Data (Use and Access) Act 2025: What It Changes for UK Websites
Steven | TrustYourWebsite · 8 May 2026 · Last updated: May 2026
The Data (Use and Access) Act 2025 (DUAA) is the most significant reform to UK data protection law since the UK GDPR took effect in 2021. It received Royal Assent on 19 June 2025 after a lengthy parliamentary passage, having started life as the Data Protection and Digital Information (DPDI) Bill in the previous Parliament.
For most small and medium-sized businesses operating websites, DUAA's day-to-day impact is more limited than headlines suggested. The UK GDPR and DPA 2018 remain the governing framework. But several DUAA provisions are directly relevant to website operators, particularly on legitimate interests, cookie notices, and international data transfers.
To check your current compliance position under UK GDPR as amended by DUAA, run a free scan at /uk/en/scan.
Background: from DPDI Bill to DUAA
The DPDI Bill was first introduced in March 2023 and fell when the 2024 general election was called. A revised version was reintroduced by the new government in October 2024 and passed as DUAA in June 2025. The final Act is narrower in some respects than the original DPDI Bill — several provisions that would have created greater divergence from EU GDPR were removed or softened during passage, partly to preserve the UK's EU adequacy decision.
Understanding this legislative history matters for businesses that may have read commentary on the DPDI Bill: not everything proposed in 2023 made it into the final Act.
Key changes for website operators
Recognised legitimate interests
DUAA 2025 introduces the concept of "recognised legitimate interests" — a list of specific purposes where the controller can rely on legitimate interests under UK GDPR Article 6(1)(f) without conducting a full legitimate interests assessment (LIA). The initial list covers purposes such as safeguarding, national security, crime prevention, and certain research activities.
For most commercial website operators, this provision has limited direct application, because the recognised legitimate interests cover largely public-interest and safety purposes rather than commercial processing. The existing LIA requirement continues to apply to marketing, analytics, and most commercial uses of personal data. See legitimate interests for UK marketing for a full explanation of the balancing test.
Reforms to international data transfers
DUAA replaces the existing adequacy and transfer mechanism framework in the DPA 2018 with a reformed "data bridges" system. The Secretary of State can now designate countries or international organisations as providing an "appropriate level of protection" by means of secondary legislation rather than the full adequacy process.
Existing adequacy decisions and SCCs continue to apply during a transition period. For businesses using standard contractual clauses (SCCs) or the UK's own International Data Transfer Agreement (IDTA) with processors in non-adequate countries, no immediate action is required. The practical effect of DUAA's transfer reforms is felt primarily by larger organisations with complex cross-border transfer arrangements.
Renamed ICO and new accountability framework
DUAA renames the Information Commissioner's Office to the "Information Commission" and introduces a new statutory principal objective: to promote a climate of confidence that enables the free flow of personal data. This represents a shift in emphasis from pure enforcement to enabling economic use of data, though the ICO's enforcement powers remain and have in some respects been clarified.
The Act also introduces a formal appeals framework: ICO enforcement decisions can now be appealed to the First-tier Tribunal on points of fact, not just law. This is a meaningful procedural change that may affect how businesses respond to ICO reprimands and enforcement notices.
Cookie reforms: the "consent or pay" question
The DPDI Bill contained proposals to reform PECR to allow persistent cookie consent records and to reduce the frequency of consent prompts. These provisions were largely removed from DUAA during passage, following concerns from the ICO and privacy groups about their compatibility with UK adequacy.
The practical result is that the existing PECR Regulation 6 cookie consent rules remain unchanged. Consent for non-essential cookies must still be freely given, specific, informed, and unambiguous. Fresh consent is required when the purposes change materially. See cookie consent rules under PECR for the current requirements.
Smart data schemes
Part 1 of DUAA creates a general framework for smart data schemes. These enable customers to require data holders to share their data (transaction records, usage history, tariff information) with authorised third parties. Open Banking, which predates DUAA, operates on the same principle.
For website operators, smart data schemes are most relevant if you operate in a regulated sector such as financial services, energy, or telecoms where a scheme may be designated. For general e-commerce and service businesses, the immediate impact is minimal.
Data intermediaries and digital verification services
DUAA creates a framework for trust marks and registration requirements for data intermediaries — organisations that facilitate data sharing between parties. It also creates a statutory framework for digital identity verification services, allowing individuals to use verified digital IDs to prove age, identity, or credentials.
For websites that already use third-party identity verification, DUAA's digital verification service (DVS) provisions may affect which services qualify as "approved" under the new framework. HM Government maintains a register of DVS trust-marked providers.
What has not changed
Several provisions of UK GDPR and DPA 2018 are unaffected by DUAA. The following obligations remain exactly as before:
The six lawful bases under UK GDPR Article 6 continue to apply, with the minor modification of recognised legitimate interests noted above.
Consent requirements under Article 7 are unchanged.
Data subject rights (access, rectification, erasure, portability, objection) are unchanged.
The obligation to appoint a Data Protection Officer where required is unchanged.
The 72-hour breach notification deadline to the ICO under Article 33 is unchanged.
PECR rules on cookies and electronic marketing are unchanged.
Comparing UK and EU data protection after DUAA
The EU retained its GDPR framework without the reforms DUAA introduces, meaning UK and EU data protection law have now diverged further. The EU adequacy decision for the UK, granted in 2021, is under ongoing review. DUAA was drafted with adequacy preservation as an explicit objective, and the government has stated its intention to maintain EU adequacy.
For businesses that transfer personal data from the EU to the UK — for example EU customers whose data is processed on UK servers — the adequacy decision means no additional transfer safeguards are currently required. Businesses should monitor ICO and government guidance if the adequacy decision is renewed, restricted, or revoked. For an overview of how UK and EU frameworks compare, see UK GDPR versus EU GDPR after Brexit.
Steps for website operators
Most small business websites do not need to change anything immediately in response to DUAA. The Act's effects are primarily institutional and structural. However, it is worth reviewing the following during your next annual compliance review:
Review any legitimate interests assessments you have on file, noting whether any of your purposes might fall within a recognised legitimate interest (most will not, but it is worth confirming).
If you use international data transfers, confirm whether your transfer mechanisms (IDTA, SCCs, or adequacy) remain valid under the transition provisions. The ICO has published updated guidance on this point.
Monitor ICO (now Information Commission) guidance as the Commission adapts its enforcement and guidance publications to reflect the new principal objective and appeals framework. Tone and priorities may shift over time even where the legal rules have not.
For a current check of your website's UK data protection compliance, run a free scan at /uk/en/scan.