Well, shock horror, the UK has changed its mind again - this time with data laws. Say hello to the Data (Use and Access) Act 2025 (“DUAA”). This is the government’s latest attempt to modernise how data is regulated.
It doesn’t rip out the old regime entirely (it doesn't replace GDPR for example), but skews the balance a bit more towards flexibility, innovation and greater risk if compliance doesn’t keep up.
So what's actually changed?
1. Charities may be able to breathe easier
Under DUAA, processing for a “recognised legitimate interest” becomes easier. Organisations (other than public authorities acting in that capacity) relying on one of these listed interests no longer need to carry out the usual legitimate interests balancing test for those specific use cases.
That gives charities, nonprofits and others more breathing room, and DUAA also extends PECR’s “soft opt-in” for email marketing to charities, so they can contact existing supporters without fresh consent. Having watched many of our third sector clients lose most of their historic marketing data for GDPR purposes, I’m pleased to know they can continue to spread their good word, but it doesn’t mean all data processing becomes a “free for all.” Necessity, transparency and safeguards still matter, of course.
2. Cookie banners might chill out
Yes, I’m bored of them too. The banners that pop up on every site like an overzealous nightclub bouncer? “Do you accept cookies? Are you SURE? How about these ones? Click here. And here. And here. Where are you going?”
DUAA also tweaks PECR, the rules for cookies and electronic marketing. Some low-risk uses, such as analytics, may become simpler to deploy without a consent pop-up, but intrusive tracking still faces constraints (as it should!). Expect easier-to-understand opt-out messages and clearer choices, but a continuing obligation to keep users informed.
3. Inbox Overload? Maybe.
With more lawful room for data use (especially under “recognised legitimate interests”), marketing may become more assertive. But it’s not guaranteed. The new framework still gives people the right to opt out of direct marketing and still requires data to be handled securely, so whether your inbox gets flooded depends on how hard organisations push the boundaries.
Let’s hope “We thought you ‘might’ buy…” doesn’t become the norm for legitimate interest.
4. The “public safety” loophole
One of my favourite authors is George Orwell; 1984 is a personal favourite. This one scares me.
DUAA carves out more space for processing in the public interest: the recognised legitimate interests listed in the Act include things like public security, preventing and detecting crime, and safeguarding vulnerable people. Because those interests are set out explicitly in the legislation, they remove some of the burden of the balancing test. The power is broader than before, but it is luckily not without legal constraint: the processing must still be necessary for the listed purpose, and the other data protection principles still apply.
5. Tell me what you know about me
DUAA reshapes subject access too. Organisations need only carry out a “reasonable and proportionate” search for a person’s data, and in complex cases they can extend the response window. Much better than the overbearing and rigid rules from before.
When one of the (now broader) set of exemptions applies (legal professional privilege, for example), controllers must state which exemption they are relying on and tell the data subject that they can complain to the ICO.
Is it progress?
Honestly? Yes, but with a side of caution. I always thought the old rules went a little too far anyway and made understanding how your data is being used too confusing for most.
Whilst a user’s basic data rights and regulatory oversight remain, the DUAA gives controllers more discretion, which means the real effect depends heavily on how the ICO and the courts handle the first wave of complaints.
As always though, the devil is in the (increasingly flexible) details.