The United Kingdom’s Data Use and Access Act (DUAA) received Royal Assent in late 2025 and its first substantive provisions came into force in February 2026. This legislation represents the UK’s most significant departure from the EU GDPR framework since Brexit, reshaping lawful basis rules, cookie consent requirements, complaint handling obligations, and enforcement penalties. For any website that serves UK users or processes the personal data of individuals in the United Kingdom, the DUAA introduces changes that cannot be ignored. This guide breaks down the key provisions and their practical implications for website operators.
Background: Why the UK Diverged From EU GDPR
When the UK left the European Union, it retained the EU GDPR almost verbatim through the UK GDPR, incorporated into domestic law by the Data Protection Act 2018. For several years, the two frameworks remained functionally identical. But the UK government made clear its intention to create a distinct data protection regime that it described as more innovation-friendly, less bureaucratic, and better suited to the UK’s post-Brexit economic ambitions.
The DUAA is the result of that effort. It amends the UK GDPR and the Privacy and Electronic Communications Regulations (PECR) across multiple dimensions. Some changes reduce compliance burdens for businesses. Others introduce entirely new obligations. The net effect is that websites operating in both the UK and the EU can no longer assume that a single compliance strategy covers both jurisdictions.
This divergence matters for practical reasons. If your website serves both UK and EU users, you may now need to implement jurisdiction-specific logic in your consent mechanisms, privacy policies, and complaint handling workflows. A one-size-fits-all approach that worked when the UK GDPR mirrored the EU GDPR may no longer be sufficient.
Recognized Legitimate Interests: A New Lawful Basis
One of the most impactful changes in the DUAA is the introduction of “recognized legitimate interests” as a distinct lawful basis for processing personal data. Under the EU GDPR, relying on legitimate interests (Article 6(1)(f)) requires a three-part balancing test: identifying the legitimate interest, demonstrating that the processing is necessary for that interest, and weighing it against the rights and freedoms of the data subject. This balancing test, formally a Legitimate Interest Assessment (LIA), is often complex and its outcomes are uncertain.
The DUAA creates a shortcut. It establishes a statutory list of processing activities that are deemed to constitute recognized legitimate interests. For these activities, businesses do not need to conduct a full LIA. The recognized list includes processing necessary for national security, public security, and defense; processing necessary to prevent or detect crime; processing for safeguarding vulnerable individuals; and processing necessary for certain types of direct marketing to existing customers (the so-called “soft opt-in”).
For website owners, the most practically relevant recognized legitimate interest is the direct marketing provision. Under the EU GDPR, email marketing to existing customers based on legitimate interests requires a documented LIA. Under the DUAA, if the marketing is directed at existing customers who were given an opportunity to opt out at the point of collection and in every subsequent message, the processing is automatically lawful without a separate balancing test.
However, this simplification applies only to UK data subjects. If your email marketing list includes both UK and EU recipients, you must still conduct an LIA (or obtain consent) for the EU portion. The recognized legitimate interests framework does not exempt businesses from transparency requirements either. You must still inform data subjects about the processing in your privacy policy, even if no LIA is required.
Cookie Consent Changes Under PECR Amendments
The DUAA amends the Privacy and Electronic Communications Regulations (PECR) in ways that may significantly reduce the scope of cookie consent requirements for UK-facing websites.
Under the current EU ePrivacy Directive and existing PECR rules, storing or accessing information on a user’s device (primarily through cookies) requires informed consent unless the cookie is strictly necessary for providing a service explicitly requested by the user. This means analytics cookies, performance cookies, and most advertising cookies require prior opt-in consent.
The DUAA introduces an expanded list of cookie purposes that do not require consent. In addition to the existing “strictly necessary” exemption, cookies set for the following purposes may now be deployed without obtaining prior consent from UK users:
Website analytics and performance measurement. First-party analytics cookies used to measure how visitors interact with a website, count unique visitors, and assess the performance of website features may be set without consent, provided the data is not used for profiling or shared with third parties for their own purposes. This is a significant change for website operators who currently display cookie consent banners primarily because of analytics tools.
Security and fraud prevention. Cookies used to detect malicious traffic, prevent fraud, or ensure the security of online transactions are explicitly exempted from consent requirements.
Software updates. Cookies or similar technologies used to facilitate software updates or check for version compatibility do not require consent.
The practical effect is that many UK-facing websites will be able to significantly simplify their cookie banners or, in some cases, remove them entirely for UK visitors if the only non-essential cookies they deploy fall within the new exempted categories. However, advertising cookies, cross-site tracking cookies, and third-party analytics that involve data sharing remain subject to the consent requirement.
For websites that serve both UK and EU audiences, this creates a divergence problem. A website that removes its cookie banner for UK users based on the DUAA exemptions must still present a fully compliant cookie consent mechanism to EU users under the ePrivacy Directive. Geo-based consent logic, where the cookie banner behavior adapts based on the visitor’s location, becomes a practical necessity rather than a nice-to-have.
June 2026 Deadline: Internal Complaints Procedures
One of the most overlooked provisions in the DUAA is the requirement for organizations to establish internal complaints handling procedures. This obligation takes effect in June 2026 and applies to all data controllers that process the personal data of UK individuals.
Under the current framework, individuals who believe their data rights have been violated can complain directly to the Information Commissioner’s Office (ICO). In practice, this has led to the ICO receiving a very high volume of complaints, many of which could have been resolved between the individual and the organization directly. The DUAA addresses this by requiring organizations to implement an accessible, transparent complaints procedure that data subjects must use before escalating to the ICO.
The specific requirements for the complaints procedure include:
Accessibility. The procedure must be easy to find. For websites, this means a clearly labeled complaints section within the privacy policy or a dedicated complaints page accessible from the footer or data protection contact section.
Acknowledgment timeline. Organizations must acknowledge receipt of a complaint within a reasonable period. While the DUAA does not specify an exact number of days, the ICO’s guidance suggests acknowledgment within five working days.
Response timeline. The organization must investigate and respond to the complaint substantively. The DUAA establishes a maximum response period of 45 days, with the possibility of a 45-day extension for complex complaints, provided the complainant is notified of the extension and the reasons for it.
Escalation information. The response must inform the complainant of their right to escalate the matter to the ICO if they are not satisfied with the outcome. The response must include the ICO’s contact details and a reference number for the complaint.
For website owners, the June 2026 deadline means that privacy policies must be updated to include information about the internal complaints procedure. The procedure itself must be operational, meaning someone within the organization must be designated to receive, investigate, and respond to data protection complaints within the statutory timelines.
Automated Decision-Making: A Narrower Approach Than the EU
The EU GDPR’s Article 22 provides a broad right for data subjects not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The DUAA takes a different approach.
Under the DUAA, the restrictions on automated decision-making apply only to decisions that are made without any meaningful human involvement and that produce significant adverse effects on the individual. The emphasis on “adverse effects” narrows the scope considerably. An automated decision that benefits the individual or has a neutral impact does not trigger the same restrictions, even if it was made without human involvement.
Additionally, the DUAA removes the requirement for explicit consent as a condition for lawful automated decision-making. Instead, businesses may rely on any lawful basis for the underlying processing, provided they implement appropriate safeguards. These safeguards must include the right for the individual to obtain meaningful information about the decision logic, the right to request human review of an automated decision, and the right to contest the decision.
For website owners, this means that algorithmic recommendations, automated eligibility checks, and AI-driven content personalization face lighter regulation in the UK than in the EU. However, the obligation to provide information about automated decisions in the privacy policy remains, and any automated decision that produces a significant adverse effect on a UK individual triggers the full set of safeguards.
The divergence between the UK and EU approaches to automated decision-making is particularly relevant for businesses that use the same AI systems across both markets. You may need to implement different consent or safeguard mechanisms depending on the user’s jurisdiction.
PECR Penalties Aligned With UK GDPR Levels
Before the DUAA, enforcement of PECR (which governs cookies, electronic marketing, and communications data) was subject to a separate and lower penalty regime than the UK GDPR. The maximum fine for a PECR violation was capped at £500,000, a figure that had not been updated since 2003 and that bore little relation to the economic reality of large-scale privacy violations.
The DUAA aligns PECR penalties with the UK GDPR enforcement framework. The ICO can now impose fines of up to £17.5 million or 4% of global annual turnover, whichever is greater, for PECR violations. This applies to all PECR infringements, including:
- Setting non-exempt cookies without valid consent
- Sending unsolicited direct marketing communications
- Failing to honor opt-out requests for electronic marketing
- Deploying tracking technologies without proper disclosure
The practical significance of this change cannot be overstated. Previously, the relatively low PECR penalty cap meant that large businesses could treat cookie consent violations as a manageable cost of doing business. With penalties now matching UK GDPR levels, the financial risk of non-compliant cookie practices, spam marketing, or tracking without consent has increased by orders of magnitude.
For website owners, this alignment reinforces the importance of getting cookie consent right for UK visitors, even as the DUAA relaxes the scope of cookies that require consent. The cookies that still require consent, primarily advertising and third-party tracking cookies, now carry enforcement penalties that can be genuinely painful.
Implications for Websites Serving UK Users
The cumulative effect of the DUAA’s changes creates a new compliance landscape for websites serving UK users. Here are the key actions website operators should take:
Review your lawful basis for processing. If you currently rely on legitimate interests for direct marketing to existing UK customers, you may be able to simplify your compliance by relying on recognized legitimate interests instead. Document this change in your records of processing activities.
Reassess your cookie strategy. Audit every cookie your website sets and determine which ones fall within the new PECR exemptions for UK users. If your only non-essential cookies are first-party analytics and security cookies, you may be able to simplify or remove your cookie banner for UK visitors. But ensure your consent mechanism remains fully compliant for EU visitors.
Build your complaints procedure. The June 2026 deadline is approaching. Design and implement an internal complaints procedure, assign responsibility, and update your privacy policy to describe the procedure and provide contact details.
Update your privacy policy. The DUAA changes affect multiple sections of a standard privacy policy: lawful basis descriptions, cookie disclosures, automated decision-making explanations, and complaints procedures. A privacy policy drafted under the pre-DUAA UK GDPR framework is now incomplete.
Implement jurisdiction detection. If your website serves both UK and EU users, consider implementing geo-based logic to apply the appropriate consent and disclosure requirements based on the visitor’s location. This is not strictly required by law, but it avoids the problem of either over-consenting UK users or under-consenting EU users.
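The geo-based consent logic described under the PECR amendments above and the cookie audit in the "Reassess your cookie strategy" step can be combined into one decision routine. The following is an added JavaScript example written for this guide; it is not code from the original article or from WebLegal. The purpose categories encode the article's description of the exemptions (strictly necessary everywhere; first-party analytics, security and software-update cookies for UK visitors only, with first-party analytics losing its exemption when data is profiled or shared with third parties). The country-to-regime mapping, the cookie manifest, its field names and all function names are assumptions made for the illustration, and a real deployment would feed `countryCode` from its own geolocation source.

```javascript
// Added example (not from the article): a jurisdiction-aware consent gate that
// decides, per cookie, whether prior consent is needed before it may be set.
// Category names, the country-to-regime mapping, the sample manifest and the
// helper names are assumptions made for this illustration.

// Purposes that may be deployed without prior consent under each regime, as the
// article describes them. Anything not listed here needs opt-in consent.
const EXEMPT_PURPOSES = {
  UK: new Set(["strictly-necessary", "first-party-analytics", "security", "software-update"]),
  EU: new Set(["strictly-necessary"]),
};

// ISO 3166-1 alpha-2 codes of the EU member states plus the three EEA EFTA
// states (assumed here to be the territory where the ePrivacy rules apply).
const EEA_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT",
  "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO",
]);

// Map a visitor's country code to a consent regime. Anything that is neither
// GB nor EEA is returned as "OTHER" and treated as EU below, so that a failed
// or missing geolocation lookup never results in under-consenting a visitor.
function resolveRegime(countryCode) {
  const cc = (countryCode || "").toUpperCase();
  if (cc === "GB") return "UK";
  if (EEA_COUNTRIES.has(cc)) return "EU";
  return "OTHER";
}

// A first-party analytics cookie keeps its UK exemption only while the data is
// neither used for profiling nor shared with third parties for their own
// purposes; otherwise it is reclassified as third-party analytics.
function effectivePurpose(cookie) {
  if (cookie.purpose === "first-party-analytics" && (cookie.thirdPartySharing || cookie.profiling)) {
    return "third-party-analytics";
  }
  return cookie.purpose;
}

function requiresConsent(cookie, regime) {
  const exempt = EXEMPT_PURPOSES[regime] ?? EXEMPT_PURPOSES.EU; // strictest default
  return !exempt.has(effectivePurpose(cookie));
}

// Decide which cookies may be set now, which must wait for consent, and whether
// a banner is needed at all for this visitor. `grantedPurposes` holds the
// purposes the visitor has already opted in to (empty on a first visit).
function evaluateManifest(manifest, countryCode, grantedPurposes = new Set()) {
  const regime = resolveRegime(countryCode);
  const allowed = [];
  const blocked = [];
  for (const cookie of manifest) {
    if (!requiresConsent(cookie, regime) || grantedPurposes.has(effectivePurpose(cookie))) {
      allowed.push(cookie.name);
    } else {
      blocked.push(cookie.name);
    }
  }
  // The banner can be dropped only if nothing in the manifest needs consent here.
  const bannerRequired = manifest.some((c) => requiresConsent(c, regime));
  return { regime, bannerRequired, allowed, blocked };
}

// Constructed sample manifest; the cookie names are invented for this example.
const SAMPLE_MANIFEST = [
  { name: "sid", purpose: "strictly-necessary", thirdPartySharing: false, profiling: false },
  { name: "fp_stats", purpose: "first-party-analytics", thirdPartySharing: false, profiling: false },
  { name: "fraud_tok", purpose: "security", thirdPartySharing: false, profiling: false },
  { name: "vendor_stats", purpose: "first-party-analytics", thirdPartySharing: true, profiling: false },
  { name: "ad_profile", purpose: "advertising", thirdPartySharing: true, profiling: true },
];

// Stand-alone demo: the same manifest evaluated for a UK, an EU and an unknown visitor.
for (const cc of ["GB", "DE", "US"]) {
  console.log(JSON.stringify(evaluateManifest(SAMPLE_MANIFEST, cc)));
}
```

Two design points carry the compliance risk. First, the manifest is the single place where each cookie's purpose and data-sharing status is recorded, so the audit the article calls for becomes a review of that file rather than of scattered script tags. Second, the fallback for unrecognized or missing country codes is the stricter EU behaviour: geolocation lookups fail or return stale data, and a failure should cost an unnecessary banner, not an unconsented advertising cookie.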
Conclusion
The Data Use and Access Act marks the United Kingdom’s deliberate departure from the EU data protection framework. For website owners, the changes are a mix of simplifications (recognized legitimate interests, analytics cookie exemptions) and new obligations (complaints procedures, aligned PECR penalties). The net effect is that UK data protection compliance is no longer a subset of EU GDPR compliance. It is a distinct regime that requires its own analysis, its own privacy policy provisions, and potentially its own technical implementation for consent and data handling.
If your website serves UK users and your privacy policy has not been updated since the DUAA took effect, you are operating with an incomplete legal framework. WebLegal generates privacy policies and cookie policies starting from 14,90 € that account for jurisdiction-specific requirements, including the DUAA’s new provisions. The process takes under 10 minutes and ensures your legal documents reflect the current regulatory landscape, not last year’s.