UK GDPR & DUAA: 2026 changes explained
The UK Data Use and Access Act 2025 changes cookie consent for analytics and adds a mandatory pre-ICO complaints procedure from June 2026.
Most UK data protection updates are incremental. The Data Use and Access Act 2025 (DUAA) is different. It quietly shifts one of the most contested rules in UK digital marketing: when you actually need someone to opt in to analytics cookies. At the same time, it introduces a structured complaints process that every business handling personal data now needs to prepare for.
In this post, we’ll break down exactly what changed, why it matters for your website, and what practical steps to take before the key deadlines.
The Data Use and Access Act 2025 (DUAA) is a UK law that received Royal Assent on 19 June 2025. It does not replace UK GDPR or the Data Protection Act 2018. Instead, it amends them in specific areas to reduce friction for businesses while maintaining the core framework of data protection.
The Act covers a wide range of topics, from automated decision-making to smart data schemes. For most websites and digital teams, two changes are immediately relevant: the relaxed consent rule for low-risk analytics cookies, and the new data protection complaints procedure that organisations must operate before a complaint can go to the ICO.
The changes to data protection law will come into force in stages, between two and twelve months after Royal Assent. The complaints procedure takes effect on 19 June 2026.
Before the DUAA, the UK cookie rules in PECR (the Privacy and Electronic Communications Regulations 2003), which borrow the UK GDPR standard of consent, required prior opt-in consent for most non-essential cookies, including analytics cookies. This meant users had to actively agree before a tool like Google Analytics could fire.
The DUAA adjusts that. Its provisions on storage and access technologies amend the PECR cookie rule (regulation 6) to allow cookies to be set without prior opt-in consent in certain low-risk situations. Analytics and website optimisation cookies used strictly to gather statistical data are the primary use case.
The exemption applies when all of the following conditions are met:
The cookies are used solely to gather statistical data about website use.
They are not used for advertising, profiling, or cross-site tracking.
A clear and easy-to-use opt-out mechanism is visible to the user at all times.
This is not a blanket removal of consent requirements. Cookies used for advertising, retargeting, or behavioural profiling still require prior opt-in consent under PECR, and the same analytics tool stops qualifying the moment advertising or cross-site tracking features are switched on. Only genuinely low-risk, statistical analytics tools qualify.
Before the DUAA, your consent banner had to block analytics cookies until the user clicked "Accept." Under the new rules, analytics cookies can be placed on the first visit, as long as users have a clear and free way to object. Your cookie consent banner needs to prominently display an opt-out option, not just an accept button.
This is a meaningful improvement for analytics data quality. Opt-in consent models typically result in significant under-reporting. According to research from the ICO, consent rates on many websites remain below 50%, which means businesses have been operating with a heavily skewed picture of user behaviour. The DUAA's opt-out model for low-risk analytics should allow for more representative data.
Cookie consent model: before and after the DUAA
| Cookie type | Before DUAA | After DUAA |
|---|---|---|
| Strictly necessary cookies | No consent needed | No consent needed |
| Analytics / statistical cookies | Opt-in required | Opt-out (with visible mechanism) |
| Marketing / advertising cookies | Opt-in required | Opt-in required (unchanged) |
| Personalisation / profiling cookies | Opt-in required | Opt-in required (unchanged) |
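The consent model in the table above, expressed as script-gating logic a consent layer could run in the browser. This is an added example, not code from the original post or from Clym; every name in it (SCRIPTS, mayLoad, bannerProblems, the consent_prefs cookie) is hypothetical, and the `lowRiskStatistical` flag is the site owner's own assessment of each tool against the DUAA conditions, which the code takes as an input rather than verifying. It goes slightly beyond the table in two ways: the same analytics vendor appears twice, once as a purely statistical deployment and once with advertising features enabled, to show that eligibility depends on how the tool is configured; and non-UK visitors fall back to opt-in for everything, since the relaxed rule is a UK change.

```javascript
// Added example: consent gating for a UK site under the DUAA model.
// Hypothetical names throughout; not from the original post or from Clym.

// One entry per script the site loads. `lowRiskStatistical` records the site
// owner's assessment that the tool is used solely for statistics, with no
// advertising, profiling or cross-site tracking. It is an input, not a check.
const SCRIPTS = [
  { id: "session-cookie", category: "necessary" },
  { id: "web-analytics", category: "analytics", lowRiskStatistical: true },
  // Same vendor with advertising/remarketing features switched on: the
  // statistical exemption no longer applies, so it behaves as opt-in.
  { id: "analytics-with-ads", category: "analytics", lowRiskStatistical: false },
  { id: "retargeting-pixel", category: "marketing" },
  { id: "personalisation", category: "profiling" },
];

// Consent model per category, mirroring the before/after table.
const MODEL = {
  necessary: "exempt",
  analytics: "opt-out",
  marketing: "opt-in",
  profiling: "opt-in",
};

// prefs: { category: true|false } as recorded from the banner. A missing key
// means the visitor has made no choice yet (typically the first visit).
function mayLoad(script, prefs, region = "UK") {
  const model = MODEL[script.category];
  if (model === "exempt") return true;
  const choice = prefs[script.category];
  if (choice !== undefined) return choice === true; // an objection always wins
  // No choice yet: only the UK opt-out model lets a low-risk statistical
  // tool run before interaction; everything else waits for opt-in.
  return region === "UK" && model === "opt-out" && script.lowRiskStatistical === true;
}

function scriptsToLoad(prefs, region = "UK") {
  return SCRIPTS.filter((s) => mayLoad(s, prefs, region)).map((s) => s.id);
}

// Preferences live in a first-party cookie. That cookie is itself strictly
// necessary (it is how an objection is remembered), so it needs no consent.
const PREF_COOKIE = "consent_prefs";

function serializePrefs(prefs) {
  return Object.entries(prefs)
    .map(([category, allowed]) => `${category}:${allowed ? 1 : 0}`)
    .join(",");
}

// Parses a raw Cookie header; unknown categories and malformed values are ignored.
function parsePrefs(cookieHeader) {
  const prefs = {};
  const pair = cookieHeader.split(/;\s*/).find((c) => c.startsWith(PREF_COOKIE + "="));
  if (!pair) return prefs;
  for (const part of pair.slice(PREF_COOKIE.length + 1).split(",")) {
    const [category, value] = part.split(":");
    if (category in MODEL && (value === "0" || value === "1")) {
      prefs[category] = value === "1";
    }
  }
  return prefs;
}

// Checks a banner description against the opt-out requirement: objecting must be
// possible in one step and must stay reachable after the banner closes, so an
// "Accept"-only banner fails.
function bannerProblems(banner) {
  const problems = [];
  if (!banner.objectControl) {
    problems.push("no visible way to object to analytics");
  } else if (banner.objectControl.stepsToObject > 1) {
    problems.push("objecting takes more than one step");
  }
  if (!banner.alwaysVisible) {
    problems.push("opt-out not reachable after the banner closes");
  }
  return problems;
}
```

On a first UK visit with no stored preferences, `scriptsToLoad({})` returns only the session cookie and the purely statistical analytics script; once `parsePrefs` reads an `analytics:0` objection from the cookie header, the analytics script drops out too. The marketing and profiling scripts never load without an explicit `true`, in any region.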
The second major change for businesses is a new formal complaints process. Under the DUAA's complaints provisions, which are inserted into the Data Protection Act 2018 and take effect on 19 June 2026, individuals who believe their personal data has been handled incorrectly must submit a complaint directly to the organisation before they can escalate to the Information Commissioner's Office (ICO).
This is a significant shift. Previously, users could go straight to the ICO with a data protection complaint, regardless of whether they had raised it with the business first. The DUAA creates a pre-escalation requirement that gives organisations the opportunity to resolve issues directly.
Organisations subject to UK data protection law must:
Provide a way for individuals to submit a data protection complaint (including electronically, such as a web form or email address).
Acknowledge receipt of the complaint within 30 days of receiving it.
Take appropriate steps to respond without undue delay, including making any enquiries the complaint requires, and keep the individual informed of progress and of the outcome.
Maintain records of complaints and how they were handled.
The ICO will be publishing further guidance on how to set up a compliant process. The ICO's guidance page is the authoritative source for updates as they are released.
Think of it like a formal grievance procedure in employment law. The pre-ICO complaint step creates a structured record of how your business handles data concerns. If a complaint does eventually reach the ICO, having a documented response trail shows that you took the matter seriously and followed a proper process.
For teams without a formal case management workflow, this is the right moment to put one in place.
Clym's Governance Portal includes case management functionality designed for exactly this. When a data protection complaint comes in, it is logged as a distinct case type in your back-end dashboard. Your privacy team can track progress, log communications, and close the case with a complete audit trail, all without needing to build a custom workflow.
You have a clear runway. Here is a practical checklist to work through:
Review your analytics cookie setup. Confirm whether your analytics tools (Google Analytics, Microsoft Clarity, or similar) meet the DUAA's low-risk criteria. If they do, work with your consent platform to configure an opt-out model for UK visitors.
Update your consent banner. Your UK cookie notice needs to present a visible, easy-to-use opt-out mechanism. An "Accept" only banner is not sufficient under the new rules.
Set up a complaints intake process. This needs to be in place before 19 June 2026. At minimum, you need a dedicated contact point (an email address or form), a documented acknowledgement process with a 30-day acknowledgement deadline, and a commitment to investigate and respond without undue delay.
Train your privacy team. Whoever handles DSRs should also own the complaints process. They need to know the intake steps, the 30-day acknowledgement clock, and how to escalate internally.
Document everything. The complaint record, the acknowledgement, your investigation steps, and the outcome. This is your evidence trail if the ICO ever reviews how you handled a case.
The Data Use and Access Act 2025 is the most significant update to UK cookie law since the original PECR rules came into force. For analytics teams, the move to an opt-out model for low-risk statistical cookies is a practical improvement that should produce better, more representative data. For privacy and compliance teams, the mandatory complaints procedure is a new operational requirement with a hard deadline.
The good news is that neither change requires a ground-up rebuild of your compliance setup. With the right consent management configuration and a structured case management process, your team can adapt without significant disruption.
The key is to act before June 2026, not after.
The Data Use and Access Act 2025 (DUAA) is a UK law that received Royal Assent on 19 June 2025. It amends UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 in specific areas, including cookie consent rules and data protection complaints handling. It does not replace UK GDPR.
Analytics cookies used strictly for statistical purposes can now be placed without prior opt-in consent, provided a clear and free opt-out mechanism is visible to users. Cookies used for advertising, profiling, or cross-site tracking still require opt-in consent under PECR.
The mandatory pre-ICO complaints procedure takes effect on 19 June 2026, one year after the DUAA received Royal Assent. From that date, individuals must submit a complaint to the organisation before escalating to the ICO.
The DUAA requires the opt-out mechanism to be clear, visible, and free, meaning users must be able to object without having to navigate through menus or take multiple steps. The ICO will publish specific guidance on what constitutes a compliant opt-out mechanism.
Any organisation that processes personal data relating to people in the UK, including analytics data collected via cookies, is subject to UK GDPR and the DUAA. This applies regardless of where the organisation is based, provided its activities are directed at people in the UK.
At a minimum, you need a documented way for individuals to submit a data protection complaint (such as a web form or email address), a process for acknowledging complaints within 30 days of receipt, and a commitment to investigate and report the outcome without undue delay. Records of all complaints and responses should be maintained as part of your compliance documentation.