On February 5, 2026, key reforms to the UK’s data protection regime came into force, effectuating a departure from certain aspects of the EU regime and underscoring an emerging divergence between the UK and EU frameworks. These changes introduce new flexibility in areas such as cookie consent, automated decision-making (ADM) and processing of data for scientific research purposes, while raising the bar for compliance in areas such as the handling of data relating to minors.

Key Reforms

As discussed in our earlier update, the reforms have been brought about through the enactment of the Data (Use and Access) Act 2025 (the Act). Key changes include the following:

• Recalibrated rules on cookies, with tougher potential penalties for noncompliance. The Act introduces new exceptions to the general rule under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) that consent must be obtained before placing or reading cookies on a user’s device. Cookies can now be placed without consent where necessary for limited “statistical purposes,” or to adapt the appearance and functions of a service in line with the user’s preferences. The Information Commissioner’s Office (ICO) published updated draft guidance reflecting these changes in July 2025. The ICO’s powers of enforcement in relation to PECR have also been revised, with the regulator now able to impose fines of up to GBP 17.5 million, or up to four percent of global worldwide turnover for breaches.
• Enhanced ICO enforcement powers. The Act introduces new abilities for the ICO to require reports from controllers, and to compel individuals to attend an interview if they work, or have previously worked, for an organization subject to the UK General Data Protection Regulation (GDPR). The ICO has recently consulted on guidance relating to process when carrying out investigations and enforcement. At a later date, the ICO will be replaced by an Information Commission.
• Children’s protection matters. The Act introduces a new requirement for providers of online services that are likely to be accessed by children. This requires such providers to consider the technical and organizational measures they can put in place to best protect and support children using the services, including children that fall in different age groups and that therefore have different developmental needs. Providers of online services that are within scope of this requirement will need to be able to evidence the steps they’ve taken to comply. The ICO has published an update to its data protection by design and default guidance to reflect the introduction of this new requirement.
• Clarifying that controllers can “stop the clock” when seeking clarification of data subject requests (DSAR). The ICO has stated for some time in guidance that it is legitimate for controllers to “stop the clock” when seeking clarification of data subject access requests, effectively extending the one-month response period. The Act puts this on a statutory footing and clarifies that it is reasonable to require further information where a controller “processes a large amount of information” about the requestor. The Act also clarifies that controllers only need to carry out a “reasonable search” for information in response to a data subject access request. These modifications may provide controllers with additional reassurance when resisting over-broad or otherwise complex data subject requests.
• Relaxed restrictions on ADM. Since the GDPR came into force in 2018, UK law has restricted the ability of companies to make significant decisions about individuals based solely on the automated processing of their personal data. This has now changed, and organizations may carry out such decisions if they implement appropriate safeguards, such as a route to contest decisions and obtain human intervention. ADM based on the processing of special category data (e.g., health data) continues to be subject to more robust legal conditions. In practice, these changes open the door for businesses operating in the UK to make wider use of ADM technologies when special category data is not processed, by liberalizing the range of legal bases that can be relied on under the UK GDPR for such processing. The ICO is expected to publish draft guidance on ADM for consultation in early 2026.
• Clarifying the scope of the research provisions. The Act clarifies what amounts to processing for the purposes of “scientific research,” “historical research,” and “statistical purposes” by inserting a new definition of those terms into the UK GDPR. The amendments clarify that scientific research can include commercial research, including where such research is privately funded. Examples include processing for technical development or demonstration, and fundamental or applied research, insofar as such activities can reasonably be described as scientific. The ICO is expected to publish draft guidance on these updated research provisions for consultation this month.
• Recognized “legitimate interests.” The Act sets out a defined list of recognized “legitimate interests” that can be relied on when processing personal data, such as safeguarding vulnerable people or combating criminal activity. When data processing aligns with one of these designated interests, controllers are not obligated to carry out a full balancing test against individuals’ rights and freedoms. Instead, they must determine whether the processing is necessary to achieve the stated aim. The ICO is currently redrafting its draft guidance after consultation which closed in October 2025. A final version of the guidance is expected early this year.

Next Steps

Against this backdrop, organizations may wish to take stock of their existing compliance frameworks to assess whether targeted adjustments could be made to reflect, and potentially benefit from, the revised rules. The ICO has stated that it will continue to draft, consult on, and make public new guidance to reflect these changes.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Nikolaos Theodorakis, Tom Evans, or another member of the firm’s Data, Privacy, and Cybersecurity practice.

Claudia Chan and Michaela Novakova contributed to the preparation of this alert.