Key changes under the Data (Use and Access) Act

06.05.26

The Data (Use and Access) Act 2025 introduces a series of important reforms to the UK’s data protection framework, building on the existing UK GDPR and PECR regimes. These changes are designed to support innovation and practical data use, while strengthening protections for individuals and clarifying organisations’ responsibilities.

While some of the changes provide greater flexibility, others introduce new statutory obligations and expectations. Organisations should take the time to understand how these reforms apply to their activities and begin preparing for compliance ahead of implementation dates. We have prepared bitesize updates on some of the key changes below.

From 19 June 2026, organisations processing personal data must comply with a new statutory regime for data protection complaints, introduced under the Data (Use and Access) Act 2025. 

This is arguably the most significant new obligation introduced by the act.

If your organisation processes personal data you must:

  • Provide a clear route to complain: This could be via an online complaints form, online portal or live chat function. Alternatively, you could provide designated contact details for data protection complaints. 
  • Acknowledge complaints within 30 days: Receipt of a data protection complaint must be formally acknowledged within 30 days of receiving it. If you receive the complaint via electronic means, you could consider setting up automated acknowledgements to let the individual know that you are looking into their complaint.
  • Investigate and respond without undue delay: This involves making necessary enquiries as soon as possible, and keeping the complainant informed of progress. 
  • Communicate the outcome without undue delay: Without undue delay means as soon as possible. Make sure you clearly explain what steps you have taken to resolve the complaint.

The Data (Use and Access) Act 2025 has introduced a number of clarifications and practical changes to the rules that apply when responding to a subject access request (SAR).

The key statutory updates are:

  • The right to ‘stop the clock’: It is now confirmed within statute that organisations may pause the response deadline if clarification is reasonably required in order to respond to a SAR. The clock remains paused until the clarification is received. Be ready to justify why the clarification was necessary. 
  • ‘Reasonable and proportionate’ searches: When responding to a SAR, organisations are only required to carry out reasonable and proportionate searches for personal data, rather than exhaustive searches. This was already confirmed within case law and guidance, but the act now gives this position a statutory footing. What is reasonable and proportionate will depend on factors such as the scale of the request, any challenges in identifying the requested information and also available resources.

The Data (Use and Access) Act 2025 has updated UK rules on cookies and similar tracking technologies. 

There is still a general prohibition on storing or accessing information on a user’s device unless they have provided consent; however, there are now a greater number of exceptions to the prohibition.

The new exceptions are:

  • Cookies used solely for statistical purposes to understand how an online service is used.
  • Cookies used solely to adapt the appearance or functionality of a service to user preferences.
  • Cookies used solely to determine a user’s geographical location for emergency assistance.

The Data (Use and Access) Act 2025 seeks to strengthen protection for children online by creating new rules for online services which are likely to be accessed by children.

The new rules bolster existing data protection by design obligations under the UK GDPR. The existing obligations require controllers to consider privacy implications and implement appropriate measures to protect personal data both when determining a new processing activity, and when carrying out the processing.

Under the new rules, providers of online services which are likely to be accessed by children need to take into account ‘children’s higher protection matters’ when assessing what are appropriate measures to protect children’s personal data.

These ‘children’s higher protection matters’ are:

  1. Considering how children can best be protected and supported when using the services.
  2. Recognising that children require specific protection as they may be less aware of associated risks and consequences or their data subject rights.
  3. Recognising that children have different needs at different ages and at different stages of development.

The Data (Use and Access) Act 2025 has amended the Privacy and Electronic Communications Regulations 2003 (PECR), to introduce new ‘soft opt-in’ rules available only to charities.

The new ‘soft opt-in’ rules allow charities to send electronic mail marketing (emails or texts) to individuals without their prior consent, provided all of the following requirements are met:

  1. The charity has obtained the contact details directly from the individual, not a third party.
  2. The charity has obtained the individual’s contact details in the course of the individual expressing an interest in, or offering support to, the charity’s purposes, for example if the individual makes a donation or signs up to volunteer.
  3. The sole purpose of the marketing is to further the charity’s charitable purposes, not unrelated or commercial activities.
  4. The charity provided an opportunity for the individual to opt-out when it first collected their contact details.
  5. The charity provides an opportunity for individuals to opt-out in every subsequent communication, for example by including an unsubscribe link.

The new rules make it easier for charities to contact individuals who have previously supported or expressed an interest in the work of the charity. 

The Data (Use and Access) Act 2025 increases the circumstances where organisations can make decisions that have legal or similarly significant effects on individuals based solely on automated processing (automated decision-making).

This change reflects the uptake in AI-driven decision making in recent years and is intended to promote innovation whilst preserving protection for individuals.

Previously, all automated decision-making was restricted unless it was necessary for the purposes of a contract with the individual, permitted by UK law or the individual had provided their consent. However, these restrictions have been removed for any automated decision-making which is not based on special category data.

This allows organisations to use automated decision-making, provided that they have a lawful basis for the processing and implement the following mandatory safeguards:

  • Inform impacted individuals about the automated decision
  • Provide individuals with the opportunity to make representations about or challenge the automated decision
  • Offer meaningful human intervention in relation to the automated decision

Additional restrictions remain if the automated decision-making is based on more sensitive, special category data. This is only permitted if:

  1. The individual has provided explicit consent.
  2. The decision is necessary for the purposes of a contract with the individual or permitted by law, and the processing is necessary for reasons of substantial public interest on the basis of relevant law that includes suitable safeguards.
