Carol and Danielle provide an overview of the new Data (Use and Access) Act of 2025 (DUAA), passed in the UK as an amendment to its General Data Protection Regulation (UK GDPR) for the purpose of streamlining its requirements. The authors detail the various ways this act, introduced to balance regulatory efficiency with the preservation of consumers’ data privacy, “refines existing GDPR-based protections and expands both regulatory oversight and consumer empowerment.”
The authors discuss several ways that the DUAA maintains, as well as improves, consumer privacy protections and regulatory oversight. To begin, the act updates the standards for processing consumers’ personal data. While the full scope of the change will be clarified in forthcoming guidance, “at a minimum the act maintains the data processing protections contemplated by the UK GDPR.”
The act also expands consumers’ rights to lodge complaints and demand information about the collection and use of personal data. This includes specific protections for child safety measures and explicit clarification of the collection and use of children’s personal data, which Carol and Danielle emphasize is “particularly important given the rise of US lawsuits and reports highlighting the risks that social media poses to children’s mental health and safety.”
In addition, the act provides clarification regarding web cookies, including carving out certain cookies from requiring explicit consent. While this could cause concern among consumers, the authors note that the narrow language and seemingly limited application of the act “will likely maintain consumer control over their data and continue to require companies to seek consent for the use of cookies in most instances.”
The authors also highlight the importance of the act’s impact on regulatory oversight, as “the act significantly expands the enforcement mechanisms available to the ICO, now known as the Information Commission (IC).” The act allows the IC to require entities to prepare investigation reports regarding data security issues and to seek documents and testimony as part of its investigations and reviews. Through the IC’s increased regulatory power and the expansion of consumers rights under the act, the authors explain that “consumers will be better able to pursue collective or mass actions for claims, such as loss of control of data.”
Although the IC still needs to provide guidance on the many of the act’s practical effects, Carol and Danielle remark that the act is already “an evolution in the UK’s data protection landscape.” They conclude that “by clarifying data processing standards, tightening rules around secondary data use, and strengthening avenues for consumer complaints and enforcement, the act positions itself as a modernisation effort rather than a departure from established rights.”