Resources

Podcasts, Guides, Updates & More


Data Protection People Blogs

Data Privacy Learning & Guidance

Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.

How to Prepare for the Data (Use & Access) Act 2025

Between June 2025 and June 2026, the government will implement the Data (Use & Access) Act (DUAA) to promote innovation and economic growth nationwide. 

The DUAA makes several updates to data protection law, which the ICO says ‘make things easier for organisations, while [protecting] people and their rights’. But with change comes uncertainty, leaving businesses and data protection experts alike wondering how they can prepare.

In this blog, we cover your next steps and the opportunities available to simplify data protection compliance. 

To Prepare for the DUAA, You Should:

  • Familiarise Yourself with the Changes
  • Implement a Complaints Procedure
  • Meet New Requirements for Children’s Online Services
  • Update Your DSAR Response Procedure
  • Update Cookie Consent
  • Review Use of Automation
  • Organise Data Protection Training

1. Familiarise Yourself with the Changes

The Data (Use & Access) Act is as technical a read as the UK GDPR, PECR and Data Protection Act (DPA). Your Data Protection Officer (DPO) or the people responsible for managing compliance will need to spend time assessing the changes the DUAA makes to data protection law.

In our podcast, Data Protection Made Simple, we break the DUAA down into simple terms and provide practical tips for staying compliant with the law. Listen in now:

If you need more support, our data protection consultancy can help run through which changes impact your business the most. 

2. Implement a Complaints Procedure

Under the DUA Act, data subjects now have the right to complain directly to a data controller if they believe their personal data is being processed unlawfully. Such complaints were initially dealt with by the ICO; controllers must now have a formal complaints process for handling data protection concerns.

Your complaints procedure should include:

  • Clear instructions on how and where to file complaints
  • An easily accessible form for individuals to submit complaints
  • The steps you’ll take to resolve and respond* to complaints
  • How you will keep individuals informed of outcomes 
  • Appointed staff members trained in handling complaints

*Responses must be within 30 days of receiving the complaint.

3. Meet New Requirements for Children’s Online Services

One in five UK internet users is a child, so there’s every chance your online service may be used by an age group you never designed for. The DUAA expects you to prioritise the best interests of a child when designing and developing online services, ensuring they are protected in the digital age.

This applies to a variety of services, including apps, websites and connected toys. If you meet the existing Age Appropriate Design Code (AADC), you will have already satisfied this new requirement. 

4. Update Your DSAR Response Procedure   

The DUAA is expected to make subject access request (SAR or DSAR) handling and response easier; therefore, your internal procedure should now provide this flexibility. 

Your procedure should make clear: 

  • Your refined search scope – You should only make ‘reasonable and proportionate searches’ when fulfilling a subject access request. 
  • Stop the clock provision – Guidance on how your staff can pause the one-month deadline for responding to DSARs if they’re waiting for identity verification or further clarification of scope.

5. Update Cookie Consent 

Under the DUA Act, consent is no longer required where cookies or similar technologies fall within low-risk processing. These exempted purposes include:

  • Statistical/analytics purposes to improve services
  • System security and fraud detection
  • Improving website functionality or tailoring the website to user preferences

You must assess whether your website’s analytics or functional cookies qualify for this exemption, considering whether they are strictly necessary and low risk. With this in mind, you’ll need to update cookie consent banners, policies and internal documentation to reflect the change in consent. 

If you are a charity, you will also have to implement a clear opt-out option for direct marketing sent under the soft opt-in rule.

6. Review Use of Automation 

One way the DUAA is promoting innovation is through its new provisions (Articles 22A-22D of the UK GDPR) governing automated decision-making (ADM). 

To welcome this innovation, make sure you:

  • Include the new provisions under Articles 22A-22D in any data protection impact assessments (DPIAs) covering ADM
  • Confirm the legal basis when special category data is required 
  • Add transparency statements and human review protocols where ADM affects individuals significantly

7. Organise Data Protection Training 

You may know what to do, but how you need to do it might not be as clear. Now is the perfect time to schedule some refresher data protection training to ensure everyone is up to speed. 

As a training provider, we can support your business with training tailored to your sector and processing requirements. All courses are up to date with the DUA Act, so your team will receive the latest insights on maintaining compliance. 

How Does the DUA Act Help Your Business?

  • Research provisions: The Act clarifies when personal data can be used for scientific research (including commercial) and permits ‘broad consent’ for such purposes.
  • Automated decision-making: It broadens the ‘lawful bases’ that can be relied upon for significant automated decisions using personal data, potentially including ‘legitimate interests’, provided suitable safeguards are in place.
  • Cookie rules: The DUAA permits the use of certain types of cookies, such as those employed for statistical analysis or enhancing website functionality, without requiring explicit consent.
  • New ‘recognised legitimate interests’: For specific ‘recognised legitimate interests’ (e.g., public security), businesses no longer need to balance the impact on individuals against the benefits of data use.
  • ‘Soft opt-in’ for charities: Charities can send electronic marketing to individuals who’ve supported or shown interest in their work, unless they object.
  • Subject access requests (SARs): The Act clarifies that only ‘reasonable and proportionate’ searches are required when responding to SARs.
  • Improved clarity: The legislation’s wording and structure have been refined to facilitate easier understanding and application.

Need Help? Contact Our Data Protection Consultants Today

As a GDPR consultancy, our goal is to make data protection easy to understand and easy to do. If you need expert support navigating the DUAA, please contact our team, and we’ll be in touch. 

How the Data (Use and Access) Act Is Changing Data Protection Law

The Data (Use and Access) Bill was first introduced in October 2024 to replace its failed predecessor, the Data Protection and Digital Information (DPDI) Bill.

On June 19th, 2025, this bill became an Act of Parliament. Now known as the Data (Use and Access) Act (DUAA), this Act is one of the most significant changes to UK data protection law since the GDPR.

In this article, we examine the key provisions in the Act that will impact the UK GDPR, DPA and PECR legislation. 

Does the DUAA Impact Any Data Protection Laws? 

Yes – the Data (Use and Access) Act (2025) makes changes to the following UK data protection laws:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Privacy and Electronic Communications Regulations 2003 (PECR 2003)  

The DUAA does not replace any laws; it only amends and introduces new provisions. 

What Changes Has the DUA Act Made to the UK GDPR & DPA 2018?

The Data (Use and Access) Act has made changes in the following areas:

  • Automated Decision-Making
  • Data Subject Access Requests
  • Children’s Data Protection Obligations
  • Scientific Research
  • Legitimate Interests
  • International Data Transfers
  • New Complaints Procedure
  • Reforms to the ICO

1. Automated Decision-Making (ADM)

Prior to the DUAA, Article 22 of the UK GDPR restricted automated decision-making unless it was done with the individual’s consent, permitted by UK law, or necessary for a contract between an individual and a business.

The DUAA replaces this Article with Articles 22A-22D, which allow for greater flexibility in using ADM, provided that the necessary safeguards are in place. These include:

  • Providing the individual whose personal data was used for ADM with complete transparency about the decision
  • Offering human intervention if requested by the individual
  • Enabling the individual to contest the decision
  • Allowing the individual to make representations 

Restrictions are only in place when using special category data (e.g., race, health, or biometric data), reinstating what was required pre-DUAA. Organisations can only use this data for ADM if they have consent, or where necessary for substantial public interest. 

2. Data Subject Access Requests (DSARs)

The DUAA now provides further clarity on a business’s obligations when handling DSARs (also known as SARs).

Previously, businesses had one month to respond to a subject access request from the moment it was received. The DUAA introduces a “stop the clock” provision, which allows organisations to pause the response time until they have enough information from the individual to clarify the request.

Once they have the relevant information, the one-month response time continues. 

Previously, the law did not explicitly state that responding to DSARs had to be “reasonable and proportionate” (i.e., not requiring undue effort to complete the search). The DUAA clarifies what constitutes disproportionate effort, offering more flexibility to DPOs managing complex or voluminous requests. 

3. Controller Obligations – Children’s Data Protection

Section 81 of the DUAA introduces an explicit duty of care for providers of online services accessed by children. These controllers must take into account the “children’s higher protection matters” (Article 25(1B)) when designing services for children. 

When choosing the appropriate technical and organisational measures, controllers must consider:

  • How best they can support and protect children using their services
  • How children may be less aware of the risks and consequences of personal data processing
  • How children have unique needs at different ages and stages of development

4. Scientific Research

The DUAA introduces the concept of ‘broad consent’, previously outlined in the UK GDPR recitals, into the main text of the legislation. 

This measure allows researchers to rely on broad consent, whereby individuals consent to their information being used for an “area of scientific research” rather than a more specific purpose. Gaining broad consent is contingent upon meeting the ethical standards relevant to the area of research. 

5. Legitimate Interests

There is now a list of recognised legitimate interests under Article 6(1)(f) of the UK GDPR, which includes:

  • National security, public safety and defence
  • Emergency response
  • Safeguarding of vulnerable individuals
  • Crime prevention 
  • Disclosure of data in the public interest 

When data processing is based on any of these interests, no balancing test is required. This test, also known as a legitimate interests assessment, balances the controller’s interests against the individual’s rights and freedoms to ensure processing is fair. 

Removing the balancing test recognises the ‘societal value of the processing in specified situations and the potential negative impacts of any delay.’ 

6. International Data Transfers

Under the DUAA, international data transfers are permitted if the receiving country has data protection standards that are similar to (not materially lower than) those of the UK. This replaces the EU-style adequacy framework, making it easier to approve data transfers to a wider range of countries.

By moving from the ‘essentially equivalent’ test to a ‘not materially lower’ test, the UK gains more flexibility to transfer data than the EU’s stricter standards allow.

7. New Complaints Procedure 

Data subjects now have the right to complain to a data controller if they’re concerned that the way their information is processed breaches data protection law.

While individuals have always had the right to complain, the DUAA now places the burden for acting on that complaint with the controller, rather than the ICO. 

In response to this, controllers must implement a clear response procedure, whereby all complaints are acknowledged within 30 days of receipt. Controllers are also required to respond without undue delay and inform the individual of the outcome. 

For more insight, read our recent blog on this new complaints provision to find out how you can prepare.  

8. Reforms to the ICO

Currently, all powers and responsibilities are held by one individual, the Information Commissioner. The DUAA will replace the ICO with the Information Commission, which will be led by a chair and a chief executive, with other non-executive and executive members also in place.   

This significant institutional change will promote diversity in decision-making by sharing decisions across a board, rather than relying on a sole decision-maker.

The Information Commissioner will have additional duties to consider, which you can learn about on GOV.UK’s ICO factsheet.  

How Has the DUA Act Changed the PECR?

1. Time Period to Report Breach

The Data (Use and Access) Act now requires communication providers to report personal data breaches to the ICO ‘without undue delay’ and no later than 72 hours after becoming aware of them.

The PECR currently requires businesses to report breaches within 24 hours, so the new time period (72 hours) is in line with the reporting period under the UK GDPR. 

2. Non-Compliance Fines

The DUAA aligns the maximum fines for PECR breaches with the UK GDPR, increasing them to £17.5 million or 4% of a company’s global annual turnover, whichever is greater.

With the original maximum fine at £500,000, this increase places significant responsibility on businesses to strengthen PECR compliance.

3. Soft Opt-In Rule for Charities

Charities can send marketing emails and texts to individuals who have expressed interest or offered support to the charity. This is known as the ‘soft opt-in rule’, which allows charities to send electronic marketing without needing explicit consent.  

Individuals must be able to opt out at any time, whether it’s at the first instance or later down the line. This means charities can continue to send communications to an individual until they explicitly opt out.

4. Cookie Compliance Exemptions 

While the PECR required consent for all but ‘strictly necessary’ cookies, the DUAA introduces new exemptions for specific ‘low-risk’ scenarios, provided that clear information and an opt-out option are offered to users.

Under the new rules, consent is no longer required for the use of cookies for the following purposes:

  • Statistical analysis for service improvement (e.g., website analytics).
  • Website functionality and improvement, such as adapting a website to a user’s preferences.
  • Security and fraud prevention.

When Will the DUAA Changes Take Effect? 

Changes to data protection law will come into force two to twelve months after Royal Assent (June 2025). GOV.UK will announce further details of the regulations and the exact dates when each measure will commence. 

Want to Learn More? Subscribe to Our Podcast

Our podcast, Data Protection Made Easy, is your go-to hub for the latest news and changes in data protection law. Recently, our team hosted two live sessions discussing the DUA Act and how businesses can prepare going forward. 

Catch up and listen to:

Our award-winning podcast is available on Spotify, Amazon Music and many other podcast sites. Subscribe now to avoid missing out. 

Speak to Our Data Protection Consultants Today

Our data protection consultancy can help you prepare for all the changes in the DUAA. Whether it’s setting up a complaints procedure or updating cookie consent, we’re here to guide you through. 

Need support? Get in touch with our team today

Could VPNs Be Banned in the UK?

Could VPNs Be Banned in the UK? What the Age Verification Backlash Tells Us About Privacy, Policy, and the Future of the Internet

The UK’s new age verification laws under the Online Safety Act 2023 have sparked public outcry, technical workarounds, and a five-fold spike in VPN downloads across the country. But now, the government is “looking very closely” at VPN usage, raising questions about whether these tools could face greater scrutiny or possible restrictions in the future.

For data protection professionals, this moment is about more than bypassing adult content filters. It reflects growing tension between safety-driven regulation and privacy-preserving technologies, and how this tension could shape the UK’s online freedoms over the coming years.

What’s Happening?

On 25 July 2025, new rules came into force requiring all websites hosting 18+ or potentially harmful content to implement robust age verification checks. Ticking a box is no longer enough. Sites must now verify identity through biometric scanning, government-issued IDs, or trusted third-party systems.

The result? Tens of thousands of users turned to virtual private networks (VPNs) to bypass the checks altogether. VPN services like Proton and AdGuard reported usage spikes of over 1,000%, and VPN-related search traffic skyrocketed.

In response, UK Science Secretary Peter Kyle confirmed that while VPNs are not currently under threat, the government will be monitoring their usage “very closely.”

Why Are People Turning to VPNs?

VPNs (Virtual Private Networks) allow users to change their visible location and encrypt their internet traffic. They’re often used to access geo-blocked content or browse the web more privately.

In this case, many UK users are using VPNs to appear as though they are based outside the UK, bypassing sites’ legal obligations to run age checks.

For some, this is about convenience (or avoiding inconvenience). For others, it reflects deeper concerns about data protection risks such as the potential over-collection of personal data, and broader privacy concerns about surveillance and government overreach.

Are VPNs at Risk of Being Banned in the UK?

As of now, VPNs remain legal in the UK. There is no formal proposal to ban or restrict them. Ministers have, however, noted their increased use following the Online Safety Act, particularly where this undermines compliance measures.

While an outright ban appears politically and technically unlikely, policymakers could explore measures such as VPN-detection obligations or other technical interventions if they believe circumvention is materially affecting enforcement.

From a policy perspective, VPN usage in this context creates a loophole that undermines enforcement.

The surge in VPN adoption also reflects a wider public preference for tools that reduce personal data disclosure and increase control over online identity.

A Bigger Question: Is This About Safety or Surveillance?

For the government, age verification is about child safety, a widely supported goal.

But for data protection professionals, the implementation methods, especially the use of facial recognition, ID scanning, and mandatory identity checks just to access online content, raise significant concerns:

  • Necessity and proportionality under Article 5(1)(c) UK GDPR
  • Purpose limitation (ensuring data is not repurposed beyond age verification)
  • Security and retention safeguards to prevent misuse or breach

This is where VPNs become symbolic. They are not just tools for dodging rules. They represent resistance to what some users see as an increasingly monitored and censored internet.

If public trust in online regulation continues to erode, the use of VPNs, encrypted browsers, and other privacy-enhancing technologies (PETs) is only likely to grow.

What Does This Mean for Data Protection Professionals?

The age verification surge, and the reaction to it, is a live case study in consent, proportionality, and transparency, three of the core principles under the UK GDPR.

Here’s what DPOs and privacy teams should be considering:

1. Review DPIAs for Age Verification Systems
Ensure assessments for age verification systems are comprehensive, address biometric and ID processing risks, and consider less intrusive alternatives.

2. Understand the Role of VPNs in Bypassing Compliance
While bypassing geo-controls is legal, it can complicate enforcement. If your organisation operates globally, review how your systems handle users accessing content through VPNs.

3. Stay Informed About Potential Regulation
The fact that the UK government is publicly acknowledging VPN usage suggests that future policy responses may involve restrictions, monitoring obligations, or technical standards.

FAQs: VPNs, Data Protection and the Online Safety Act

Is it illegal to use a VPN to bypass age checks?
No, VPN use is lawful in the UK. However, platforms still have a legal duty to prevent underage access, and individuals bypassing that protection raise compliance questions for the platform.

Could the UK government ban VPNs in the future?
There are no current plans to ban VPNs, and such a move would be controversial. But targeted restrictions or obligations for platforms to detect VPN use may emerge.

Are VPNs a data protection risk?
Not all VPNs are created equal. Free VPNs often log user activity or sell data. Trusted, paid VPN providers generally apply stronger safeguards.

Does using a VPN guarantee anonymity?
No. VPNs improve privacy by encrypting traffic and masking location, but they do not make users anonymous. Additional tools (like encrypted browsers) are needed for that.

Should my organisation block VPN users?
It depends on your risk profile and legal obligations. Blocking VPNs can create usability issues and false positives. Any such approach should be risk-based and compliant with data protection principles. Work with your legal and IT teams to assess the impact.

Horizon Scanning: What’s Next?

We are entering a new phase of tension between safety legislation and data protection considerations. As government measures become more prescriptive, public demand for privacy may lead to increased use of:

  • VPNs
  • Decentralised platforms
  • Anonymous browsers like Tor
  • Self-hosted or federated services

These shifts are as much cultural as technical, reflecting public concerns about personal data handling and the desire for greater online autonomy.

Data Protection People’s View

At Data Protection People, we believe data protection and safety should not be treated as trade-offs. Both are essential. The current wave of VPN usage tells us that the public is concerned about how their personal data is being handled, and that concerns around surveillance are very real.

Organisations and regulators should prioritise proportionality, transparency, and fairness in online safety measures, ensuring that personal data is processed lawfully, securely, and only to the extent strictly necessary to achieve legitimate aims.

Need Help Navigating Compliance and Public Sentiment?

Whether you’re implementing age verification, assessing vendor risks, or preparing for scrutiny around online access and privacy, we can help.

UK Age Verification for 18+ Content

What Does Age Verification for 18+ Content Mean for Data Protection in the UK? 

The UK is introducing mandatory age verification for accessing 18+ online content, including pornography, gambling and other age-restricted services. This change is designed to protect children, but it raises important questions for the data protection community. Are these measures safeguarding users or creating new risks? And how do organisations strike a balance between compliance and privacy? 

What Is Age Verification and Why Is It Being Introduced? 

Age verification is the process of confirming that a user is over a certain age threshold, usually 18, before granting access to restricted online content. The UK Government has committed to rolling this out in response to long-standing concerns about children accessing harmful material online. 

Under the Online Safety Act 2023, platforms hosting 18+ content are now required to introduce robust age checks. This could involve ID scans, credit card verification, or even biometric facial recognition technology. 

Is This a Win for Online Safety or a Risk to Privacy? 

The move aims to protect vulnerable users, particularly children. But to verify age, websites must process more personal data and often very sensitive data. This creates tension between protection and privacy. 

Positive Intentions

  • Protecting Children: Preventing underage users from accessing harmful content is widely supported by parents, educators and regulators. 
  • Holding Platforms Accountable: The burden is shifting to providers, encouraging better content moderation and accountability. 
  • Legal Clarity: New obligations provide a clearer legal framework for platforms, including pornographic and gambling websites. 

Potential Risks

  • Data Minimisation Concerns: Does proving someone is 18 really require full identity data, or could a tokenised, privacy-preserving method be used? 
  • Scope Creep: Once age data is collected, what stops platforms from storing or using it for other purposes? 
  • Increased Attack Surface: The more sensitive data stored, the higher the risk of breaches. Facial recognition and ID scans are high-value targets. 
  • Lack of Transparency: Users may not understand how their ID or biometric data is used, stored, or shared. 

What Technologies Are Being Used? 

Age verification is no longer just about ticking a box. Technology providers are introducing advanced tools to meet the UK’s requirements, including: 

  • Biometric Facial Estimation: AI determines your likely age based on a selfie 
  • Document Verification: Scanning a passport or driver’s licence 
  • Credit Card Verification: Confirming age based on payment card data 
  • Third-Party Age Assurance Providers: Trusted intermediaries that verify age without sharing the full identity 

All of these involve processing personal data. Some even involve special category data, which demands greater safeguards under UK GDPR. 

Data Protection Considerations for Organisations 

If your organisation is involved in publishing or enabling access to age-restricted content, there are immediate steps to take. 

1. Conduct a Data Protection Impact Assessment (DPIA)
Any use of biometric or ID verification requires a DPIA. These technologies pose high risks to individual rights and freedoms and are likely to trigger Article 35 obligations under the UK GDPR. 

2. Follow the Principles of Data Minimisation
Collect only what is necessary. If proof of age can be confirmed without identity, that’s preferable. Avoid systems that retain ID data longer than needed. 

3. Use Trusted Verification Providers
Work with accredited Age Check Certification Scheme (ACCS) providers or other UK-recognised vendors who are independently audited and transparent. 

4. Be Transparent with Users
Make it clear what data is being collected, how it is processed, and whether it is shared. This includes publishing clear privacy notices and cookie policies. 

FAQs: Age Verification & Data Protection 

Is age verification required by law in the UK?
Yes. The Online Safety Act 2023 requires platforms hosting 18+ content to implement proportionate and effective age checks. 

Do age verification systems fall under UK GDPR?
Yes. Any system that processes personal data—including biometric data or ID scans—must comply with UK GDPR requirements. 

What’s the safest way to verify age?
Using third-party age assurance providers that issue verification tokens without exposing full identity data is currently considered best practice. 

Can users opt out?
If access to the content is restricted by law, users cannot opt out of the age verification process. However, transparency and consent in how data is processed still apply. 

Who enforces this?
Ofcom is the lead regulator under the Online Safety Act. The ICO oversees compliance with data protection laws related to these technologies. 

The Balance Between Safety and Privacy 

For many, this change is a positive step towards safeguarding young people online. But it also signals a broader shift: privacy and safety are no longer separate priorities, they must coexist. 

The risk is that platforms, in their rush to comply, adopt intrusive systems without fully understanding the data protection consequences. Age verification should not become identity verification by default. 

The challenge now is to build trust through transparency, minimise data wherever possible, and ensure that age checks are done securely, proportionately, and fairly. 

What Should Data Protection Officers Be Doing Now? 

  • Monitor developments and Ofcom guidance under the Online Safety Act 
  • Review any services or platforms your organisation operates that may fall under age-restriction obligations 
  • Speak to IT and procurement teams to vet any third-party age verification providers 
  • Consider providing staff training on biometric data, DPIAs and user transparency 

Our View at Data Protection People 

We believe data protection and child safety can go hand in hand, but only if implemented carefully. Mandating age verification should not open the door to excessive data harvesting or surveillance. 

At Data Protection People, we support clients through this changing landscape, helping them stay compliant without compromising their users’ privacy. Our consultants can help you assess risks, write DPIAs, review third-party tools and update privacy documentation. 

If your organisation is implementing or reviewing age verification systems, we’re here to support you. 

Need Help Navigating Age Verification Compliance? 

We offer consultancy and audits that help organisations align with both the Online Safety Act and UK GDPR.

Data Protection People Podcasts

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Managing Subject Access Requests from Employees & Ex-Employees – Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for both compliance and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.


Data Protection People Whitepapers

Data Privacy Learning & Guidance

How to Respond to a Data Subject Access Request (DSAR) 

Read about how to properly handle a Data Subject Access Request (DSAR) as the data controller at an organisation that has received a request.

Do I need to do a DPIA?

Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.

Data within Education

Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent; I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…

Outsourced Consultant Versus In-House?

Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…

Join our community

Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.