From cookies to complaints: compliance and enforcement under the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (the Act) received Royal Assent on 19 June 2025 and introduces changes to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR). These changes will affect most businesses to some extent and should therefore be carefully considered to avoid potential breaches.
Changes Introduced by the Act
Recognised Legitimate Interests Lawful Basis
The Act introduces a new lawful basis for processing, “recognised legitimate interests”, which covers processing for specific purposes such as security, emergencies, crime prevention, safeguarding, defence, and responding to requests from public bodies. For these purposes it removes the need for organisations to balance the impact on the people whose personal data is being used against the benefits arising from that use.
Automated Decision-Making
Regulations on automated decision-making were previously strict, with only a few lawful bases available and the practice generally prohibited. The Act eases these restrictions, allowing any lawful basis to be used for automated decision-making, provided that safeguards are applied. These safeguards relate to transparency, explainability and contestability.
According to the Act, automated decision-making refers to decisions based solely on automated processing, with no meaningful human involvement. The restrictions are as follows:
- Where a significant decision is being made (i.e. one with legal or similarly significant effects on the data subject), it must not be made solely through automated decision-making unless one of the following exceptions applies:
  - The data subject has given explicit consent;
  - The decision is necessary for entering into or performing a contract with the data subject; or
  - The decision is authorised by law or made in the substantial public interest.
- Where significant decisions are made solely through automated processing, the following safeguards must be in place:
  - The individual must be provided with relevant information;
  - The individual must be able to make representations;
  - The individual must be able to obtain human intervention; and
  - The individual must be able to contest the decision.
Enforcement
The maximum fines under PECR will now match those under the UK GDPR: the higher of £17.5 million or 4% of global annual turnover. Previously, the maximum fine was £500,000, so this represents a significant increase in enforcement power. This change does not apply to any breaches of the duty to notify the ICO of personal data breaches under PECR.
International Transfers
The Act introduces a new test for assessing whether another country’s data protection standards are “not materially lower” than those in the UK. Previously, the standard required “essentially equivalent” data protection to that offered in the UK. This new test is therefore slightly less stringent.
Complaints
The Act introduces a new requirement for organisations to enable individuals to make complaints about breaches of data protection law. To comply, data controllers must:
- Take steps to enable individuals to submit complaints (e.g. by making a form available);
- Acknowledge complaints within 30 days of receipt; and
- Respond appropriately and without undue delay, informing the individual of the outcome of the complaint.
Cookies
Under the new Act, certain cookies may be set without user consent if they are used for:
- Statistical purposes to improve the website or services;
- Website functionality; or
- Providing emergency assistance.
AI and Copyright
Section 136 of the Act requires the Government to publish a report on the use of copyrighted works in AI development within nine months of the Act’s passing. This follows a compromise after the House of Lords attempted to include provisions relating to the use of copyrighted works in AI development within the Act, which the Government initially rejected.
Data Subject Access Requests
Where a data controller requires further information to identify an individual’s data in relation to a Data Subject Access Request (DSAR), they may request it from the individual. While awaiting this information, the one-month response timeframe is paused. Additionally, searches conducted in response to a DSAR must be “reasonable and proportionate”.
When Will the Provisions Come into Force?
The Act’s provisions will be implemented in three phases:
- Some provisions, including those relating to law enforcement and intelligence services under Parts 3 and 4 of the Data Protection Act 2018, came into force upon Royal Assent on 19 June 2025;
- Additional provisions will come into force on 19 August 2025; and
- The requirement that DSAR searches be reasonable and proportionate is backdated to 1 January 2024 and applies retroactively to requests made before the Act’s passage.
Comment
In preparation for the provisions coming into force on 19 August 2025, organisations should review their existing data handling policies to ensure compliance with the Act’s transparency requirements. Policies should be updated where necessary, and staff should be trained to implement them effectively. One provision to note is the requirement for organisations to assist individuals who wish to make a complaint about a data breach.