The Data (Use and Access) Act 2025 – Implications for your business

Introduction

The Data (Use and Access) Act 2025 (the “DUAA”) received royal assent last year with the aim of improving people’s lives, making processes easier for both users and businesses, and ultimately growing the economy. One of its key aims is to clarify UK data protection legislation to ensure current law is fit for our digital future.

The DUAA, which broadly amends current UK data protection laws, is being implemented in stages.

Data processing: ‘Recognised Legitimate Interests’

You must have a valid lawful basis to process personal information. Previously, there were six lawful bases for processing personal data; the DUAA has introduced a seventh: ‘recognised legitimate interests’. This basis allows lawful processing for one of the following pre-approved purposes:

  • safeguarding national security, protecting public security and defence purposes;
  • responding to an emergency;
  • detection, investigation or prevention of crime;
  • disclosure to a controller that requires the personal data to carry out a public interest task or to exercise its official authority where the controller has requested that data; and
  • safeguarding of vulnerable individuals.

Recommended Action: Review your privacy policy. If the new ‘recognised legitimate interests’ basis is relevant to your business and how you handle personal data, your privacy policy will need to be updated to include the appropriate wording.

Cookie Rules

The DUAA clarifies and narrows the consent requirements for a wider range of cookies under the PECR. Cookies used to collect information for statistical purposes or to improve the functionality of your website no longer require consent in certain circumstances.

Provided users are given clear information about the cookies (transparency) and a clear, free opt-out option, new exemptions to the consent requirement apply to:

  • analytical/performance cookies (no consent required where used to improve services); and
  • functionality cookies (no consent required where related to appearance or functionality).

It is worth noting that:

  • consent is still required for targeting/advertising cookies; and
  • as before, no consent is needed for strictly necessary/essential cookies.

The penalties for breaching cookie rules under PECR have also increased significantly. The most serious infringements can lead to a maximum fine of £17.5m or 4% of global annual turnover, whichever is higher.

Recommended Action: Carry out an audit of cookies used on your website and ensure your cookie banner accurately reflects the changes.

Data Protection Complaints

If you do not already have something in place, the DUAA requires you to take proactive steps in implementing and managing complaints about how you handle personal data. You will be required to offer a complaints form (whether electronic, by post or by phone), acknowledge complaints, and respond to them without undue delay. This new requirement comes into force on 19 June 2026.

Recommended Action: Ensure you have a DUAA-compliant complaints procedure in place and that all relevant staff are appropriately trained to handle complaints correctly. Update your privacy policy to include the information about your complaints process as required by the new law.

Other changes

  • Scientific research. The DUAA broadens the permitted use of personal data for scientific research and statistical purposes.
  • Automated decision-making. The new law narrows restrictions around the use of automated decision-making (“ADM”) in relation to the processing of special category (or sensitive) data under the UK GDPR. Provided certain safeguards apply, ADM processes can be used in decision making around special category data where certain conditions are met.
  • Children’s protection. The DUAA codifies a requirement for controllers to explicitly consider children’s heightened protection needs when providing online services likely to be accessed by children. In such cases, it is advisable to use clear, child-appropriate language in your privacy notices, in line with the ICO’s age-appropriate design code, the ‘Children’s Code’.

Recommended Action: Visit the ICO website for further guidance on the changes brought by the DUAA, including checklists and other useful resources for businesses. 

Get in touch

We are able to assist with the preparation of data protection complaint handling policies, privacy policies, privacy notices and data protection policies. If you want to find out more about the services we provide, or require data protection advice, please contact Rebecca Anforth (Legal Director) by email at rebecca.anforth@murrellslaw.com or Emily Eastburn-Pentreath (Trainee Solicitor) at emily.eastburn-pentreath@murrellslaw.com.

Key contacts

Emily Eastburn-Pentreath

Trainee Solicitor

Emily is a Trainee Solicitor in the Intellectual Property and Commercial team assisting with trade marks, data protection and other commercial matters.

Rebecca Anforth

Legal Director

Rebecca leads our intellectual property team and is recognised by the Legal 500 for her in-depth knowledge of intellectual property law.
