The UK’s data protection landscape has taken a significant step forward with the Data Use and Access Act 2025 (DUAA) receiving Royal Assent in June 2025. For marketers, this represents the most substantial change since the introduction of the UK General Data Protection Regulation (UK GDPR) in 2018.
While the DUAA does not overhaul existing data laws, it introduces important clarifications, new flexibilities, and some fresh responsibilities – all of which will impact how marketing teams collect, use, and protect personal data.
Key Updates from the Data Use and Access Act
1. Updated Cookie Consent Requirements
Cookie management is simplified: certain cookies, especially those used for statistical purposes, may be set without explicit consent, improving user experience and data collection.
2. Soft Opt-in Extended to Charities
Charities can now send marketing emails to individuals who have previously donated or shown interest, without needing separate consent – provided a clear opt-out is offered. The Fundraising Regulator provides guidance on the soft opt-in for charities.
3. Data Protection Complaints Procedures
A formal complaints procedure is now mandatory. Organisations must acknowledge complaints within 30 days and respond without undue delay, requiring a review of internal complaint-handling processes.
4. Children’s Data Requirement for Online Services
If your organisation provides an online service likely to be accessed by children, the DUAA introduces a new legal obligation to consider their best interests when deciding how to use their personal information. This applies regardless of whether the service is directly targeted at children. If you already comply with the Age Appropriate Design Code (AADC), you’re likely meeting this standard. If not, a review of your design, privacy controls and data usage may be required.
5. Legitimate Interest as a Lawful Basis
The DUAA introduces recognised legitimate interests as a lawful basis for data processing, which could simplify compliance in many scenarios – particularly in marketing. It also provides a harmonised definition of direct marketing across the UK GDPR, Privacy and Electronic Communications Regulations (PECR), and Data Protection Act 2018, reducing ambiguity and helping organisations apply consistent standards across all marketing channels.
6. ICO’s Increased Powers
The Information Commissioner’s Office (ICO) gains stronger enforcement powers, including the ability to issue fines up to £17.5 million or 4% of global turnover for breaches.
What Does This Mean for Your Organisation?
- Review your data collection and consent practices in light of the DUAA’s recognition of legitimate interests as a lawful basis for marketing, and the updated cookie rules that clarify when cookies – especially for analytics or statistical purposes – can be used without explicit consent.
- Review your privacy notices and internal policies if you plan to adopt any of the DUAA’s new provisions – such as relying on recognised legitimate interests, applying the soft opt-in for charities, or updating your cookie practices. Changes to how you process personal data should be clearly reflected to maintain transparency and compliance.
- Ensure your complaint procedures are clear, accessible, and timely and that your staff understand the 30-day requirement.
- For charities: review fundraising communications to take advantage of the new soft opt-in provisions.
- Train your team on the new rules and opportunities to maintain compliance and build trust.
What’s Next?
Most provisions of the DUAA will be rolled out gradually over the next 6 to 12 months. It’s important to prepare now by updating your data practices, monitoring official guidance, and ensuring your teams are trained.
For clarity on any of the terminology used above, you may find it useful to visit the government’s fact sheet dated 27 June 2025. Keep an eye out for upcoming ICO resources, including new data protection impact assessments, especially relevant as new technologies like AI become more widespread.
Final Thoughts
The DUAA is more than just a compliance update – it represents an opportunity for marketers to innovate responsibly, build customer trust, and drive growth in a data-driven world.
As Information Commissioner John Edwards said: “The Data [Use and Access] Act 2025 gives organisations using personal information new and better opportunities to innovate and grow in the UK and further enhances our ability to balance innovation and economic growth with strong protections for people’s rights.”
Marketers who act early, communicate transparently, and prioritise customer interests will thrive under this new data landscape.
Book a free 20-minute marketing consultation with APM or contact us to find out more on tel: 07963 002065 or email: hello@alisonpagemarketing.co.uk.
Latest posts by Alison Page (see all)
- Ideas Fest 2025: Business Inspiration on Our Doorstep – September 17, 2025
- The Importance of Local SEO for SMEs – August 11, 2025
- Data Regulation Gets an Update – What the New UK Data Act Means for Your Business – July 8, 2025