The Data (Use and Access) Act 2025 (DUAA) became law in the UK on 19 June 2025, introducing important updates to UK data protection law
The changes aim to help businesses protect personal information while encouraging innovation and growth.
Key updates include
- clearer rules on using personal data for research
- relaxed restrictions on some automated decision making
- new provisions allowing certain cookies without consent
- changes for charities sending e-marketing mail without consent in specific cases
- requirement for organisations to have a data protection complaints procedure
- introduction of a new lawful basis recognised legitimate interests
The Information Commissioner’s Office (ICO) gains enhanced powers, including compelling witness interviews, requesting technical reports, and issuing fines up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications regulations.
Learn more about the data protection and privacy changes introduced by the new law.
The government will phase in the new law over the next 12 months via secondary legislation.
Next steps for organisations and businesses
To support organisations, the ICO has published
- summaries explaining the Act’s impact on businesses and law enforcement
- a detailed guide for data protection professionals
- a roadmap of forthcoming guidance and consultations
- a public guide on how the Act affects individuals
Find ICO resources on the DUAA changes.
The ICO recommends that businesses should
- review these resources on the DUAA
- ensure online services meet new requirements for children’s data
- prepare to support data protection complaints effectively
- consider how to leverage the Act’s provisions to innovate or streamline processes
You can also subscribe to the ICO newsletter for updates on guidance and implementation.
First published 1 July 2025
