The UK has passed the Data (Use and Access) Act 2025 (the DUAA or the act). The act amends the UK General Data Protection Regulation (UK GDPR) and is aimed at streamlining its requirements. It applies to businesses subject to the UK GDPR and/or the Privacy and Electronic Communications Regulations 2003 (PECR). Companies and consumers are presently assessing the scope and impact of its provisions, which will undoubtedly affect data management and privacy rights.

Carol C. Villegas

Danielle Izzo Mazzeo

Overview

There are several provisions relating to consumers’ ability to manage and protect their personal data.

First, the DUAA changes the standard for companies processing personal data. Before the DUAA’s enactment, companies were held to the ‘legitimate interest’ standard. However, the act now requires companies to demonstrate a ‘recognised legitimate interest’. This is defined to include processing: (i) necessary for national or public security purposes; (ii) necessary to protect vulnerable individuals; (iii) necessary for the detection, investigation or prevention of crime; or (iv) to respond to requests made by entities acting in the public interest. The Information Commissioner’s Office (ICO) will be providing guidance in the coming weeks to inform the scope and impact of these changes. While the full scope of this change remains to be seen, at a minimum the act maintains the data processing protections contemplated by the UK GDPR. 

The act also clarifies prior regulation regarding web cookies. Specifically, it permits companies to utilise certain cookies without obtaining explicit consent. While this change could pose some concern for consumers, the act’s narrow language and seemingly limited application will likely maintain consumer control over their data and continue to require companies to seek consent for the use of cookies in most instances. The act only carves out a handful of cookies from the consent requirement. These are cookies (i) that are limited to collecting analytical or statistical data about use of a service (e.g. the number of clicks on a webpage); (ii) used to identify device location for emergency services purposes; and (iii) that improve the functionality of a website (e.g. prompting websites to appear in native languages).

The act also provides guidance on the limited situations in which entities can use personal data for purposes beyond those for which the data was originally collected. This provision is promising for consumer privacy, in that these instances are limited: entities may reuse personal data for research or analytics purposes, or for investigating or preventing crime. Thus, the act continues to maintain the control that the UK GDPR intended to provide consumers over their personal data.

Most notably, the act significantly expands the enforcement mechanisms available to the ICO, now known as the Information Commission (IC). This includes allowing the IC to engage in regulatory acts, such as requiring entities to prepare investigation reports regarding data security issues, including unauthorised data access incidents. The act also empowers the IC to seek documents and testimony as part of its investigations and regulatory reviews, including the ability to compel the production of documents or call witnesses for interviews.

Supporting consumer rights

In addition to maintaining the UK GDPR’s data management and privacy protections for consumers, the act expands consumers’ rights to demand information and, in some cases, action by companies collecting and using their personal data.

First, beginning on 19 June 2026, consumers will have the right to lodge complaints directly with entities in control of their data to raise data management and privacy concerns, including complaints of data breaches or unauthorised access. Companies subject to the act will be required to make complaint forms available to consumers and must provide a response to the complaint within 30 days.

The act also instructs companies to evaluate additional protections for children online, including implementing child safety features and explicitly clarifying any collection and use of children’s personal data. This is particularly important given the rise of US lawsuits and reports highlighting the risks that social media poses to children’s mental health and safety.

In addition to codifying consumer data privacy protections, the act may also provide consumers with a basis for legal action and enforcement of their privacy rights. The IC’s increased regulatory power and forthcoming guidance on various provisions of the act will spotlight data compliance failures and privacy violations. With this information, consumers will be better able to pursue collective or mass actions for claims, such as loss of control of data. These efforts will be further supported by consumers’ ability to file complaints directly with companies to receive information about their personal data and more fully understand the scope of the uses of their personal data and any data protection failures.

Conclusion

The act marks an evolution in the UK’s data protection landscape, refining existing GDPR-based protections and expanding both regulatory oversight and consumer empowerment. Although many of its practical effects will depend on guidance from the IC, the act largely preserves the core privacy principles familiar to UK consumers. By clarifying data processing standards, tightening rules around secondary data use, and strengthening avenues for consumer complaints and enforcement, the act positions itself as a modernisation effort rather than a departure from established rights.

Carol C. Villegas is a senior partner and Danielle Izzo Mazzeo an associate at Labaton Keller Sucharow LLP