The DUAA simplified some things. It increased the risk on others. Most organisations have only noticed the first part.

Privacy Culture | June 9, 2026

When the main provisions of the Data (Use and Access) Act 2025 came into force in February, the dominant narrative was relief. Cookie consent requirements had been relaxed; a new lawful basis removed the need for a balancing test in defined circumstances; the rules around subject access requests gave organisations more room to seek clarification before the clock started running. After years of watching reform legislation stall in Parliament, something had finally passed, and it was broadly friendlier than what had come before.

That narrative is accurate, as far as it goes. The problem is that many organisations have stopped there and filed the Act under “nothing urgent to do.” Three months on, that assessment is difficult to defend.

Where the Act does reduce the burden

The cookie changes are the clearest genuine simplification. Five categories of cookie are now exempt from consent requirements: analytics, security, functionality, software update and interface customisation. The analytics exemption is the most commercially significant. Organisations using cookies solely to collect aggregate statistics for service improvement can now operate on an opt-out model rather than seeking prior consent, provided three conditions are met: the use is explained clearly, opt-out is straightforward and the data cannot be used to identify individual visitors. The third condition is the one that needs technical verification rather than a notice update: the analytics configuration itself has to be checked, and the opt-out has to actually stop the cookie being set, not merely be offered. This removes a real friction point for many businesses. The exemption does not extend to advertising: any cookie used for advertising purposes still requires consent, and the ICO has been explicit on this point.

The new “recognised legitimate interests” lawful basis is more limited in practice than early commentary suggested. It removes the balancing test for a specific list of purposes set out in a new Annex 1 to the UK GDPR: national security, public security and defence; responding to emergencies; investigating crime; safeguarding vulnerable individuals; and disclosures to public bodies carrying out public tasks. These are narrowly defined, and the basis is unavailable to public authorities. For most commercial organisations the practical effect is modest, but for those whose processing does fall within Annex 1, the documentation burden is genuinely reduced and ROPAs can be simplified accordingly.

The subject access request changes allow organisations to pause the one-month response clock while waiting for clarification when a request is broad and large volumes of data are held. This is a useful provision, but it requires a documented process to use safely: the date the clarification was requested and the date it was received both need to be recorded, because they determine when the clock stopped and restarted. The clock-stopping mechanism needs to be built into SAR handling procedures, not just known about in principle.

Where the risk profile has changed

The PECR fine increase has received far less attention than it deserves. From 5 February 2026, the maximum penalty for breaches of the Privacy and Electronic Communications Regulations rose from £500,000 to £17.5 million, or 4% of global annual turnover, whichever is higher. That is a 35-fold increase in the penalty ceiling for failures around email marketing, cookies and electronic communications.

PECR has been treated by many organisations as the lower-stakes regulation. Cookie banners get configured once and left. Email consent records are rarely audited with the rigour applied to UK GDPR documentation. Marketing suppression lists get updated inconsistently. The assumption has been that the downside was containable. That assumption no longer holds.

The DUAA also expanded who can be held liable under PECR. “Instigators” of cookie violations (organisations that direct or procure the placing of cookies, not just the service that actually places them) are now directly in scope. This brings more participants in the digital advertising and AdTech ecosystem into the ICO’s enforcement reach.

The automated decision-making change nobody is planning for

The DUAA repeals Article 22 of the UK GDPR and replaces it with four new provisions. This is the sharpest point of divergence yet introduced between UK and EU GDPR and it has significant implications for any organisation operating across both jurisdictions.

Under the old regime, solely automated decision-making producing legal or similarly significant effects on individuals was prohibited by default. Three narrow exceptions permitted it: contractual necessity, authorisation by law, or explicit consent. Under the new UK rules, organisations can rely on other lawful bases, including legitimate interests, for automated decision-making that does not involve special category data. The safeguards remain: notice of automated decisions, the right to contest them and human review on request. What has changed is the default position: processing that was prohibited unless an exception applied is now permitted provided the safeguards are in place.

For organisations operating in both the UK and EU, this creates a compliance split that a single policy can no longer bridge. EU obligations under GDPR Article 22 have not moved. UK and EU processes for automated decision-making now need to be tracked separately.

What changes on 19 June

A second tranche of DUAA provisions arrives on 19 June 2026. Organisations must have a formal complaints-handling process in place: an electronic complaints form, a 30-day acknowledgment requirement and a commitment to respond without undue delay. For organisations already handling data protection complaints through a documented process, this requires little adjustment. For those whose complaints arrive informally into general inboxes and are handled ad hoc, without consistent response timelines, this creates a gap that now carries legal weight.

Also from 19 June, organisations providing online services likely to be used by children face an explicit obligation to account for children’s needs when making decisions about personal information use. The ICO’s enforcement posture makes the stakes clear. Reddit was fined £14.47 million in February 2026 for failing to protect children’s data, the largest fine ever issued under the ICO’s children’s privacy enforcement programme. MediaLab was fined £247,590 for equivalent failures at smaller scale. The Children’s Code has been in force since 2021 but the DUAA brings children’s data obligations into the core of UK GDPR rather than treating them as a separate regime.

What the ICO’s new powers mean for regulatory engagement

From February, the ICO gained materially stronger investigation tools. It can now issue document production notices requiring specific documents rather than categories of information; compel organisations to appoint an approved person to report on specified topics (for example, conducting forensic analysis of a data breach); and require employees or managers suspected of wrongdoing to attend interviews.

These powers change the dynamic of any regulatory interaction. Previously, organisations had more control over the scope of what they disclosed during an investigation. That control has narrowed. Privacy teams and DPOs need to understand the expanded toolkit, not because an investigation is necessarily likely, but because regulatory engagement strategy should be calibrated to the current enforcement environment, not the previous one.

The review most organisations haven’t done

A structured DUAA assessment covers five areas: reviewing privacy notices and ROPAs to reflect any changes in lawful basis; auditing cookie implementation to determine which exemptions now apply and whether consent architecture needs updating; reviewing SAR handling procedures to document the clarification process and clock-stopping mechanism; assessing PECR compliance against the higher penalty landscape; and ensuring the complaints-handling process meets the 19 June requirements.

None of this is technically complex. All of it requires time, privacy expertise and a methodical approach. Most organisations that intend to complete this review have not yet done so. The difference between those who have treated February’s commencement as a trigger for a structured assessment and those who absorbed the simplification narrative and moved on is now measurable in documentation gaps, unreviewed PECR exposure and processes that will not be ready for June.

The DUAA is not finished arriving yet.
