DUAA in 2026: what’s changed in UK data protection and privacy law?

From 5 February 2026, most key data protection changes under the Data (Use and Access) Act 2025 (DUAA) came into force and reshaped how UK organisations need to apply parts of the UK GDPR, the Data Protection Act 2018 and PECR in practice.  

The DUAA updates the UK privacy rulebook in a targeted way across a number of areas that many SMEs deal with every day, including cookies and tracking, automated decisions and children’s safeguards, with a strict new complaints-handling requirement coming in June.

If you’re responsible for customer, employee or website data, you should check what’s changed now and make sure your set-up and processes reflect it - especially where direct marketing and cookies are involved. 

While the changes under the DUAA aim to streamline and simplify, the consequences of getting certain things wrong make this a significant governance and board-level priority. PECR fines (covering cookies and electronic direct marketing) can now reach UK GDPR levels - up to £17.5m or 4% of worldwide turnover, whichever is higher - raising the stakes for compliance. Tougher expectations on handling data protection complaints will follow in just a few months. You should start implementing changes now, but remember to check for new ICO guidance as it’s released so you stay aligned.

Below is a brief overview of some key changes to know, what’s coming next, and examples of practical steps you can take to stay compliant.

Key DUAA changes for SMEs – UK GDPR and PECR updates

Most key updates came into force on 5 February 2026 and are now live. So now is the time to focus on compliance to avoid risk and damage to your reputation. Key focus areas include:  

Cookies and similar tracking

The DUAA makes targeted changes to cookie consent rules, which will matter if you use analytics tools on your website. 

  • Some low-risk cookies may be used without consent in limited circumstances - for example, cookies used for statistics to improve your website or to support certain functional requirements.
  • Where you rely on an exemption, you must still offer an opt-out and provide information about the cookies you use.
  • Penalties under PECR can now be significantly higher, and the ICO treats enforcement of breaches in this area seriously, so treat cookie compliance as a real risk item, not just a marketing tweak.

Children’s data and child safety

The DUAA strengthens the focus on children’s protection in the UK privacy framework. Providers of online services likely to be accessed by children must now explicitly consider ‘children’s higher protection matters’ as part of their data protection by design approach. 

  • If your service is likely to be accessed by children, you should assume higher scrutiny of your design choices, transparency and safeguards. 
  • In practice, that means taking steps such as privacy-friendly default settings, age-appropriate privacy notice language and data minimisation, among other measures that show a genuine commitment to safeguarding children’s data.

Automated decision-making and profiling

The DUAA adjusts how the UK rules apply to automated decision-making (ADM), which could impact some AI-driven decision-making. 

  • Restrictions on solely automated decision-making have been relaxed in certain areas (unless special category data is involved), so long as safeguards are in place.   
  • If you use tools such as automated scoring, screening or profiling that involve ADM, make sure safeguards are in place, give information about how you make decisions, and let individuals challenge decisions and obtain human intervention.

Lawful bases – legitimate interests

There is now a new lawful ground for processing personal data. 

  • A new ground of “recognised legitimate interests” for defined activities is introduced, which can reduce some of the work around the balancing test.  
  • For many commercial organisations, the practical significance of recognised legitimate interests might be limited. Examples of recognised legitimate interests cover things like using data for crime prevention, safeguarding and responding to emergencies. 
  • For any processing outside narrowly defined recognised legitimate interests categories, you’re back to the usual legitimate interests approach, including the need for a full legitimate interests assessment.  

Enforcement and regulatory powers

The DUAA also strengthens the regulator’s toolkit. 

  • Privacy compliance is becoming easier to test (by regulators, customers and investors) because expectations are being spelled out more clearly. 
  • For some issues (notably PECR/cookies), the potential exposure is now materially higher, with higher possible fines and higher overall risk and cost of enforcement (investigation time, remediation work, reputational impact). 

Complaints handling – new controller obligations (June 2026) 

From 19 June 2026, businesses will need to have a way for people to raise data protection complaints - and a process to handle them properly. 

  • You will need a complaints procedure that is compliant, accessible and effective in practice (not just a privacy inbox address).
  • You’ll also need the ability to acknowledge and handle complaints within specific timeframes, with records of what you did and why.

PECR, UK GDPR and the DPA 2018 are still in force and still mandatory. The DUAA doesn’t replace them; it amends them. So, remember to keep complying with these laws but understand how the DUAA’s changes impact your obligations under them. 

What you should do now

To keep your compliance actions manageable, focus on a set of practical actions that will bring your day-to-day compliance up to date. You don’t need to rebuild everything if you already have strong compliance in place, but you should revisit your policies and processes to align with DUAA changes and ICO guidance. You should also consider where your risk lies (e.g. increased PECR fines) and take steps to mitigate those risks.

  • Run a DUAA impact audit across your business (e.g. website, marketing, HR, customer support, IT) to identify the actions you need to take.
  • Review your practical cookie use and tracking set-up (cookie policies, banners and preference centres) to reflect the updated PECR position – including transparency and opt-out controls where you rely on the new exemptions. 
  • Refresh your privacy notices and other policies so they reflect any relevant DUAA changes. 
  • Review any automated decision-making (including AI-driven scoring or screening) and make sure your activities are aligned with DUAA changes. 
  • Strengthen your approach for children’s data if your service is likely to be accessed by them. 
  • Prepare for a mandatory complaints route and internal process aligned with legal rules and train frontline teams on how to spot and escalate complaints. 
  • Review third-party arrangements and contracts (processors/joint controllers, marketing platforms, customer support tools) so any changing responsibilities for compliance are clear. 

Remember the DUAA’s impact isn’t one-size-fits-all and depends on your business and its activities - so take legal advice to properly understand what to do.  

How our solicitors can support you

If you need support with any aspect of your privacy approach, do get in touch – our expert data protection solicitors can review your current position and help you put proportionate measures in place to stay compliant while supporting your business’s growth.  

You can keep on top of DUAA developments and guidance by following updates from the ICO – which is transitioning to the Information Commission governance structure under the DUAA – via its website, newsletters and consultations. 

We’ll also continue to share practical insights as the reforms roll out and new guidance lands, so you can stay ahead of what you need to change and when. 

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.
