120Feet

What the Data Use and Access Act 2025 could mean for Analytics, Experimentation & Personalisation Tools

Gavin Attard

25-06-2025

Data Use and Access Act – Key Takeaway

The UK’s new Data Use and Access Act 2025 (“DUAA”) is here, having received Royal Assent on the 19th of June 2025, and it covers a broad set of changes to UK GDPR, DPA 2018 and PECR.

In this article I want to focus only on some important changes to the PECR rules that businesses like yours need to know about.  These updates are especially relevant if you’re using analytics, experimentation or personalisation platforms.

You can read the legislation yourself in Schedule A1; the rest of this blog is a short summary of what really matters from our point of view.

This applies specifically to UK-market websites.  It’s also worth noting that some parts of the Act may be influenced by the UK’s adequacy decisions due later this year, so there are still some moving parts.

First, the basics

PECR now clarifies that the term “website” doesn’t just mean websites.  It includes mobile apps and any platform that carries out communications.

So yes, this means connected devices and IoT platforms are now in scope too.

Two key changes we’re most interested in

The first big shift is around consent for statistical purposes.  And the positive news is that you may no longer require explicit consent to access or store information on a device for analytics platforms such as GA4 or Adobe Analytics.

This is a big win for anyone running analytics tools to measure website or app performance.

That said, implementation and configuration still matter.  For example, GA4 should still be configured so that ad_storage and other non-statistical permissions are set to false unless the user has explicitly opted in.

The second change relates to website appearance and functionality.

The rule also allows access and storage to enable an enhancement of how your website or app looks or works without explicit consent.  A lot of posts we’ve seen only mention this is permissible for user preferences but they miss the second condition, which allows for enhancement of the appearance or functionality in general.

This may open the door to experimentation platforms being deployed without needing users to opt in first.  As for personalisation activity, there will be nuance here, so ICO guidance on this will be important.

For both of these changes, you still have to inform users clearly and give them a simple, free way to opt out.  So, while this change gives us a lot more flexibility, it still comes with some responsibility.

If you already have a decent Consent Management Platform in place, these changes are relatively easy to implement with significant positive impact.

The ICO isn’t messing around

The ICO’s powers have been strengthened.  So if you get this wrong, the penalties are going to be much higher.

Therefore, it’s a good time to review your compliance approach.

When should you start making changes?

Not just yet!

The Act’s implementation is staggered, with different provisions taking effect 2, 6, and 12 months after Royal Assent.

The ICO is currently working on updated guidance for Direct Marketing and PECR, which they expect to publish in Winter 2025 / 2026.  You can follow their guidance roadmap here.

What should you do now?

Start by speaking with your legal team or partners to get a clear understanding of what these and the broader changes of the Act may mean for your organisation.

Then take a good look at your current consent approach. If you’re still relying on outdated systems or, worse, not managing consent at all, now’s the time to get things sorted.

Would you benefit from some help and support?

We’ve helped a lot of clients roll out clear and compliant consent strategies.

If you want to talk through what’s changing and your best options, we’d love to help.  Just get in touch.

This post does not constitute legal advice. Please consult your legal team for guidance specific to your business.