The UK’s new Data (Use and Access) Act 2025 (DUAA) was granted Royal Assent on 19 June, initiating a phased rollout of regulatory changes that reshape how organisations collect, process, and deploy data. For CMOs and digital leaders, the Act offers both new freedoms and stricter liabilities — especially in the areas of cookies, consent, and campaign oversight.
According to the Information Commissioner’s Office, the DUAA represents “a smarter way to regulate” by simplifying lawful processing while reinforcing accountability. But marketers will need to update long-standing practices to take advantage of the changes.
One of the most significant reforms is the removal of consent requirements for certain low-risk cookies, such as those used for UX improvements or basic analytics. As outlined in Mayer Brown’s PECR briefing, this shift allows organisations to simplify their cookie banners and reduce friction on digital properties — though opt-outs remain necessary for tracking and profiling tools.
At the same time, the DUAA imports a statutory definition of “direct marketing” into both PECR and the UK GDPR. This change, detailed in a Lexology briefing, offers greater clarity over what constitutes a marketing message, and therefore what permissions are required. For charities, a newly introduced “soft opt-in” permits email outreach to existing supporters without explicit consent — a shift that could influence not-for-profit engagement strategies.
The Act also introduces a new lawful basis for processing under Article 6(1)(ea) of the UK GDPR, known as “recognised legitimate interests.” These cover public-interest scenarios — like fraud prevention and safeguarding — and no longer require a full Legitimate Interest Assessment. For CMOs, this could reduce reliance on pop-up consent for certain types of remarketing or customer-segmentation initiatives, particularly where the purpose aligns with security or service-improvement goals. As Mayer Brown explains, organisations still need to document these decisions for audit purposes.
Against this backdrop, marketing leaders are being urged to take immediate compliance steps. The DPO Centre recommends reviewing current consent flows and segmenting databases according to lawful basis — ensuring that CRM, analytics, and messaging tools remain fully aligned with the revised legal framework.
Beyond tactical changes, the DUAA elevates the risk profile of non-compliance. As part of the reform, fines under PECR have been aligned with the UK GDPR — up to £17.5 million or 4% of global turnover. The ICO now has powers to compel attendance for interviews, demand technical reports, and issue penalties more swiftly. As the ICO itself has made clear, the bar for enforcement has been raised.
For CMOs, this makes data governance not just a legal obligation, but a reputational and brand trust imperative. Campaigns that mishandle consent or data access — even unintentionally — now carry greater financial and regulatory consequences.
Internally, marketing teams will need closer alignment with legal, IT, and product departments. For example, those managing customer messaging must integrate protocols that meet the 72-hour breach notice rule for telecoms platforms — one of the new requirements under amended PECR. Similarly, AI-driven tools used for segmentation or personalisation must be able to comply with the DUAA’s revised rules on automated decision-making — including rights to explanation and challenge.
The Government has confirmed that most provisions will be phased in over the next year, with cookie and ADM reforms due by December, and enforcement powers live from August.
As these timelines draw closer, CMOs face a dual challenge: simplifying customer experiences while maintaining clear accountability over how personal data is handled. The DUAA doesn’t eliminate consent — but it does demand a smarter strategy for when and why it’s used.