UK Data Protection Reform Approved: Updates on the Data (Use and Access) Bill

On June 19, 2025, the UK Data (Use and Access) Bill received Royal Assent (approval from the king) and has now taken effect as the Data (Use and Access) Act 2025 (DUAA). As we reported in May 2025, the DUAA will make a number of changes to UK data protection legislation, which include clarifying how personal data can be used for research purposes, relaxing restrictions on some automated decision making, expanding the categories of cookies which may be used without consent, allowing charities to send email marketing without consent in some circumstances, requiring organizations to have a data protection complaints procedure, and introducing a new lawful basis of recognized legitimate interests.

The DUAA also provides the Information Commissioner’s Office (ICO), the UK data protection authority, with new powers. For example, the ICO can now compel witnesses to attend interviews and request technical reports. In addition, the DUAA increases the maximum fines for breaches of the Privacy and Electronic Communications Regulations (PECR) from £500,000 to £17.5million, or 4% of global turnover, in line with the UK General Data Protection Regulation. Direct marketing by email and SMS falls within the scope of PECR, as does the use of website cookies.

We will be reporting on the DUAA and what it means for companies in more detail in the coming days.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.