
Key reforms in UK Data Protection Law: The Data Use and Access Act 2025


On 5 February 2026, significant changes to UK data protection law took effect under the Data Use and Access Act 2025 (“DUAA”). DUAA is designed to simplify and streamline various elements of the UK GDPR and the Privacy and Electronic Communications Regulations. Additionally, it introduces new obligations for companies operating in the UK, making it crucial for organisations to stay informed about the updated requirements.

The primary changes which took effect from 5 February 2026 include:

  • Enhanced protections for children
  • A new legal basis for “recognised legitimate interests”
  • Updates to the rules on data subject access requests
  • Expansions to the scope of automated decision-making
  • Modifications to cookie consent requirements.

Below, we’ll explain what these changes mean in practice.

Strengthening protection for children

One of the most important changes introduced by DUAA is the implementation of additional protections for children using online services. Companies offering services likely to be used by children are now required to consider specific “children’s higher protection matters,” such as:

  • Measures to protect and support children while using the service
  • Recognition that children need special protection regarding their personal data, as they may not fully understand the risks associated with data processing or their rights in relation to it
  • Acknowledging that children’s needs vary by age and developmental stage.

These updates build upon the existing GDPR requirement for companies to apply data protection by design and default. Specifically, DUAA formalises the ICO’s Children’s Code, making it a legal obligation for service providers to consider children’s needs when designing their platforms. Companies should review their product designs, age-verification methods, and Data Protection Impact Assessments (DPIAs) to comply with these changes.

A new legal basis: recognised legitimate interests

The DUAA introduces a new lawful basis for processing personal data under the UK GDPR – “recognised legitimate interests.” This new basis applies to specific activities such as:

  • Crime prevention
  • Safeguarding vulnerable individuals
  • Responding to emergencies
  • Protecting national security
  • Supporting public interest tasks, as defined by law.

This new framework is intended to give businesses more confidence when processing data for these purposes, without the need to conduct a detailed legitimate interests assessment. However, it’s important to note that while this provides more clarity, the processing activities still must align with the principles of transparency and necessity outlined in the UK GDPR.

Additionally, DUAA outlines a non-exhaustive list of activities that may also be covered by legitimate interests, such as direct marketing, internal data sharing within organisations, and network and information security. However, in these cases, companies will still need to conduct a legitimate interests assessment.

Simplified Data Subject Access Requests

DUAA introduces new provisions regarding data subject access requests (DSARs), confirming that data controllers may pause the clock while awaiting further information from data subjects to clarify the scope of a request. It also formalises existing case law by confirming that controllers need only carry out searches that are reasonable and proportionate, a standard that was not explicitly set out under the previous law.

DUAA also requires that companies establish a process for handling complaints from data subjects. This change will take effect later this year (on 19 June). To prepare, organisations should update their privacy notices to include information about the complaints process and make it easy for individuals to submit complaints (e.g., by providing an online complaint form).

Expanding the scope of automated decision-making

One of the more groundbreaking reforms of DUAA is the expansion of automated decision-making. This change aims to support the growing use of automation in business and government operations by allowing for broader applications of fully automated decision-making systems.

Previously, UK law largely prohibited automated decision-making unless specific conditions were met. The government argued that these rules were overly complex and hindered the beneficial use of automation. DUAA reforms simplify these rules by:

  • Limiting strict regulations to the processing of special category data (a more sensitive type of personal data), which departs from the EU’s approach
  • Specifying the safeguards that must be in place for a company to make significant decisions solely based on automated processing. These include:
    • Providing individuals with information about the decision(s)
    • Allowing individuals to challenge automated decisions
    • Ensuring that a human review is available when needed.

Updates to cookie consent

DUAA introduces new exemptions from the requirement to obtain consent for certain types of cookies. These exemptions apply to cookies that pose a low risk to user privacy, such as:

  • Analytics cookies used to collect statistical data for improving website performance
  • Functional cookies that enhance the user experience
  • Security cookies designed to prevent or detect fraud.

While these cookies no longer require explicit user consent, businesses must still provide clear information about their use and offer an easy-to-use opt-out mechanism. These changes align with how the ICO is already enforcing cookie consent.

It’s important to note that the potential penalties for non-compliance with cookie consent rules are now aligned with UK GDPR penalties (the maximum fine is the higher of £17.5 million or 4% of worldwide turnover for serious infringements, and for less severe infringements like poor record-keeping, it’s £8.7 million or 2% of turnover), which are more significant than the £500,000 maximum fine under the previous regime.

Next steps and implementation

The reforms introduced by DUAA will be phased in over time, with major changes having already taken effect on 5 February 2026. Some provisions, such as the requirement to conduct a “reasonable and proportionate” search for data subject access requests, already came into force in 2025. Additionally, later this year, further reforms will be introduced, including a statutory right for data subjects to file complaints with controllers regarding the processing of their data.

Data controllers are required to respond to complaints within the designated timeframe of one month or three months, depending on whether the request is complex. The immediate effect of this new right is that controllers should now include it in their privacy notices and provide accessible channels for submitting complaints.

Here are some steps you can take as a business to implement these new changes:

  • Update Privacy Notices to reflect new rights, obligations, and cookie rules.
  • Protect children’s data by implementing age verification and child-friendly privacy settings.
  • Ensure compliance with the new “recognised legitimate interests” basis.
  • Establish clear processes for access requests and complaints.
  • Implement safeguards for automated decision-making: provide transparency about decisions, allow individuals to challenge them, and enable human review where necessary.
  • Ensure transparency and provide opt-out options for low-risk cookies.
  • Train staff on new DUAA requirements.
  • Update assessments for high-risk activities, especially involving children or automation.
  • Strengthen cybersecurity measures and data protection practices.
  • Monitor regulatory updates and guidance from the ICO.
  • Update data sharing contracts to align with new legal bases and cross-border data rules.
  • Keep thorough records and be ready for audits.

Conclusion

As these changes unfold, it is essential for companies to stay informed and ensure compliance with the updated regulations to avoid penalties and build customer trust. The Information Commissioner’s Office (soon to change its name to “Information Commission”) will provide practical, regularly updated guidance on the changes DUAA is introducing, and this will be the starting point for businesses seeking information on this topic.

Contact our employment law solicitors today

If you require further assistance on this matter, our team at Ashtons Legal is happy to help. Please contact a member of our Employment Law team. You can use our online enquiry form or call 0330 191 5713.
