The U.K. Data (Use and Access) Act 2025: What you need to know 

The U.K. Data (Use and Access) Act 2025 received Royal Assent on June 19, 2025, officially becoming law. This sweeping piece of legislation brings significant changes to the U.K.’s data protection, ePrivacy laws, and digital services landscape. While some provisions are now in effect, others will require secondary regulations to be fully implemented. 

Below, we break down the key provisions of the Act and how you can prepare. 

Key Features of the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 brings a wide range of updates, not just to data protection law but also to emerging areas like smart data and digital verification services. The Act covers the following key areas:

1. Amendments to UK Data Protection and ePrivacy Laws

The Act updates the UK GDPR and the Data Protection Act 2018, including:

  • More Special Category Data: Whilst additional categories have not been added yet, the Act provides a new mechanism by which the Secretary of State can introduce further classes of special category data.
  • Purpose Limitation: The Act extends the purpose limitation principle when processing is carried out for the public interest. The Act introduces a list of derogations deemed compatible with the original purpose or processing, ranging from protecting vital interests to complying with legal obligations.
  • Data Subject Requests: The Act codifies the ICO’s “stopping the clock” approach, under which the clock for responding to reasonable and proportionate data subject requests within the set time frame only starts to run once the identity of the requestor has been verified.
  • Complaints Process: The Act introduces a new right to complain directly to the controller through measures such as an electronic form. The controller is to acknowledge complaints within 30 days and have a clear process for handling data subject complaints. This right to complain should also be included in privacy notices.
  • Automated Decision Making: The Act narrows the scope of the current restrictions on automated decision-making, since they will now be limited to decisions involving special category data. This is a major shift from the existing rules.
  • Legitimate Interests: The Act whitelists certain activities, such as direct marketing, intra-group data transfers, and network security as legitimate interests. This facilitates the process for controllers to determine whether their data processing purpose will be considered as legitimate.
  • International Transfers: The Act retains a risk-based approach to assessing adequacy for international data transfers, focusing on whether the data protection standards in another jurisdiction are “materially lower” than those in the U.K., with the introduction of a “data protection test”.
  • Public Task: The Act clarifies that the public task condition applies only to tasks performed by the controller in the public interest and does not extend to tasks carried out by third parties.
  • Research Clarifications: The Act clarifies how personal data can be used for research purposes, explicitly including “scientific research” and genealogical research. It opens up new opportunities for technological development and fundamental research that can reasonably be described as scientific.

2. Amendments to ePrivacy Laws

The DUA Act also introduces some changes to the ePrivacy Regulations:

  • Charity Soft Opt-in: The soft opt-in for electronic marketing is extended to charities, enabling them to contact individuals for marketing purposes related to furthering their charitable objectives.
  • Cookie and Tracking Technologies: Cookies used for analytics or website optimization are exempt from the requirement to obtain prior consent, as long as users are clearly informed beforehand about the use of such cookies and have a simple, free method to opt out. This may still mean that cookie consent pop-ups remain in use.
  • Fines Alignment: The fines for ePrivacy breaches are now aligned with those under the UK GDPR, allowing for substantial penalties for violations.

3. Smart Data Framework

One of the most innovative aspects of the DUA Act is its establishment of a smart data framework. This framework aims to enable consumers and businesses to grant third parties access to their data, encouraging competition and the development of new products and services.

🔍 What is Smart Data?

Under the Data (Use and Access) Act 2025, smart data refers to customer and business information, such as usage patterns, pricing, performance, and service details, that can be shared with authorized third parties under government-backed schemes. These Smart Data Schemes aim to promote transparency, competition, and innovation by allowing consumers and businesses to access and share their data securely, starting with sectors like energy and finance.

Key points include:

  • Smart Data Schemes: Building on the Open Banking model, the Act facilitates schemes across various sectors, with the energy sector as an early target. These schemes will enable customers to share data (such as consumption patterns) for price comparisons or carbon reporting, spurring innovation.
  • Obligations for Traders: Businesses that supply goods or services will be subject to new obligations under these schemes, including investment in IT infrastructure to support data sharing.

4. Digital Verification Services (DVS)

The Act introduces a framework for digital verification services (DVS), including electronic signatures and eID. This will enable a trust framework for DVS providers, ensuring they meet the required standards and can be certified and included in a statutory register.

  • Public Authority Gateways: DVS providers will be able to interact with public authorities via secure information gateways, allowing for the use of certified DVS for tasks such as right-to-work or right-to-rent checks.
  • Reduced Personal Data Collection: DVS will help reduce the need for businesses to collect personal data, minimizing risks for both businesses and individuals.

5. The Future of AI and Automated Decision-Making

With the amendments to research definitions and automated decision-making restrictions, the U.K. is positioning itself as a more flexible environment for AI development. These changes make the U.K. an attractive destination for AI innovation, especially given that the EU has introduced specific AI regulations that U.K.-based businesses will not need to adhere to. However, multinational businesses must remain mindful of the differences between U.K. and EU data protection laws when developing or deploying AI technologies.

The Act’s Impact on Business Operations

The Data (Use and Access) Act 2025 will require businesses to:

  • Review Data Governance Practices: Businesses will need to reassess their data collection, processing, and sharing policies, particularly for research and AI development.
  • Prepare for Digital Verification Services: Businesses relying on identity verification will need to familiarize themselves with the new DVS framework and adjust their systems accordingly.
  • Monitor Smart Data Schemes: Traders in sectors like energy and finance should prepare for the potential obligations that will come with smart data schemes.
  • Adapt to ePrivacy Changes: Businesses will need to review their cookie consent practices and ensure they comply with the new exemptions and requirements for clear information.

Penalties and Enforcement

As with GDPR, the Data (Use and Access) Act 2025 establishes significant penalties for non-compliance. Penalties for breaches of electronic marketing regulations and placement of cookies are currently capped at £500,000. However, ePrivacy breaches will soon be subject to the Data Protection Act 2018, leading to severe fines of up to 4% of global turnover or £17.5 million, whichever is higher.

Preparing for the DUA Act

Organizations should begin preparing for the full implementation of the Act by:

  • Familiarizing themselves with the new rules on automated decision-making and research to better align with evolving AI development.
  • Reviewing their data processing practices, particularly around smart data schemes and digital verification.
  • Ensuring compliance with ePrivacy laws and data subject rights.

While substantial changes to data protection frameworks are not required immediately, organizations should stay informed and proactive to take full advantage of the Act’s provisions and ensure continued compliance.

Conclusion

The Data (Use and Access) Act 2025 marks a major step forward in the U.K.’s data protection and digital verification landscape. It aligns with international standards like the GDPR but also opens new avenues for innovation, particularly in AI, smart data, and digital verification services. Businesses should remain vigilant, staying up to date with secondary regulations and preparing for the upcoming changes that will impact their data handling practices.