What UK Businesses Need to Know About the New Privacy Rules

Summary

  • The DUAA introduces significant penalties for PECR breaches, aligning fines with UK GDPR levels at up to £17.5 million or 4% of global annual turnover.
  • Businesses must update their approach to legitimate interests, children’s online services, automated decision-making, and cookie consent under the new rules.
  • Charities gain a new email marketing exception, whilst all businesses face stricter data subject rights obligations and research processing safeguards.
  • This article is a plain-English guide to the Data Use and Access Act 2025 (DUAA) for UK business owners, covering key compliance obligations under updated data protection and direct marketing law.
  • It has been produced by LegalVision, a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.

Tips for Businesses

Review your direct marketing practices against the new PECR penalty regime. Update privacy policies to reflect recognised legitimate interests. If your services reach children, audit your privacy-by-design measures. Check that automated decision-making processes meet the new safeguards. Charities should assess eligibility for the email marketing exception.

The Data Use and Access Act 2025 (DUAA) is a UK statute that updates personal data and direct marketing rules under existing data protection legislation. It builds on current law while introducing targeted changes that affect how businesses collect, process, and use personal data. This article highlights the key changes that small and medium-sized businesses in the UK need to be aware of.

What is the DUAA?

The Data Use and Access Act 2025 (DUAA) is new legislation that updates personal data and direct marketing rules. While it largely builds on existing laws, the DUAA introduces key changes that businesses must understand to remain compliant.

The DUAA also covers updates related to the Financial Conduct Authority (FCA), the register of births and deaths, and digital verification services.

Key Changes for Businesses

1. Significant Penalties for PECR Breaches

Previously, PECR breaches, such as unlawful direct marketing, had lower penalties. Now, businesses face fines of up to the greater of £17.5 million or 4% of their global annual turnover for PECR violations.

This is because the Information Commissioner’s Office’s (ICO) enforcement powers under the Privacy and Electronic Communications Regulations (PECR) have been aligned with those under the UK General Data Protection Regulation (UK GDPR), bringing PECR penalties in line with UK GDPR levels.

This change particularly affects businesses engaged in:

  • email marketing;
  • SMS marketing;
  • cold calling; and
  • using non-essential cookies on their website.

2. New Legitimate Interests Gateway

The DUAA introduces a new lawful basis for processing personal data, known as “recognised legitimate interests”, and provides examples of processing that may qualify. It also adds further examples you can draw on when establishing legitimate interests as a lawful basis, such as:

  • direct marketing activities;
  • internal group company data transfers of personal data (whether relating to clients, employees or other individuals) for administrative purposes; and
  • processing necessary for the purposes of ensuring the security of network and information systems.

This offers clearer guidance on when you can rely on legitimate interests. However, businesses must still conduct balancing tests and consider individuals’ rights.

3. Enhanced Protection for Children Online

New requirements specifically protect children using online services. If you provide “information society services” such as websites likely to be accessed by children, you must:

  • consider how children can best be protected when using your services;
  • account for children’s different needs at different ages and developmental stages; and
  • recognise that children may be less aware of data processing risks and their rights.

You must therefore prioritise the privacy of children when designing your systems and procedures.

4. Changes to Data Subject Rights and Time Limits

Several changes affect how you handle data subject requests. However, this mainly formalises the guidance previously issued by the ICO.

  • Extended time limits: You can now extend response times by up to two months (from one to three months in total) if the requests are complex or numerous, as long as you notify the data subject within the original one-month period.
  • Reasonable search requirements: You are only required to provide information that can be obtained through “reasonable and proportionate” searches, which gives you clearer boundaries on what is expected.
  • Legal professional privilege: There is now an exemption that protects legally privileged information from being disclosed in response to data subject requests.

5. Automated Decision-Making Rules

The DUAA updates the rules around automated decision-making, introducing more detailed requirements. As a business, you must be aware of any decisions made about a person using automated processing. Three of the key changes include:

  1. “Significant decisions” are redefined as those with legal effects or similarly significant impacts.
  2. New safeguards must be implemented before making decisions using automated processing. This includes providing information about automated decisions and enabling human intervention.
  3. Special restrictions apply to decisions based on special category data.

6. Research and Statistical Processing

New safeguards apply when processing personal data for research, archiving, or statistical purposes. These include:

  • processing must be necessary and cannot cause substantial damage or distress;
  • technical and organisational measures like pseudonymisation are required; and
  • specific protections apply for different types of research.

7. Cookie and Terminal Equipment Rules

The DUAA introduces exceptions to the consent requirement before storing information on users’ devices (such as through cookies). These include:

  • a detailed list of exceptions to the basic prohibition on using cookies, which remains in place;
  • clear consent requirements remain, but now allow various mechanisms, including browser settings;
  • new exceptions allow cookies without consent for strictly necessary functions (e.g., security, fraud prevention, authentication), statistical purposes (with opt-out available), and website functionality enhancements (with simple objection mechanisms); and
  • the rules now explicitly cover mobile applications and all information society service platforms, not just websites. One-time consent is sufficient for repeated use of the same network for identical purposes.

8. Charity Email Marketing Exception

If you are a charity, a new exception allows you to send direct marketing emails if:

  • the sole purpose is furthering charitable purposes;
  • contact details were obtained when recipients expressed interest in or supported those purposes; and
  • recipients can easily opt out.

Key Statistics

  1. Direct marketing: The ICO received 29,883 complaints about email marketing in 2024/25.
  2. Cookies: The ICO received 4,515 complaints about cookies in 2024/25 – almost 2,000 more than the previous year.
  3. Children online: 24% of primary-aged children (4–11) have shared their real name or address online.

Sources

  • Information Commissioner’s Office (ICO) – Annual Report 2024/25.
  • Information Commissioner’s Office (ICO) research (April 2026).
What Businesses Should Do Now

  • Review PECR compliance: With the significantly higher penalties, ensure your direct marketing practices fully comply with PECR requirements.
  • Update privacy policies: Check if the new legitimate interests examples apply to your processing and update your documentation accordingly.
  • Assess children’s services: If your online services might be accessed by children, review your privacy-by-design measures and consider adding further protections.
  • Review automated systems: Verify that your automated decision-making processes comply with the new requirements and implement the necessary safeguards.

Key Takeaways

While the DUAA does not overhaul UK data protection law, it introduces important adjustments you must consider. The alignment of PECR penalties with UK GDPR levels is particularly significant and should prompt you to carefully review your direct marketing compliance. Assess your current practices against these new requirements and seek professional advice if needed to ensure ongoing compliance.

If you are a business owner looking to understand the impact of the DUAA on your data practices, our experienced Data, Privacy and IT Lawyers can assist you as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Frequently Asked Questions

How do PECR penalty changes under the DUAA affect UK businesses?

The DUAA aligns PECR penalties with UK GDPR, meaning businesses now face fines up to £17.5 million or 4% of global annual turnover for breaches involving email marketing, SMS, cold calling, or non-essential cookies.

How does the DUAA change automated decision-making rules for UK businesses?

Businesses must implement safeguards before making automated decisions, provide individuals with information about those decisions, enable human intervention, and apply special restrictions when processing special category data.

How does the DUAA affect cookie consent requirements for UK businesses?

The DUAA introduces new exceptions allowing cookies without consent for strictly necessary functions, statistical purposes, and functionality enhancements, while extending the rules to cover mobile applications alongside websites.

Can UK charities send direct marketing emails under the DUAA without prior consent?

Yes, charities can email contacts without prior consent if the sole purpose furthers charitable aims, recipients previously expressed interest or support, and a clear opt-out mechanism is provided.

Olivia O'Rourke
