How to Comply With The UK’s Data (Use and Access) Act 2025


What is the DUAA?

The Data (Use and Access) Act 2025 (DUAA) is the UK’s newest data protection law. It doesn’t replace the UK GDPR, Data Protection Act 2018, or PECR (Privacy and Electronic Communications Regulations). Instead, it adds new rules that reshape how organisations handle personal data.

For online businesses, such as e-commerce, SaaS, and financial platforms, the Act affects everyday practices around cookies, tracking, analytics, subject access requests, and complaints. It introduces both opportunities (e.g., relaxed rules for low-risk analytics) and challenges (e.g., higher fines, stricter complaints processes), but Reflectiz’s discovery, logging, and reporting capabilities will make it easier to stay on top of these new obligations.

Does my organisation need to comply?

Yes. If you serve UK users and process their data, DUAA applies, regardless of what country your business is based in.

Why now?

The Act came into force in June 2025, with some provisions in effect straight away and others being phased in through June 2026, so it’s time to look at what’s changed, what’s changing, and how to respond.

The UK’s Information Commissioner’s Office (ICO) is the data regulator, and it will soon be known as the Information Commission. It has put out draft guidance on the Act for consultation. Organisations have until October 2025 to respond and help shape the final version of the guidance.

Penalties for Non-Compliance

Fines for breaches of PECR (e.g., unlawful cookies/marketing) are now aligned with UK GDPR, so that could mean £17.5 million or 4% of annual global turnover, whichever is higher. For an overseas e-commerce platform, that could mean penalties in the tens of millions, so let’s look at how to comply!

What Has Changed and What Do I Need to Do?

Cookie and Tracking Consent

The DUAA introduces a more nuanced approach to managing user consent:

  • Low-risk technologies (analytics for service improvement, security, functionality like remembering language settings) may not require opt-in consent once the new provisions are fully commenced.
  • Advertising, profiling, fingerprinting, cross-site tracking, and marketing pixels still require opt-in consent.
  • In all cases, businesses must provide clear information and an easy, free opt-out mechanism.

What to do:

  • Run a cookie/technology audit of your website.
  • Update banners so Accept/Reject choices are equally prominent (this is ICO best practice).
  • Ensure no non-essential cookies fire before consent is received.
  • Maintain a clear cookie policy and keep an audit trail of consents.
  • Verify that vendors don’t deploy non-compliant trackers on your behalf.

The Reflectiz Privacy Dashboard can help you here: it automatically discovers and categorises all cookies, pixels, and storage mechanisms (including piggybacked scripts), logs their activity, offers geo/purpose controls (block or allow per purpose for UK visitors), keeps timestamped consent logs as evidence of each visitor’s consent state, and produces audit reports.

Tracking Pixels and Third Parties

The Act applies to all technologies that store or access information on a user’s device. That includes cookies, pixels, browser fingerprinting, and local storage.

What to do:

  • Categorise each tracker by purpose.
  • Update your consent mechanism. Only rely on the DUAA exemptions for low-risk technologies; get explicit consent for ads/profiling.
  • Manage your vendors. Require assurances from ad-tech partners and technically block third-party scripts from firing without consent.

Reflectiz continuously scans for third-party and piggybacked scripts, helping you stop non-compliant trackers before they can land you in hot water.
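The consent gating described in the two “What to do” lists above (no non-essential cookies before consent, third-party scripts technically blocked until consent, a timestamped consent trail), as an added example that is not Reflectiz’s or the ICO’s code. The tracker registry, purposes, and hostnames are constructed; `lowRiskExempt` is an assumed switch for the page’s “once the new provisions are fully commenced” opt-out model and defaults to the conservative opt-in setting.

```javascript
// Consent-gated tracker loader with an append-only, timestamped consent log.
// Added example, not Reflectiz code. Registry below is constructed sample data.
const TRACKERS = [
  { id: 'session-cookie', purpose: 'necessary', src: null },
  { id: 'lang-pref', purpose: 'functional', src: null },
  { id: 'site-analytics', purpose: 'analytics', src: 'https://analytics.example/a.js' },
  { id: 'ad-pixel', purpose: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Low-risk purposes the page says may move to an opt-out model once the DUAA
// provisions commence; every other non-essential purpose stays opt-in.
const LOW_RISK_PURPOSES = new Set(['functional', 'analytics']);

// Returns the trackers permitted to run. `consent` is the visitor's latest
// recorded choices ({purpose: true|false}) or null when nothing is recorded.
// `lowRiskExempt` (assumed flag) defaults to false: opt-in for everything.
function allowedTrackers(consent, { lowRiskExempt = false, trackers = TRACKERS } = {}) {
  return trackers.filter((t) => {
    if (t.purpose === 'necessary') return true;
    const choice = consent ? consent[t.purpose] : undefined;
    if (lowRiskExempt && LOW_RISK_PURPOSES.has(t.purpose)) {
      return choice !== false; // opt-out model: runs unless the visitor rejected it
    }
    return choice === true; // opt-in model: runs only after an explicit accept
  });
}

// Each log entry keeps the choices plus an ISO timestamp, giving the audit
// trail of what the visitor agreed to and when (never overwritten in place).
function recordConsent(log, choices, now = new Date()) {
  log.push({ ts: now.toISOString(), choices: { ...choices } });
  return log;
}

function currentConsent(log) {
  return log.length ? log[log.length - 1].choices : null;
}

// Injects only the permitted external scripts. Outside a browser (no DOM) it
// just returns the URLs that would have been loaded, which is what tests check.
function loadPermitted(consent, opts) {
  const srcs = allowedTrackers(consent, opts).filter((t) => t.src).map((t) => t.src);
  if (typeof document !== 'undefined') {
    for (const src of srcs) {
      const s = document.createElement('script');
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return srcs;
}
```

The same `allowedTrackers` decision can be reused server-side to decide which tags to render at all, which is a stronger guarantee than hiding tags client-side after they have already been emitted.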

Subject Access Requests (SARs)

UK citizens can ask you for details about what data you’ve been collecting on them. DUAA clarifies how to handle SARs from UK citizens:

  • The searches must be reasonable and proportionate, not exhaustive, so you don’t have to look for everything and in fine detail.
  • You have a one-month deadline to respond.
  • You can pause a request (“stop the clock”) if, for instance, you need more information to verify the identity of the person making it or to clarify the scope, but you must tell them why you’re doing so. This means you aren’t forced to rush a request if it’s unclear.

What to do:

  • Update SAR policies to reflect the proportionate search standard.
  • Document decisions on scope.
  • Train staff to use the new pause mechanism appropriately.

Reflectiz helps by mapping web-layer data and providing fast exports for SAR responses.

Complaints

For the first time, individuals must complain to the organisation first before going to the regulator, so you need to be ready to deal with direct complaints from UK citizens about handling their data.

What to do:

  • Create a formal complaints process, with a dedicated email or electronic form.
  • Acknowledge complaints within 30 days and respond “without undue delay.”
  • Keep records of how complaints are handled.

Reflectiz’s Privacy Dashboard provides audit-ready logs showing how consent and data practices were managed, which will support your efforts to resolve complaints from UK citizens.

Automated Decision-Making (ADM)

DUAA makes changes to ADM rules (recognising legitimate public interest ADMs in some contexts) but requires safeguards where automated decisions have significant effects. If you use automated scoring, fraud detection or blocking, or automatic content moderation, review the DUAA’s ADM provisions and include human oversight and appeals as needed.

What to do:

  • Audit any ADM systems affecting UK users.
  • Implement review/appeal processes and document safeguards.

Reflectiz helps by detecting the presence of third-party scoring/fraud/vendor tools on the site and verifying their firing conditions and triggers.

Recognised Legitimate Interests (RLI)

DUAA adds a new lawful basis for collecting certain information about people without having to justify it. This is called Recognised Legitimate Interest. It only applies to pre-approved public interest purposes (e.g., crime prevention, safeguarding, emergencies). Most commercial uses, like analytics or marketing, must still rely on consent or standard legitimate interest under UK GDPR, but we’re mentioning it here for the sake of completeness.

International Data Transfers

The DUAA clarifies and modernises some international transfer rules to provide more flexibility, but you still need to ensure appropriate safeguards for transfers of personal data (SCCs/IDTA/adequacy).

What to do:

  • Re-check your transfer mechanisms for UK customer data (e.g., analytics hosted in the US).
  • Consider geo-blocking trackers that export UK user data until safeguards are verified.

Direct Marketing, Research, and Broad Consent

DUAA clarifies rules for scientific research and, in defined circumstances, permits broad consent. It also confirms continued reliance on legitimate interest for certain direct marketing uses (subject to PECR), and the Act extends certain soft-opt-in provisions for charities.

What to do:

  • If you frame product analytics as research, document the legal basis carefully and consult guidance.
  • For direct marketing, keep PECR obligations top of mind; marketing still has strict consent and opt-out requirements.

Reflectiz can help by mapping analytic event categories to research vs marketing use, so you can document the legal basis and boundary of each activity.

Conclusion

The DUAA introduces material changes for online businesses, from relaxed consent rules for some analytics, to new complaint handling, SAR clarifications, and higher fines.

With fines now aligned with GDPR levels, having continuous monitoring and audit trails is essential. Reflectiz is your ideal compliance engine that helps you:

  • Discover and categorise all trackers and cookies.
  • Block or log third-party technologies until valid consent is given.
  • Maintain audit-ready records for SARs, complaints, and regulator inquiries.
  • Stay aligned with evolving ICO guidance.

The Privacy Dashboard already supports compliance with GDPR and PECR, and now it’s the ideal tool to help you meet DUAA requirements too. Register here today.
