesses should consider the increased PECR fines when assessing their compliance with cookies and direct marketing practices." – Clifford Chance
Charities also gain from the extended "soft opt-in" rule, which allows them to send marketing emails to existing supporters without explicit opt-in consent. A clear unsubscribe option must still be provided.
| Provision | Before | After DUAA |
|---|---|---|
| Cookie Consent | Consent required for most cookies | Exemptions for analytics, appearance, and security |
| PECR Fines | Capped at £500,000 | Up to £17.5m or 4% of annual global turnover |
| Charity Marketing | Explicit opt-in often required | "Soft opt-in" (opt-out) now allowed |
In addition to these changes, the Act revises rules on automated decision-making.
Automated Decision-Making and AI in Marketing
Restrictions on automated decision-making (ADM) for non-sensitive data have been lifted under the DUAA. Previously, solely automated decisions with significant effects were largely prohibited unless based on contract or consent. Now, marketers can use ADM for personalisation and profiling based on any lawful basis, including legitimate interests, as long as safeguards are in place.
These safeguards include informing individuals about the automated process, offering the option for meaningful human intervention, and allowing individuals to challenge the decision. This opens up opportunities for AI-driven tools like personalised recommendations or dynamic pricing, while still protecting consumers.
"The prohibition on ADM has been lifted except for where special category data are involved. For non-sensitive data, this enables organisations to rely on other lawful bases, such as legitimate interests… to carry out ADM." – Travers Smith LLP
It’s also important to note that the UK and EU now differ in their approaches to ADM. A compliance strategy that meets UK requirements won’t necessarily align with EU GDPR, so businesses operating in both regions will need separate frameworks.
Enhanced Consumer Rights and Compliance Duties
The DUAA introduces strengthened consumer rights for handling complaints and accessing personal data. Starting 19 June 2026, individuals will have a legal right to lodge complaints directly with data controllers about the handling of their personal data. Organisations must acknowledge these complaints within 30 days and aim to resolve them within three months, as interpreted by the ICO. This applies to all data protection-related complaints, regardless of how they are submitted – whether through social media, customer service chats, or other channels. These updates highlight the need for robust compliance systems to manage these responsibilities effectively.
Marketing teams face a nuanced challenge here: not all complaints will be explicitly flagged as "data protection issues." For instance, a tweet about unsolicited emails or a message on Instagram raising concerns about data use still qualifies as a formal complaint. This means frontline staff and social media teams need proper training to identify and escalate such issues promptly. Moreover, third-party marketing agencies acting as processors must be contractually required to forward any complaints to the controller immediately.
Complaint Handling Requirements
The 30-day acknowledgment period begins the day after a complaint is received, regardless of weekends or holidays. Many organisations are turning to automated email responses for electronic complaints to ensure they meet this deadline consistently. Following acknowledgment, a substantive response must be provided as soon as possible, with the ICO suggesting a three-month resolution target for most cases.
"An organization that has failed to implement an appropriate complaints process risks becoming the subject of a complaint to the ICO… valuable ammunition for a disgruntled data subject." – James Castro-Edwards, Counsel, Arnold & Porter
To stay compliant, organisations should maintain a central log that tracks key details such as the date a complaint was received, acknowledgment, investigation actions, and the final outcome. The ICO’s data shows an increase in complaints, with 42,881 received in 2024–25 compared to 39,721 the previous year. High complaint volumes may draw regulatory attention, making an efficient process essential.
Data Subject Access Requests and Verification
The DUAA also brings changes to how Data Subject Access Requests (DSARs) are handled, aiming to balance streamlined compliance with data security. A new "stop the clock" provision pauses the one-month DSAR deadline during identity verification. Organisations can focus their searches on systems most likely to contain the requested data, following a reasonable and proportionate approach.
This means marketing teams no longer need to search every system exhaustively. Instead, efforts should align with the volume of data held and available resources, concentrating on areas where relevant information is most likely stored.
| Requirement | Timeline | Key Action |
|---|---|---|
| Complaint Acknowledgment | Within 30 days | Use automated responses for electronic submissions |
| Complaint Resolution | Without undue delay (target: 3 months) | Keep a detailed log of investigation steps |
| DSAR Response | 1 month (pauses for verification) | Request identity verification at the outset if needed |
| DSAR Search Scope | Reasonable and proportionate | Focus searches on systems likely to hold relevant data |
How Marketers Can Achieve Compliance
With the recent DUAA updates, marketing teams need to act fast to align with the new requirements. The changes focus on three main areas: privacy documentation, tracking, and assessments of lawful bases. The stakes are high – by 19 June 2026, complaints procedures must be in place, and penalties for breaching PECR have risen to £17.5 million or 4% of global turnover. Here’s how to integrate these changes into everyday marketing operations.
Updating Privacy Policies and Notices
Privacy notices now need a clearly visible link to your complaints process, detailing how data protection concerns are addressed. This became a statutory requirement in June. If you use automated decision-making, your notices must explain the logic behind the algorithms, as well as their significance and potential impact. Interestingly, 73% of shoppers say they prefer brands that handle email data transparently, so this is a chance to build trust while staying compliant.
Make sure your Records of Processing Activities (ROPAs) reflect any reliance on recognised legitimate interests. Charities, for example, should update their notices to clarify that the "soft opt-in" now extends to donors and supporters, while also providing a clear opt-out option. Additionally, create a complaints form that includes automated responses to ensure you meet the 30-day acknowledgment deadline.
Reviewing Cookie Consent and Tracking Practices
Cookie banners are another area requiring immediate attention. The "Reject All" button must now be as prominent as the "Accept All" option. Non-compliance carries financial risks equivalent to those under the UK GDPR, as outlined in the DUAA framework. Marketing and tracking cookies still require prior, informed consent obtained through a clear, affirmative action.
Users must also be able to withdraw consent as easily as they gave it – think of features like a permanent settings icon. If you embed external content like videos or chatbots, configure them with privacy in mind and inform users if these tools rely on non-exempt storage technologies. The ICO suggests obtaining renewed consent every two years for these storage and access technologies.
Conducting Legitimate Interest Assessments
Legitimate interest assessments (LIAs) are more critical than ever. While direct marketing is now explicitly listed in the updated Article 6(f) of the UK GDPR as a legitimate interest, it is not a "recognised" legitimate interest. This means marketers must still complete a full three-part LIA: the purpose test (identifying the legitimate interest), the necessity test (proving the processing is necessary), and the balancing test (ensuring individual rights aren’t overridden by business interests).
"The print community identified legal certainty around use of legitimate interests as a critical priority… If brands feel confident that they can now use third party data based on legitimate interests for customer acquisition campaigns… then a period of sustained growth could be in the offing." – Chris Combemale, Director of Policy and Public Affairs, DMA
When documenting the "Purpose" section of an LIA, make sure to reference the DUAA 2025/UK GDPR Article 6(f) amendments. Properly documented assessments could unlock over £500 million in investment across the UK marketing supply chain, but only if the process is thorough and transparently summarised in your privacy policy.
Training Marketers Through Digital Apprenticeships
Compliance isn’t something you can simply tack on later. With the statutory right to lodge complaints coming into effect on 19 June 2026 and PECR fines reaching up to £17.5 million or 4% of global turnover, marketing teams need ongoing, structured training to spot and address data protection issues before they escalate. Complaints can emerge from any channel, and staff must recognise and log them within 30 days. Proper training helps reinforce the compliance measures discussed earlier.
"Training will be essential as complaints can be made to anyone at the organisation or via social media. Staff should be supported to recognise what a data protection complaint might look like in practice – particularly when it is not labelled as such." – Andrew Fremlin-Key, Partner, Withers LLP
Government-funded apprenticeships offer a practical way to integrate compliance into marketers’ daily workflows. These programmes teach marketers how to apply safeguards to Automated Decision-Making (ADM), meet the new "not materially lower" standard for international transfers, and navigate the expanded legitimate interests framework – all while creating effective campaigns. Digital apprenticeships provide the structure needed to embed these critical skills.
NowSkills Digital Marketing Apprenticeships
NowSkills offers Level 3 and Level 4 digital marketing apprenticeships that combine practical marketing training with essential data privacy knowledge. These programmes cover updates from DUAA 2025, including how to:
- Document recognised legitimate interests.
- Implement ADM transparency requirements.
- Manage the expanded cookie exemptions for statistical and appearance-related tracking.
- Handle Data Subject Access Requests (DSARs) under the updated "reasonable and proportionate" search standards.
- Prepare for the June 2026 complaints deadline.
The Level 4 programme takes it a step further by incorporating AI literacy. With the Information Commissioner’s Office focusing on systems that lack meaningful human oversight, marketers are trained to map data flows across AI supply chains and configure tools with privacy by design. Apprentices also gain hands-on experience auditing live campaigns, reviewing consent mechanisms, and updating privacy notices in real time.
These apprenticeships, combined with tailored employer programmes, ensure teams are continually improving and staying ahead of compliance challenges.
Supporting Employer Workforce Development
NowSkills collaborates with businesses to recruit new talent or upskill existing marketing teams through government-funded programmes. This approach allows companies to build capable, future-ready teams without upfront training expenses. Training is flexible – offered both online and in person – and tailored to address specific compliance needs, such as cookie banner reviews, legitimate interest assessments, or creating effective complaint logs.
Investing in training doesn’t just mitigate risks; it also opens doors to new opportunities. Privacy-focused marketing isn’t only about avoiding penalties – it builds the trust that drives conversions and fuels long-term growth. By embedding compliance into apprenticeship frameworks, businesses can develop teams that confidently meet data protection requirements while delivering impactful marketing campaigns.
Conclusion
The Data (Use and Access) Act 2025 has reshaped how UK marketers approach compliance. Under this updated framework, fines can now reach £17.5 million or 4% of global turnover, and complaints must be addressed within 30 days before escalating to the ICO. With the 19 June 2026 deadline for mandatory complaints handling, marketing teams face added pressure to acknowledge and resolve disputes quickly and efficiently.
In addition to compliance changes, the introduction of the "recognised legitimate interests" framework and more flexible rules around automated decision-making open up opportunities for AI-driven personalisation and analytics. However, success in these areas hinges on implementing safeguards and maintaining transparency. The adjustment from "essentially equivalent" to "not materially lower" standards for international data transfers also simplifies global campaign management, giving marketers more room for strategic innovation.
"Privacy-led marketing tends to be better marketing. Trust isn’t fluffy – it’s conversion fuel." – Clwyd Probert, CEO, Whitehat
To thrive under these new regulations, ongoing training is essential. Continuous learning ensures that teams stay compliant while adapting to the evolving landscape. With consumers increasingly valuing transparency, privacy is no longer just a legal requirement – it’s a competitive edge. Investing in structured training, such as government-funded apprenticeships that integrate data protection into daily operations, equips marketers to build trust and create campaigns that deliver results.
FAQs
Which cookies are considered ‘low-risk’ under the DUAA, and what opt-out is required?
Under the DUAA, cookies classified as ‘low-risk’ – such as those used for analytics or functional purposes – do not require explicit user consent. As with strictly necessary cookies, consent is not mandatory, but organisations are still obliged to provide clear and accessible information about all cookie types in use. To meet the opt-out requirement, businesses must ensure their privacy or cookie policies transparently explain how cookies are used, so that users can readily understand their options and make informed decisions.
How can marketers use automated decision-making without violating the new safeguards?
Marketers preparing for the 2026 safeguards need to align with the UK Data (Use and Access) Act 2025. This involves a few critical steps:
- Transparency: Clearly inform individuals when automated decisions are made and provide explanations about how these decisions work.
- Data Protection Impact Assessments (DPIAs): Conduct these assessments to evaluate risks and ensure data handling is compliant.
- Documentation: Keep thorough and accurate records of data processing activities.
Additionally, relying on recognised legitimate interests can make compliance more straightforward, as long as you prioritise both transparency and accountability throughout the process.
What do we need to change to meet the new 30-day data complaint deadline?
Organisations in the UK must prepare for the updated 30-day data complaint deadline, which comes into effect on 19 June 2026 under revised data protection laws. To comply, businesses need to establish a formal process for handling complaints. This involves promptly acknowledging any complaints and ensuring they are investigated and resolved within the 30-day timeframe. Clear and structured procedures will be essential to manage these requirements effectively and avoid potential compliance issues.