UK Data (Use and Access) Act 2025: Key Changes in 2026 Explained - Berry Smith

The UK’s data protection framework has undergone a significant update, with most provisions of the Data (Use and Access) Act 2025 now in force as of February 2026. Rather than replacing existing legislation, the Act refines and builds on the UK GDPR, the Data Protection Act 2018 and PECR, with practical implications for how businesses handle data day to day.

For many organisations, particularly those handling customer, employee or online user data, these changes go beyond compliance on paper. They affect contracts, internal processes and risk exposure in a more immediate and commercial way.

Cookies and Tracking: A Higher-Risk Area Than Ever

The Act introduces targeted changes to cookie rules, including limited exemptions for certain low-risk analytics and functional cookies. However, these are not a free pass: transparency and user opt-out mechanisms remain essential.

At the same time, enforcement risk has increased significantly. Fines for breaches of PECR (covering cookies and electronic marketing) can now reach the same levels as UK GDPR penalties. This elevates cookies from a “website issue” to a genuine legal and financial risk area.

For businesses, this means reviewing not just cookie banners, but also how third-party tools, analytics platforms and marketing technologies are deployed and documented.

Automated Decision-Making and AI

The rules around automated decision-making (including AI-driven processes) have been adjusted, with some relaxation of restrictions where appropriate safeguards are in place.

However, this does not remove risk. Businesses using automated tools for profiling, scoring or decision-making must still ensure transparency, allow for human review, and provide individuals with the ability to challenge outcomes.

As AI becomes more embedded in commercial operations, this is an area where legal, technical and contractual considerations increasingly overlap.

Children’s Data: Increased Scrutiny on Design and Use

There is a clear shift towards stronger protection for children’s data. Organisations providing services likely to be accessed by children must now actively consider enhanced safeguards as part of their data protection approach.

This goes beyond policy wording; it requires practical design decisions, such as default privacy settings, clear and age-appropriate information, and limiting data collection where possible. Regulators are increasingly focused on whether businesses can demonstrate these protections in practice.

Lawful Basis: Changes to Legitimate Interests

The Act introduces a new concept of “recognised legitimate interests” for certain limited activities, such as crime prevention or safeguarding. In these cases, businesses may not need to carry out the usual balancing exercise.

For most commercial activities, however, the standard legitimate interests test still applies. This means organisations must continue to carefully assess and document their reasoning, particularly where data use may not be obvious to individuals.

Stronger Enforcement and Complaints Handling

Regulatory expectations are increasing, both in terms of enforcement and accountability. Alongside higher potential fines, there is a growing emphasis on transparency and governance.

From June 2026, businesses will also be required to implement formal data protection complaints procedures. This includes clear processes, response timeframes and record-keeping, moving complaints handling into a more structured, auditable framework.

This is likely to require input from legal, compliance and operational teams to ensure processes work in practice, not just on paper.

Berry Smith’s Bottom Line

While the changes are not a complete overhaul, they do require a proactive review of existing practices. Key areas to focus on include:

· Reviewing cookie use, consent mechanisms and tracking technologies

· Updating privacy notices and internal policies

· Assessing any use of automated decision-making or AI tools

· Strengthening protections where children’s data may be involved

· Preparing for new complaints handling requirements

· Reviewing third-party contracts to ensure responsibilities are clearly allocated

Importantly, the impact of these changes will vary depending on the nature of your business, making a tailored approach essential.

Taking a proactive approach now can help avoid regulatory scrutiny, reduce dispute risk and ensure your contracts and processes are fit for purpose in an evolving data landscape.

If you have any queries or need any assistance relating to your business's data protection, please do not hesitate to contact us at commercial@berrysmith.com or on 029 2034 5511.