Introduction
The Data (Use and Access) Act 2025, commonly known as the Access Act 2025, is the UK’s most substantial data regulation update since the UK GDPR took effect. The Act aims to simplify compliance while fostering innovation and economic growth across the UK economy, modernizing rules around data sharing, digital verification services, smart data schemes, and significant amendments to data protection and privacy law.
For most businesses, the practical impact centers on processing personal data compliantly: handling subject access requests, managing cookies and direct marketing, responding to data protection complaints, navigating automated decisions, and managing international transfers. This article is written for UK businesses and international Shopify merchants who need a concise, practical roadmap as DUAA provisions are phased in through 2025β2026. The focus is on concrete dates, obligations, and action points rather than legal theory.

Structure and Scope of the Data (Use and Access) Act 2025
DUAA is a wide-ranging framework with seven parts. It covers smart data initiatives, digital verification services, the national underground asset register, and substantial changes to UK data protection requirements. Part 5 is the central section for data controllers and processors, as the Act introduces amendments to the UK GDPR, the Data Protection Act 2018, and the electronic communications regulations that govern everyday data use and access practices.
Key structural highlights include:
- A restructured ICO (eventually to become the “Information Commission”) with enhanced governance, clearer objectives, and stronger enforcement powers
- A more flexible data protection test for assessing international data transfers and adequacy decisions
- New recognized legitimate interests as a lawful basis, direct complaint rights for data subjects, and a codified standard for DSAR reasonable and proportionate searches
- Frameworks for smart data schemes and digital verification services that create new regulated data flows
Implementation Timeline and Key Compliance Dates
The UK government is phasing DUAA into force via multiple Commencement Regulations. Organizations are required to align their practices with the new Data (Use and Access) Act 2025 requirements by August 2025 for initial provisions, with the full regime operational by mid-June 2026.
Stage | Date | What Takes Effect |
|---|---|---|
Royal Assent | 19 June 2025 | Act passed into law |
Commencement No. 1 | 20 August 2025 | Smart data provisions, new ICO objectives, AI/copyright reporting |
Commencement No. 4 | 1 December 2025 | Part 2 (digital verification) provisions |
Commencement No. 6 | 5 February 2026 | Major Part 5 data protection reforms: DSARs, ADM, PECR penalties, cookies |
Final stage | 19 June 2026 | Controller complaints handling obligations |
Organizations should use 2025β2026 to map processing activities, update records, and align cross-border data transfers with the new adequacy and risk-assessment requirements. Some DSAR clarifications took effect in February 2026, meaning businesses needed to adapt handling flows earlier than other obligations.

Core Data Protection Changes Under DUAA
This section covers the headline changes that affect day-to-day UK data protection compliance. While DUAA aims to simplify and clarify data protection law, it also creates a significant shift and divergence from EU GDPR, meaning dual compliance complexity for organizations operating in both the UK and the European Union. For further details on managing both regimes, see this guide on complying with UK GDPR and EU GDPR at the same time.
Automated Decision Making: A Narrower but Stricter Regime
The DUAA narrows the prohibition on automated decision-making by replacing Article 22 of the UK GDPR with new Articles 22AβD. Under the updated rules, the outright prohibition now concentrates solely on automated decisions with legal or similarly significant effects based on special category data (such as health, ethnicity, or biometrics), which still require explicit consent or specific legal provision.
For significant automated decisions using non-special-category data, such as credit scoring, fraud checks, or dynamic pricing, the regime is more permissive. Significant automated decisions now include legitimate interests as a basis, along with other lawful bases except recognized legitimate interests. However, organizations must provide transparency in automated decision-making processes and ensure individuals can challenge automated decisions affecting them under DUAA. These automated decision-making rules diverge from EU regulations under DUAA.
Practical steps for Shopify merchants and online services:
- Conduct a register of all automated decision-making systems and AI systems (fraud scoring, order auto-decline, personalized pricing)
- Update privacy notices with clear information about automated processing and the right to human review
- Build workflows that allow customers to contest decisions
- Never use special category data in automated decisions without explicit justification
Recognized Legitimate Interests and Lawful Bases
DUAA introduces recognized legitimate interests as a new legal basis under Article 6(1)(ea), distinct from standard legitimate interests. This narrower category applies to five pre-approved public interest purposes where no balancing test against individual rights is needed:
- Crime prevention and detection
- Safeguarding vulnerable individuals
- Responding to emergencies
- National security and public security
- Disclosures in the public interest or exercise of official authority
For standard commercial uses, analytics, behavioral advertising, and personalized marketing, organizations still need to conduct traditional legitimate interest assessments. Update internal records of processing activities to flag where recognized legitimate interests apply, and maintain standard assessments everywhere else. Don’t over-stretch recognized legitimate interests beyond the specific statutory list.
The Act also clarifies that, in some cases, personal data can be used for scientific research without new privacy notices, providing organizations with further details on when certain exemptions apply.
Data Subject Access Requests: “Reasonable and Proportionate” Standard
DUAA codifies existing ICO guidance on data subject access requests: data controllers must conduct reasonable and proportionate searches for personal data. The ICO updated its Right of Access guidance for DSARs to reflect these changes. The DUAA also allows a stop the clock provision for DSARs-when identity verification information is needed from the requester, the response clock pauses until the controller receives it.
In practice, proportionate searches mean:
- Focusing on core business systems (Shopify backend, email marketing platforms, consent records from tools like Pandectes)
- Placing time and scope limits when requests are extremely broad
- Documenting why certain data locations were excluded from the search
- Responding without undue delay and within statutory deadlines
For a deeper dive, see this guide to understanding and handling data subject access requests. Implement standard DSAR workflows, templates, and automation where possible. Ensure that any limits to searches are always explained clearly to the requester.
Direct Complaints to Data Controllers
The Act introduces a new right for consumers to complain directly to data controllers about data protection issues, before or in addition to contacting the Information Commissioner’s Office. Organizations must implement complaint-handling procedures by June 2026. The ICO will release updated guidance on complaints handling in Winter 2025/2026, and the Act requires businesses to implement formal internal complaints procedures for data protection issues.
To prepare:
- Update privacy notices, cookie policies, and customer support scripts to inform individuals of their right to complain
- Organizations must provide clear information on how to submit complaints, including email addresses, web forms, or in-app mechanisms
- Acknowledge complaints within 30 days and respond without undue delay
- Track outcomes as part of accountability documentation
Many disputes can be resolved at the controller level, potentially reducing the need for regulatory investigations when handled well. Integrate complaint handling with existing helpdesk tools and train support teams on the process.
PECR, Cookies, and Direct Marketing Under DUAA
DUAA significantly updates PECR to align fines and enforcement powers with UK GDPR levels. The Information Commissioner’s Office now has enhanced penalty powers under the Privacy and Electronic Communications Regulations, meaning fines for cookie violations can reach Β£17.5 million or 4% of global turnover, a dramatic increase from the previous Β£500,000 cap.
The Act allows low-risk cookies without explicit consent. Cookies for statistical purposes may not require consent if they meet strict criteria: aggregate data only, no individual profiling, no advertising, and a simple opt-out is offered with clear notice. Mixed-use technologies (analytics plus advertising) still require consent for non-exempt purposes. For more on how analytics cookies work under evolving rules, review updated guidance regularly.
Organizations must also report data breaches within 72 hours, in line with the UK GDPR standard. Adjust incident response plans accordingly.
Compliance actions for e-commerce businesses:
- Audit all tracking technologies (cookies, pixels, fingerprinting, tags) and classify by purpose
- Align implementation with a consent management platform such as Pandectes, which automates cookie consent banners, consent logs, and regional rules
- Review direct marketing practices to ensure PECR consent or soft opt-in requirements are met
- Update electronic communications and marketing opt-out mechanisms

International Data Transfers and UK Adequacy After DUAA
The Act simplifies aspects of the UK’s international transfer regime by introducing a more flexible data protection test for assessing third-country regimes. Under this test, a country’s protections need not be essentially equivalent to UK standards-they must simply not be materially lower. This can speed up adequacy decisions and ease some transfer risk assessments for UK-based controllers.
However, adequacy decisions may diverge between the UK and the EU over time. The Data (Use and Access) Act 2025 aims to maintain EU data adequacy while reducing administrative burdens, but businesses must prepare for possible future adjustments to EU-UK data flows. Organizations must ensure adequate protection when transferring data and maintain appropriate safeguards regardless of the mechanism used.
For global merchants, practical compliance means:
- Map all cross-border data transfers (Shopify, cloud hosting, payment providers, analytics tools)
- Document transfer tools: adequacy decisions, SCCs, BCRs
- Maintain two parallel assessments-one for UK and one for EU GDPR-so you do not rely solely on UK adequacy if rules diverge
- Monitor regulatory guidance from both the ICO and the European Commission
To transfer personal data in compliance with UK and EU GDPR requirements, review this practical guide.
Smart Data and Digital Verification Services: New Opportunities and Risks
DUAA formally establishes frameworks for smart data schemes, enabling consumers to securely share their data with trusted third parties across sectors such as finance, utilities, and telecoms. The Act introduces “Smart Data Schemes” for secure data sharing in sectors like finance and energy, modeled on Open Banking.
Part 2 of the Act introduces digital verification services, allowing certified providers to offer digital identity verification reusable across online services. E-commerce businesses might leverage DVS to streamline age verification, KYC, or high-value transaction checks, but must still comply with DUAA’s protections around automated decision-making and special category data.
Organizations participating in these ecosystems must ensure robust data governance, clear customer consent, and alignment with the UK GDPR principles of data minimization and purpose limitation. Integrate these new data flows into processing records, DPIAs, and third-party risk assessments.
Children’s Data and Higher Protection Standards
The Act strengthens protections for children’s online data by adding “children’s higher protection matters” into the UK GDPR framework. Organizations must consider children’s privacy when designing services likely to be accessed by minors. Children’s data protection provisions align with broader global data protection trends, including the ICO’s existing Children’s Code.
Organizations processing children’s data must review their policies, particularly around:
- Age-appropriate design of interfaces and default privacy-protective settings
- Limited tracking, profiling, and targeted advertising for minors
- Clear information presented in child-friendly language
- Updated DPIAs specifically addressing children’s personal data
Shopify merchants selling toys, games, or youth fashion should treat children’s data as higher risk. For US-specific considerations, see this overview of children’s privacy laws.
Preparing Your Organization for DUAA: A Practical Compliance Roadmap
Moving from awareness to implementation requires a phased approach:
- Gap analysis: Map current processing against DUAA changes. Identify all ADM uses, review which lawful basis applies to each activity, audit your cookie and tracking stack, and check for scenarios involving children’s access.
- Governance updates: Revise privacy notices, records of processing, and data protection policies. Reflect new lawful bases, mention the direct right to complain to the controller, and outline ADM practices.
- Technical and organizational changes: Update DSAR-handling workflows, cookie categorization, marketing consent flows, and international transfer documentation. Take appropriate steps to implement complaint handling mechanisms before June 2026.
- Training and monitoring: Ensure legal, product, and marketing teams understand the changes. Schedule regular internal audits, subscribe to ICO draft guidance, and publish updated guidance announcements.
Treat DUAA as part of a global privacy program alongside EU GDPR, CCPA, LGPD, and other privacy laws, rather than a standalone project.
- No coding required
- Works with all Shopify themes
- Blocks tracking before consent
- Google Consent Mode v2 ready
- Trusted by 180k+ stores
- 2,900+ 5-star reviews
- Google CMP Partner
Pandectes and DUAA: Supporting UK and Global Shopify Stores
Pandectes already helps Shopify merchants comply with UK GDPR, EU GDPR, CCPA, LGPD, and other frameworks through cookie banners, consent tracking, and automated privacy controls. DUAA-related changes-higher cookie fines, DSAR standards, recognized legitimate interests, and children’s data protections-reinforce the need for accurate consent management and granular control over tracking technologies.
Specific Pandectes capabilities relevant to DUAA include providing access to Google-certified CMP status, region-aware banners for UK vs EU users, automatic store scanning to detect cookies and tags, multilingual notices, and detailed consent logs for accountability. As ICO guidance evolves, merchants can use Pandectes to simplify updates, minimizing manual changes to banners, preferences, or scripts every time rules shift.
DUAA compliance is ultimately an opportunity to build trust and improve user experience, while relying on purpose-built tooling to handle operational complexity in the background.
Conclusion
The Data (Use and Access) Act 2025 represents a significant shift in UK data regulation, one that demands attention from every organization processing personal data in the UK. The phased implementation through mid-2026 gives businesses time to adapt, but that window is closing. By running a gap analysis now, updating governance documents, and leveraging automated compliance tools like Pandectes, you can stay ahead at each stage of commencement and reduce compliance complexity. Treat DUAA not as an isolated obligation but as part of your broader global privacy stack, and you’ll be well-positioned for whatever regulatory guidance comes next.


