UK Data Use and Access Act: What Changes on 5 February 2026 and How to Prepare

Scott Dooley
6 min read · Feb 4, 2026

The UK’s Data (Use and Access) Act 2025 (DUAA) comes into force on 5 February 2026. Before you worry about urgent compliance work, here’s the good news: in most cases, you probably don’t have anything that needs immediate action.

The reason is straightforward. Rather than imposing stricter requirements, the DUAA generally makes the rules more flexible. Cookie consent requirements are being relaxed. A new lawful basis removes the need for a balancing test in certain situations. Subject access request handling gives organisations more control. These are changes that reduce burden rather than add to it. The main exception is enforcement: PECR fines rise to UK GDPR levels, so the compliance burden falls while the cost of getting cookies and e-marketing wrong goes up.

Of course, whether any of these changes affect your organisation depends on the data you collect and how you process it. We always recommend reviewing new legislation against your specific circumstances, and consulting with a data protection specialist if you’re uncertain. But this isn’t a situation requiring panic.

This article covers what’s changing, what stays the same, and the practical steps to consider.

What’s Changing on 5 February 2026

A New Lawful Basis: Recognised Legitimate Interests

The DUAA introduces a new lawful basis for processing personal data under Article 6(1)(ea) of the UK GDPR. Called “recognised legitimate interests,” this differs from the standard legitimate interests basis in one important way: no balancing test is required.

Under standard legitimate interests, organisations must weigh their processing needs against the rights of individuals. The new recognised legitimate interests removes this requirement for a specific list of purposes set out in a new Annex 1 to the UK GDPR:

  • Safeguarding national security
  • Protecting public security and defence
  • Responding to emergencies
  • Investigating crime
  • Safeguarding vulnerable individuals
  • Disclosures to public bodies carrying out public tasks

This basis is only available to private and third-sector organisations. Public authorities cannot rely on it.

What to do: Review your privacy notices and Records of Processing Activities (ROPAs). If any of your processing falls within these categories, you may be able to simplify your legal basis documentation.

Cookie Consent Gets More Flexible

The DUAA amends the Privacy and Electronic Communications Regulations 2003 (PECR) to expand the list of cookie uses exempt from consent. Five new exemptions now apply:

  1. Analytics cookies – for collecting aggregate statistics to improve services
  2. Security cookies – for fraud prevention and device security
  3. Functionality cookies – for enhancing service features
  4. Software update cookies – for delivering updates
  5. Interface customisation cookies – for tailoring user experience

The analytics exemption is particularly significant. If your sole purpose is collecting aggregate statistics to improve your website, you can now run analytics without consent. The exemption is conditional, however: you must clearly explain what the cookies are used for, and you must offer a simple, free way to opt out. Analytics that also serve advertising purposes fail the "sole purpose" test and fall outside the exemption.

The ICO has been explicit that advertising-related activities sit outside these exemptions. Any cookie used for advertising purposes still requires consent.

What to do: Audit your cookie implementation tag by tag, recording the purpose each one serves. If a tag is used solely for service-improvement analytics (not advertising), you may be able to move it from a consent to an opt-out model; a tag that serves both purposes stays behind consent.
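The opt-out versus consent split above is easiest to get right when the decision is made per purpose rather than per vendor script. The block below is an added example written for this article, not code from the author or any consent-management product. It assumes a preference cookie named privacy_prefs with a purpose:flag wire format, an invented tag registry, and a design choice that a tag serving several purposes is governed by the strictest of them, so an analytics tag that also feeds advertising stays behind consent. The logic is pure JavaScript and runs under Node; wiring it to document.cookie and the real tag loaders is left to the page that uses it.

```javascript
// Added example (not code from the article or its author): category-based tag
// gating for the post-DUAA PECR position. Exempt categories load by default and
// honour an opt-out; advertising stays behind opt-in consent. Pure logic, so it
// runs under Node; wiring it to document.cookie and the real tag loaders is the
// caller's job.

// Policy per purpose. "always": strictly necessary, no consent and no opt-out
// (unchanged by the DUAA). "opt_out": exempt, set unless the user refuses.
// "opt_in": requires consent before anything is set or read.
const POLICY = {
  strictly_necessary: "always",
  analytics: "opt_out",
  security: "opt_out",
  functionality: "opt_out",
  software_update: "opt_out",
  interface_customisation: "opt_out",
  advertising: "opt_in",
};

// Name and wire format of the preference cookie are assumptions for this example:
// privacy_prefs=analytics:0,advertising:1   (0 = refused, 1 = accepted)
const PREF_COOKIE = "privacy_prefs";

// Parse a document.cookie / Cookie header string into { purpose: true|false }.
// Unknown purposes and malformed flags are ignored rather than guessed.
function parsePreferences(cookieString) {
  const prefs = {};
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== PREF_COOKIE) continue;
    const value = decodeURIComponent(rest.join("="));
    for (const entry of value.split(",")) {
      const [purpose, flag] = entry.split(":");
      if (purpose in POLICY && (flag === "0" || flag === "1")) {
        prefs[purpose] = flag === "1";
      }
    }
  }
  return prefs;
}

// Build the Set-Cookie value that records a choice. The six-month lifetime,
// Secure and SameSite=Lax are choices for this example, not requirements of the Act.
function serializePreferences(prefs) {
  const entries = Object.keys(prefs)
    .sort()
    .map((p) => `${p}:${prefs[p] ? 1 : 0}`);
  return `${PREF_COOKIE}=${encodeURIComponent(entries.join(","))}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// May a single purpose be exercised, given the stored preferences?
function purposeAllowed(purpose, prefs) {
  const policy = POLICY[purpose];
  if (policy === undefined) return false;          // unknown purpose: refuse
  if (policy === "always") return true;
  if (policy === "opt_in") return prefs[purpose] === true;
  return prefs[purpose] !== false;                 // opt_out: allowed unless refused
}

// A tag is allowed only if every purpose it serves is allowed. The exemption
// covers analytics whose sole purpose is aggregate service statistics, so a
// tag that also feeds advertising is governed by the advertising rule.
function tagAllowed(tag, prefs) {
  return tag.purposes.length > 0 && tag.purposes.every((p) => purposeAllowed(p, prefs));
}

// Names of the tags that may be loaded for this visitor.
function selectTags(tags, prefs) {
  return tags.filter((t) => tagAllowed(t, prefs)).map((t) => t.name);
}

// Constructed tag registry for the demo; the names are invented.
const TAGS = [
  { name: "session", purposes: ["strictly_necessary"] },
  { name: "site-analytics", purposes: ["analytics"] },
  { name: "bot-detection", purposes: ["security"] },
  { name: "analytics-with-ads", purposes: ["analytics", "advertising"] },
  { name: "ad-network", purposes: ["advertising"] },
];

// Demo: a first visit (no preference cookie) and a returning visitor who opted
// out of analytics but accepted advertising (constructed cookie strings).
function demo() {
  const firstVisit = selectTags(TAGS, parsePreferences("sid=abc123"));
  const returning = selectTags(
    TAGS,
    parsePreferences("sid=abc123; privacy_prefs=analytics%3A0%2Cadvertising%3A1"),
  );
  return { firstVisit, returning };
}

console.log(demo());
```

On a first visit, with no preference cookie, the strictly necessary, analytics and security tags load and the two advertising-linked tags do not; a returning visitor who refused analytics but accepted advertising gets the session, bot-detection and ad-network tags only. The "every purpose must be allowed" rule is the part worth keeping whatever storage format you choose: it is what stops a vendor's combined analytics-and-ads script from riding in under the analytics exemption.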

PECR Fines Now Match UK GDPR Levels

Until now, the maximum fine for PECR violations was £500,000. The DUAA changes this significantly. Cookie and e-marketing breaches can now attract fines of up to £17.5 million or 4% of worldwide annual turnover, whichever is higher.

The DUAA also expands who can be held liable. “Instigators” of cookie violations are now directly responsible alongside the service that places or reads the cookie. This pulls more AdTech participants into the ICO’s potential enforcement targets.

What to do: If you’ve been treating PECR compliance as lower priority than UK GDPR, that calculation has changed. The financial risk is now equivalent.

Changes to Data Subject Rights

Subject Access Requests

The DUAA gives organisations more flexibility when handling subject access requests (SARs). Controllers can now seek clarification when a request is broad and they hold large amounts of information about the requester.

When clarification is requested, the clock stops. The one-month response deadline pauses until the requester provides the information needed to fulfil the request.

The ICO published revised SAR guidance in December 2025 to reflect these changes.

What to do: Update your SAR handling procedures to include a clarification step. Train staff on when clarification is appropriate and how to document the clock-stopping period.

Automated Decision-Making

The rules around automated decision-making have been adjusted. Significant automated decisions no longer require explicit consent when special category data (such as health or ethnicity) isn’t involved.

Safeguards remain in place. You must still provide notice of automated decisions, offer a right to contest them, and provide human review on request. The change removes the consent requirement, not the protections.

What to do: Review any automated decision-making processes. If you’ve been relying on explicit consent as your legal basis and don’t process special category data, you may be able to proceed without it – provided your safeguards are robust.

Right to Complain (June 2026)

One change isn’t coming in February. The new right to complain, which allows data subjects to complain directly to controllers, comes into force on 19 June 2026.

When this takes effect, organisations must acknowledge complaints within 30 days and respond fully “as soon as possible.” This formalises what many organisations already do, but creates a specific legal requirement.

What to do: Use the next few months to establish a formal complaints procedure. Document your acknowledgment and response processes. Ensure you can track the 30-day deadline.

ICO’s Enhanced Powers

The ICO gains several new investigation and enforcement tools from 5 February 2026:

  • Document production notices – The ICO can now require specific documents to be provided, not just categories of information
  • Approved person reports – Power to require controllers to appoint an approved person to report on specified topics (such as forensic analysis of a data breach)
  • Personnel interviews – Power to require employees or managers suspected of wrongdoing to attend interviews (with protection against self-incrimination)

The investigative powers can be used to examine conduct that occurred before the commencement date. However, the new enforcement powers generally only apply to conduct after 5 February 2026.

What to do: Brief your DPO and privacy team on the ICO’s expanded toolkit. This changes the dynamic of any regulatory engagement.

Your Preparation Checklist

For 5 February 2026:

  • Audit privacy notices against new recognised legitimate interests in Annex 1
  • Review cookie consent mechanisms and assess whether analytics exemption applies
  • Update SAR handling procedures to include clarification process
  • Review data transfer documentation (terminology has changed to “data protection test”)
  • Ensure DPO and privacy team understand ICO’s new powers

For 19 June 2026:

  • Establish formal complaints handling procedure
  • Set up 30-day acknowledgment tracking
  • Document response processes and escalation paths

The DUAA represents the UK’s first significant departure from EU GDPR since Brexit. Most changes aim to reduce administrative burden while maintaining fundamental protections.

Author

Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
