The UK's Data Use and Access Bill June Updates
June 23, 2025
-
Blog

The UK's Data Use and Access Bill June Updates

By 
Benji Payne - Associate & Data Protection Specialist

The UK's Data Use and Access Bill: Not Earth-Shattering, But Worth a Look

Yesterday, the Data Use and Access Bill officially became law after receiving Royal Assent. And while it’s not quite the seismic data reform that’ll have compliance teams scrambling, there are a few bits worth knowing - especially if you’re already juggling UK GDPR, DPA 2018, and PECR compliance.

Here’s our take on what’s changed and why it matters (even if just a little), especially if you're keeping an eye on UK data protection law changes in 2025:

1. Bigger fines for cookie/campaign chaos

The fines under PECR (that’s the one that deals with marketing and cookies) are now aligned with the UK GDPR. That means significantly larger potential penalties of up to £17.5 million or 4% of global turnover.

Why does this matter? Because there’s often more enforcement activity under PECR marketing rules than under UK GDPR compliance, especially when it comes to cookie consent and marketing campaigns. If you’re cutting corners on consent or cookies, this is your gentle nudge to revisit those practices.

2. Legitimate interest assessments (LIAs) just got lighter

A handful of processing activities are now officially classed as recognised legitimate interests, which means you no longer need to go through a full Legitimate Interests Assessment (LIA) for them. That’s one less form to fill in, but only if you were doing it by the book to begin with.

If you’ve ever asked “Do I still need to complete LIAs in 2025?” this change is for you.

3. Automated decision-making rules diluted

Unless your automated decision-making involves special category data (think health, religion, etc.), you’re no longer caught by the same restrictions. Most businesses won’t notice the difference, but it simplifies things slightly for those using automation in decision-making flows.

This aligns the UK slightly differently from GDPR automated decision-making rules still enforced across the EU.

4. Subject Access Requests (DSARs): a bit more breathing room

The updates here are subtle but helpful:

  • You only need to do reasonable and proportionate searches.
  • The response clock pauses if you need to clarify or identify the request.
  • You now need to inform individuals if you’re withholding information under confidentiality or legal privilege exemptions (no hiding behind vague silence anymore).

It’s a small but meaningful update for organisations that regularly deal with Subject Access Requests (DSARs) in the UK.

5. Cookie rules (slightly) relaxed

The Bill introduces some minor exceptions for low-risk cookies i.e., those that aren’t intrusive. But don’t bin your cookie banners just yet as cookie consent UK 2025 rules still expect transparency and an easy opt-out.

Another nudge to stay on top of your PECR compliance checklist.

6. Scientific research provisions clarified

This one’s niche -unless you’re a research-heavy org or handling data for academic projects, it likely won’t move the needle for you. But if it does apply, it's a welcome bit of clarity for the scientific research provisions in UK data law.

What’s the bigger picture?

Honestly, the Bill itself isn’t a game-changer. But its passing is part of the UK’s ongoing attempt to “evolve” its post-Brexit UK data privacy law without jeopardising its adequacy decision with the EU. And with side-eyes already being cast over things like the UK’s interest in encrypted communications (cough Apple cough), we’ll be keeping an eye on how these developments sit with our friends in Brussels.

If you’re wondering “Does the new data law affect GDPR compliance?” - it probably doesn’t, drastically. But it’s another piece of the puzzle. And if you’re dealing with PECR, DSARs, or legitimate interest-based processing, it’s worth a second glance.

Need help navigating this?

We’ve got you. Whether it’s UK GDPR compliance, marketing campaign reviews, or making sense of the latest UK data protection law updates you can contact us here.

Data Protection
Regulation Updates
Next
Previous