The Data (Use and Access) Act 2025 ("DUAA") received Royal Assent on 19 June 2025 and introduces significant amendments to the UK’s data protection regime, including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which govern direct marketing, cookies, and electronic communications.
Most, if not all, modern businesses use tracking technologies such as cookies, as well as electronic marketing communications. However, the enhanced enforcement powers introduced by the DUAA mean that it is more important than ever for organisations to ensure compliance with the complex legislative framework governing these practices.
The changes introduce increased risk of significant enforcement action
Although the amendments to PECR under the DUAA are not yet fully in force—pending secondary legislation from the UK Government—once implemented, the key changes will include:
- Increased maximum fines: Previously, PECR breaches were subject to a maximum fine of £500,000. The DUAA raises this significantly to align with UK GDPR levels: the higher of £17.5 million or 4% of global annual turnover.
- New and increased regulator powers: The DUAA grants the Information Commissioner's Office (ICO) enhanced enforcement powers, including the ability to compel witnesses to attend interviews and to request technical reports and audits.
- Active regulator enforcement: The ICO's 2025 Online Tracking Strategy confirms that misuse of online tracking practices (including cookies) is a key enforcement priority. The ICO’s enforcement action webpage also highlights that non-compliant direct marketing and fundraising practices remain a major focus, with monetary penalties already being issued. This is unlikely to change.
- Increased scope of PECR: The DUAA expands the scope of the cookies rules to include those who “instigate” the storage of or access to information on devices—not just those who place cookies. It also clarifies that the definitions of “call” and “communication” include all calls made and communications transmitted, regardless of whether they reach the intended recipient. This means a PECR infringement could occur even if a marketing message is not delivered or a cookie is not successfully applied.
The changes will also create greater flexibility
The DUAA also introduces greater flexibility for website operators and charities conducting fundraising:
- Additional exemptions for cookies: The Act will permit the placement of non-strictly necessary cookies without consent for limited purposes, such as collecting information for statistical purposes or to improve the functionality of the site. Organisations must still comply with transparency obligations and provide users with opt-out options.
- Soft opt-in for charities: The DUAA extends the soft opt-in exemption to fundraising communications. Charities will be able to send electronic marketing to individuals whose contact details were obtained when they supported or expressed interest in the charity's work—unless the individual opts out. For more information, see our article "Data Use & Access Bill: The Impact On Charities".
How to prepare for change?
To avoid substantial fines or other enforcement action—as well as the reputational damage that can accompany regulatory scrutiny—it is vital that organisations audit their current marketing and cookies practices and address any compliance gaps.
Our expert Data Protection & Cybersecurity team regularly advises clients in these areas. We can help assess whether your current practices are compliant and, if not, support you in implementing a remediation framework.