12/09/2025

The Data (Use and Access) Act 2025 (DUA Act) is a large and complex piece of law, containing 144 sections and 16 Schedules.
It amends, rather than replaces, UK GDPR and the Data Protection Act 2018, meaning businesses need to prepare for adjustments, not a wholesale rewrite of compliance.
The DUAA doesn’t replace GDPR or the Data Protection Act 2018, but it does add new rules and raise the stakes for compliance. Here are the essentials for small businesses:
- Cookies and website tracking: some lower-risk cookies (like basic analytics or site optimisation) may be allowed without consent, but you’ll still need to review your cookie banner to provide clear opt-outs.
- Complaints process: from June 2026, every business must provide a way for customers to complain about data use. You’ll need to acknowledge within 30 days and respond without undue delay, so think about adding a form or contact option on your website and keeping a log of complaints.
- Children’s services: if children could use your products or services, you’ll need to show “data protection by design”, meaning stronger protections in how you collect and use their data, and remember to tailor privacy notices to children.
- Marketing and legitimate interests: the Act confirms that direct marketing can be a legitimate interest, and charities can rely on the soft opt-in, but PECR rules still apply, so consents and opt-outs must be watertight.
- Automated decisions and AI: restrictions are loosened slightly for automated decisions that don’t use sensitive data, but safeguards (the right to know, challenge, and get human review) remain in place. The Secretary of State is expected to provide more guidance on AI in due course following the parliamentary debates on this.
- Bigger fines for PECR breaches: the ICO can now issue UK GDPR-level fines (up to £17.5m or 4% of turnover, whichever is higher) for marketing and cookie law breaches, so email lists, unsubscribes, and banners all need to be compliant.
What’s Next?
Much of the detail will come through secondary legislation and ICO guidance over the next 12–24 months. Businesses should keep an eye on:
- The Secretary of State’s consultations on AI and transparency
- ICO guidance on cookies, complaints, and automated decision-making
- The next EU adequacy decision (expected late 2025), which will assess whether UK law remains aligned enough with EU GDPR to allow free data flows. The EU has published a draft decision confirming that UK data protection remains essentially equivalent to EU standards, with a proposal to extend the current adequacy arrangements beyond their 27 December 2025 expiry for a further six years.
What to Do Now: 3 Practical Steps
- Review your website, update cookie banners and privacy notices to prepare for the new DUAA rules
- Plan a complaints process, set up a simple log, draft an acknowledgement template, and ensure you can meet the 30-day acknowledgement rule
- Audit marketing practices, check consents, unsubscribe links, and soft opt-in use, especially if you are a charity or use direct marketing heavily