The Data (Use and Access) Act 2025 (DUAA) makes a number of changes to the law, including: clarifying how personal information can be used for research; lifting restrictions on some automated decision making; setting out how to use some cookies without consent; allowing charities to send people electronic mail marketing without consent in certain circumstances; requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests.

The Act provides the Information Commissioner’s Office (ICO) with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or four per cent of global turnover under PECR. 

John Edwards, Information Commissioner, said: “The Data (Use and Access) Act 2025 gives organisations using personal information new and better opportunities to innovate and grow in the UK, and further enhances our ability to balance innovation and economic growth with strong protections for people’s rights.

“We’ve published a catalogue of resources to help explain what this new legislation means for businesses. Over the coming months we will launch new guidance, open consultations, and provide practical tools to help embed the Act’s principles into everyday operations. Our goal is to ensure that data can be used confidently and responsibly to deliver better services, drive economic growth, and uphold public trust.”