Key aspects of the Data (Use and Access) Act take effect
Key provisions of the Data (Use and Access) Act (DUA Act) came into effect on 5 February 2026 under The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026. Businesses subject to the UK GDPR and/or The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) should ensure that policies and practices reflect this tranche of amendments to UK data protection law.
In this update we summarise some of the key changes relevant to businesses with operations in the UK. The full list of provisions (including provisions relating to children's higher protection requirements, timeframes for responding to data subject rights requests and privacy notice exemptions) is set out here. Section 138, which amends the Sexual Offences Act 2003 to create new offences relating to the creation of intimate "deepfake" images without the consent of the person depicted, also came into effect on 6 February 2026 under The Data (Use and Access) Act 2025 (Commencement No. 5) Regulations 2026.
For additional detail, including on the full suite of changes introduced by the DUA Act, please see our comprehensive DUA Act briefing.
Key changes that took effect on 5 February 2026
Automated decision-making
The DUA Act narrows the general prohibition on the use of personal data for solely automated decision-making (ADM) that produces significant decisions affecting data subjects. The prohibition now applies only to significant ADM based entirely or partly on the processing of "special category" data (for example, health data).
Significant ADM that is based on special category data will need to continue to rely on specific legal bases for processing under UK GDPR (for example, explicit consent). However, the legal bases available for significant ADM that is not based on special category data will be broader (and will include legitimate interests).
Safeguards (such as transparency and contestability requirements) will apply to all significant ADM based on personal data.
Looking ahead: Further ICO guidance expected: (1) draft Automated Decision Making (ADM) and Profiling guidance (expected imminently, to be subject to a public consultation); and (2) Code of Practice on AI and ADM.
Cookie consent
The DUA Act clarifies and expands the circumstances in which consent for cookies will not be required under PECR. It will no longer be necessary to obtain cookie consent for:
- Statistical cookies – cookies that solely collect information for statistical purposes about the use of the service;
- Appearance cookies – cookies that adapt appearance of the service according to the user’s preferences (e.g., displaying the website in a different language);
- Emergency assistance cookies – cookies that are used to find the geolocation of the user of a device in order to provide emergency assistance after a request from the user.
The DUA Act specifies that, for statistical and appearance cookies, controllers and processors must still provide an informed and simple opt-out mechanism that is free of charge.
It will remain the case that cookie consent is not required for 'strictly necessary' cookies (for example, those that an online service could not operate without). The DUA Act also provides examples of cookies falling under the ‘strictly necessary’ exemption, such as cookies that automatically authenticate users, that prevent or detect technical faults when providing a service, and that prevent or detect fraud when providing a service.
The DUA Act also amends PECR to state that references to ‘storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user' (cookies and similar technologies) includes "instigating" the storage or access.
Looking ahead: Further ICO guidance on storage and access technologies is expected in Spring 2026, following a public consultation in Autumn 2025.
Recognised legitimate interests
The DUA Act introduces a new legal basis for data processing – ‘recognised legitimate interests'. The following processing activities are considered recognised legitimate interests under the DUA Act:
- processing necessary for national security, public security and defence purposes;
- processing necessary for the detection, investigation or prevention of crime;
- responding to requests made by bodies acting in the public interest, for processing by those bodies for purposes laid down in law (for example, to help a government agency discharge its duties and functions); or
- processing necessary for the safeguarding of vulnerable individuals.
Processing personal data based on 'recognised legitimate interests' under the UK GDPR will not require a further 'balancing test' to be carried out (that is, balancing the controller's legitimate interests against the privacy rights of data subjects).
Looking ahead: Final ICO guidance on recognised legitimate interest is expected for Q1 2026, following redrafting after the public consultation in October 2025.
Research and statistical purposes
The DUA Act defines “research and statistical purposes” to include “any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity”. This aligns the substantive provisions of the UK GDPR with existing recitals and regulatory guidance to encourage a broad interpretation of the concept of scientific research, such that the UK GDPR’s purpose limitation principle, and its restrictions on the processing of special category data, are less likely to restrict processing for such purposes provided certain safeguards are met. The DUA Act also clarifies that data subjects can give “broad consent” for processing of their data for an area of scientific research in certain circumstances.
Looking ahead: An ICO update on Research, Archiving and Statistics is expected for Summer 2026.
Purpose limitation and further processing
The DUA Act clarifies the circumstances under which personal data may be re-used for purposes different to the purposes for which the personal data was originally collected. Depending on the original legal basis relied on, purposes deemed to be compatible for further processing may include:
- research, archiving or statistical purposes
- detecting, investigating or preventing crime.
The DUA Act also sets out factors that controllers should consider when determining “purpose compatibility” for data re-use in other circumstances (for example, possible consequences for data subjects of the proposed processing, and the existence of appropriate safeguards).
PECR fines increased
Previously, fines for breaches of PECR were capped at £500,000. The DUA Act now brings maximum fines under PECR into line with UK GDPR levels (that is, £17.5 million or 4% of global annual turnover, whichever is higher). PECR is the instrument that implements the EU's ePrivacy Directive into UK law, regulating cookies and email marketing, among other things. These changes raise the stakes for non-compliance with PECR requirements.
Looking ahead: Further ICO guidance is expected on Direct Marketing and Privacy and Electronic Communications (expected: Q1 2026).
The ICO's enforcement toolkit expanded
The ICO is newly empowered to:
- require the preparation of a report at the expense of the controller or processor being investigated (by way of illustration, this might be a report setting out findings from an internal investigation into how unauthorised access to a restricted database occurred);
- compel a witness (e.g. a manager or employee) to attend interview, where giving a false statement in response to an interview question would be an offence; and
- by way of issuing an information notice, require not only the provision of general information but the production of specific documents (for example, a data protection impact assessment or transfer risk assessment).
Looking ahead: Further ICO data protection enforcement procedural guidance is expected in Spring 2026, following a public consultation launched in October 2025.
The international data transfer test reformulated
The DUA Act reformulates the test for assessing a third country's adequacy in connection with international data transfers. The newly introduced "data protection test" requires the Secretary of State to assess whether the standard of protection in a third country in respect of a transfer is "not materially lower" than the standard in the UK. The same data protection test is to be applied by controllers and processors before they transfer personal data to a third country in reliance on "appropriate safeguards" (such as standard contractual clauses). It remains to be seen whether this proves to be a meaningful distinction from the "essential equivalence" test referred to in the EDPB's guidance and in judgments of the European Union courts. The UK Government is also empowered to approve new clauses that are capable of securing that the data protection test is met.
On 15 January 2026, the ICO updated its guidance on international transfers, including by replacing the EU’s “essentially equivalent” adequacy test with the new “not materially lower” data protection test.
A further change, taking effect on 19 June 2026
Complaints from data subjects
The DUA Act creates a right for data subjects to complain directly to controllers in relation to infringements of data protection law (alongside the existing ability to lodge complaints with the ICO). Controllers must facilitate the making of such complaints, for example by providing a complaint form "which can be completed electronically and by other means", and must acknowledge complaints within 30 days, take appropriate steps to resolve the complaint without undue delay, and inform the data subject of both progress and the outcome. Businesses that use the EU GDPR as their high-water mark for data protection obligations should take special note, as these provisions will exist in the UK GDPR but have no equivalent in the EU GDPR.
Are you ready?
Businesses should consider the increased PECR fines when assessing their compliance with cookie and direct marketing requirements. The expanded ICO enforcement powers raise the stakes for regulatory engagement. Businesses should also review their data protection policies and practices to ensure that the DUA Act amendments are now reflected. For example, where processing activities are based on recognised legitimate interests, you will need to update records of processing and privacy notices, and may wish to deprecate historical legitimate interest assessments.
Please do not hesitate to reach out to your Clifford Chance contact if you have any questions about what changes mean for your business.