
UK’s Data Use and Access Act (2025) data protection provisions come into force


On 5 February 2026, many of the key reforms to UK data protection law will take effect. They are being introduced through the Data Use and Access Act 2025 (“DUAA”), which is intended to simplify and streamline various parts of the UK GDPR and Privacy and Electronic Communications Regulations, while also introducing some significant new obligations that companies operating in the UK will need to take note of.

The changes effective on 5 February 2026 include:

  • the introduction of new protections for children,
  • a new legal basis of “recognised legitimate interests”,
  • updates to the rules regarding data subject access requests,
  • expanding the scope for using automated decision making, and
  • changes to cookie consents.

We explain what these changes mean in practice below.

Ensuring effective children’s protection

One of the most significant changes brought about by the DUAA is the introduction of new requirements for certain online services which are likely to be accessed by children. Such services must now take account of specified “children’s higher protection matters”, including:

  • How best to protect and support children when using the service,
  • The fact that children merit specific protection with regard to their personal data, because they may be less aware of the risks and consequences associated with processing of personal data and their rights in relation to such processing, and
  • The fact that children have different needs at different ages and stages of development.

These changes build on the existing GDPR requirement to implement appropriate technical and organisational measures to ensure data protection by design and default, by expressly requiring providers to take account of children’s needs when designing their services. In practice, the change essentially formalises the ICO’s existing Children’s Code. The ICO has updated its guidance on data protection by design and default to reflect the changes, and organisations should review product design governance, age assurance mechanisms, and DPIAs to ensure these factors are accounted for.

Recognised legitimate interests

The DUAA also creates a new lawful basis for processing personal data under Article 6 UK GDPR based on “recognised legitimate interests”. These include processing that is necessary for crime prevention, safeguarding vulnerable people, responding to emergencies, safeguarding national security, or assisting bodies delivering public interest tasks sanctioned by law.

The changes are designed to give companies greater confidence about processing personal data for these limited and defined purposes. Helpfully, for processing based on recognised legitimate interests, they also remove the requirement to carry out a detailed legitimate interests assessment which balances the data controller’s interests against those of the individuals concerned. In reality, however, the changes represent a fairly narrow set of cases, and ultimately reliance on this legal basis will not absolve the controller from considering wider principles (such as transparency and necessity) and the UK GDPR as a whole.

Where a processing activity does not fall within a recognised legitimate interest, the DUAA also introduces a non-exhaustive list of examples of processing activities which may be in the controller’s legitimate interests, including direct marketing, intra-group data sharing for internal administrative purposes, and ensuring the security of network and information systems. Note, however, that for these processing activities a legitimate interests assessment will still be required.

Improvements for data subject access requests

It is now confirmed in law (not just regulatory guidance) that controllers may “stop the clock” when waiting for further information requested from the data subject to confirm the scope of a request. Previously, UK law did not explicitly state that searches needed to be “reasonable and proportionate”, although this has been established by case law and is also now codified by the DUAA. The ICO has already updated its guidance on data subject access requests to reflect these changes.

While the DUAA introduces a requirement for controllers to establish a process for handling complaints by data subjects, this change is expected to take effect later this year (June 19). In anticipation of the change, we recommend that controllers include details of the complaints process in their privacy notices and make means available for complaints to be made (e.g. by providing an electronic complaints form).

Clarity for automated decision making

In an effort to facilitate the responsible use of automation to help grow the economy and enable a modern digital government, the scope for relying on solely automated decision-making has been expanded. This is considered to be one of the boldest changes introduced by the DUAA, with the UK seeking to recognise the mainstream nature of automated decision making and sharpen its risk-based approach to such practices.

The previous rules related to automated decision making were framed as a general prohibition on decision-making of this nature, except where certain limited conditions apply. According to the UK Government, the rules were complex to navigate, leaving organisations unclear when they could engage in such activity, and ultimately hindering the use of automated decision-making that might otherwise enhance productivity and make people’s lives easier.

The reforms aim to simplify the requirements for solely automated decision-making, by:

  • Limiting the strictest controls to processing of special category data only (which diverges from the approach in the EU), and
  • Specifying which safeguards must be implemented for a controller to make significant decisions based entirely on automated processing of personal data. These include providing data subjects with information about the decision(s), enabling individuals to make representations about and to challenge such decisions, as well as enabling them to obtain human intervention in the taking of a decision.

Cookie consent changes

New exemptions from the requirement to obtain consent for cookies are introduced where the deployment and use of cookies poses a low risk to user privacy, including where cookies are:

  • Certain analytics cookies used to collect statistical data for improving website performance (e.g. analytics cookies),
  • Functional cookies to enhance website appearance or user experience, and
  • Cookies used for security purposes or to prevent or detect fraud (now considered as strictly necessary cookies).

This is aligned with how the ICO is already enforcing cookie consent in practice, most notably in its recent review of cookie usage on the UK’s top 1000 websites. Although users are no longer required to opt in to these cookies, controllers must still provide clear information about how these cookies are used, and a prominent opt-out mechanism.

These changes do not mean that cookies are yesterday’s news. It is important to note that the potential fines for cookie consent violations are now aligned with the UK GDPR, compared to a maximum penalty of £500,000 under the previous regime.

Next steps

The changes introduced by the DUAA are coming into force on a rolling basis, with the most substantial changes commencing on 5 February as outlined above. Others already took effect in 2025 (including the requirement to conduct a “reasonable and proportionate” search in response to a data subject access request), and further reforms (including granting data subjects a statutory right to complain to controllers about how their data is processed) will be rolled out later this year.

You can find further information about how to adapt your compliance programme to the DUAA at ‘Adapting your compliance programme to the UK Data (Use and Access) Act: What you need to know’.

 

Authored by Dan Whitehead, Katie McMullan, and Michaela Glass.
