
Data Use and Access Act 2025: Key Privacy Law Changes for UK Businesses

In Short

  • The DUAA aligns PECR penalties with UK GDPR, increasing fines for non-compliance.

  • New “recognised legitimate interests” for processing personal data, offering clearer guidelines.

  • Strengthened protections for children’s data, particularly for online services.

Tips for Businesses

  • Review your direct marketing practices to ensure full compliance with updated PECR penalties.

  • Assess your privacy policies to ensure they include legitimate interests and measures for protecting children’s data.

  • Implement safeguards for automated decision-making and check your systems for compliance with the DUAA.

The new Data Use and Access Act 2025 (DUAA) changes how businesses in the UK handle personal data. As a business owner, understanding these updates is crucial due to their broad impact, from handling customer information to marketing your products and services. The new Act amends existing legislation and carries serious consequences for non-compliance. This article highlights the key changes that small and medium-sized businesses in the UK need to be aware of.

What is the DUAA? 

The Data Use and Access Act 2025 (DUAA) is new legislation that updates personal data and direct marketing rules. While it largely builds on existing laws, the DUAA introduces key changes that businesses must understand to remain compliant.

The DUAA also covers updates related to the Financial Conduct Authority (FCA), the register of births and deaths, and digital verification services.

Key Changes for Businesses

1. Significant Penalties for PECR Breaches

Previously, PECR breaches, such as unlawful direct marketing, had lower penalties. Now, businesses face fines of up to the greater of £17.5 million or 4% of their global annual turnover for PECR violations.

This is because the Information Commissioner’s Office’s (ICO) enforcement powers under the Privacy and Electronic Communications Regulations (PECR) have been aligned with those under the UK General Data Protection Regulation (UK GDPR), so the maximum PECR fines now match UK GDPR levels.

This change particularly affects businesses engaged in:

  • email marketing;
  • SMS marketing;
  • cold calling; and
  • using non-essential cookies on their website.

2. New Legitimate Interests Gateway

The DUAA introduces a new lawful basis for processing personal data, known as “recognised legitimate interests”. It provides examples of processing that may qualify as legitimate interests. The DUAA also adds other examples you can use when establishing a lawful basis, such as:

  • direct marketing activities;
  • internal group company data transfers of personal data (whether relating to clients, employees or other individuals) for administrative purposes; and
  • processing necessary for the purposes of ensuring the security of network and information systems.

This offers clearer guidance on when you can rely on legitimate interests. However, businesses must still conduct balancing tests and consider individuals’ rights.

3. Enhanced Protection for Children Online

New requirements specifically protect children using online services. If you provide “information society services” such as websites likely to be accessed by children, you must:

  • consider how children can best be protected when using your services;
  • account for children’s different needs at different ages and developmental stages; and
  • recognise that children may be less aware of data processing risks and their rights.

You must therefore prioritise the privacy of children when designing your systems and procedures.

4. Changes to Data Subject Rights and Time Limits

Several changes affect how you handle data subject requests. However, this mainly formalises the guidance previously issued by the ICO.

Change | Details
Extended Time Limits | You can now extend response times by up to two months (from one to three months in total) if the requests are complex or numerous, as long as you notify the data subject within the original one-month period.
Reasonable Search Requirements | You are only required to provide information that can be obtained through “reasonable and proportionate” searches, which gives you clearer boundaries on what is expected.
Legal Professional Privilege | There is now an exemption that protects legally privileged information from being disclosed in response to data subject requests.

5. Automated Decision-Making Rules

The DUAA updates the rules around automated decision-making, introducing more detailed requirements. As a business, you must be aware of any decisions made about a person using automated processing. Three of the key changes include:

  1. “Significant decisions” are redefined as those with legal effects or similarly significant impacts.
  2. New safeguards must be implemented before making decisions using automated processing. This includes providing information about automated decisions and enabling human intervention.
  3. Special restrictions apply to decisions based on special category data.

6. Research and Statistical Processing

New safeguards apply when processing personal data for research, archiving, or statistical purposes. These include:

  • processing must be necessary and cannot cause substantial damage or distress;
  • technical and organisational measures like pseudonymisation are required; and
  • specific protections apply for different types of research.

7. Cookie and Terminal Equipment Rules

The DUAA introduces exceptions to the consent requirement before storing information on users’ devices (such as through cookies). These include:

  • a detailed list of exceptions to the basic prohibition on using cookies, which remains in place;
  • clear consent requirements remain, but now allow various mechanisms, including browser settings;
  • new exceptions allow cookies without consent for strictly necessary functions (e.g., security, fraud prevention, authentication), statistical purposes (with opt-out available), and website functionality enhancements (with simple objection mechanisms); and
  • the rules now explicitly cover mobile applications and all information society service platforms, not just websites. One-time consent is sufficient for repeated use of the same network for identical purposes.

8. Charity Email Marketing Exception

If you are a charity, a new exception allows you to send direct marketing emails if:

  • the sole purpose is furthering charitable purposes;
  • contact details were obtained when recipients expressed interest in or supported those purposes; and
  • recipients can easily opt out.

What Businesses Should Do Now

  • Review PECR compliance: With the significantly higher penalties, ensure your direct marketing practices fully comply with PECR requirements.
  • Update privacy policies: Check if the new legitimate interests examples apply to your processing and update your documentation accordingly.
  • Assess children’s services: If your online services might be accessed by children, review your privacy-by-design measures and consider adding further protections.
  • Review automated systems: Verify that your automated decision-making processes comply with the new requirements and implement the necessary safeguards.

Key Takeaways

While the DUAA does not overhaul UK data protection law, it introduces important adjustments you must consider. The alignment of PECR penalties with UK GDPR levels is particularly significant and should prompt you to carefully review your direct marketing compliance. Assess your current practices against these new requirements and seek professional advice if needed to ensure ongoing compliance.

If you are a business owner looking to understand the impact of the DUAA on your data practices, our experienced Data, Privacy and IT Lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the new legitimate interests rule?

The DUAA provides clearer guidance on when businesses can use “recognised legitimate interests” for data processing.

What should businesses do with children’s online data?

Businesses must ensure that children’s data is protected and consider their specific online needs.

Olivia O'Rourke

Olivia is a Senior Associate in LegalVision’s Corporate and Commercial team. She specialises in commercial, corporate and privacy law, and enjoys working with clients to help them achieve a commercial outcome.

Qualifications: Bachelor of Laws, Bachelor of Business, University of Technology Sydney.
