UK Introduces New Legislation Amending Privacy Laws
Alerts
July 1, 2025

On June 19, 2025, the UK Data (Use and Access) Act 2025 was enacted, marking the culmination of a lengthy legislative process aimed at reshaping aspects of the country’s data protection regime. First proposed in 2021 as part of a government strategy titled “Data: a new direction,” the legislation has undergone several rounds of revision since its initial introduction. Its passage reflects the UK’s desire to diverge, in measured ways, from the EU’s approach to data regulation in the post-Brexit landscape.

The Act introduces targeted amendments to the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, with a focus on clarifying lawful data use, adjusting rules for international transfers, and modifying the rules on electronic marketing. While the UK GDPR and its core principles of data protection remain intact, these reforms are intended to reduce burdens on organizations and unlock economic and research opportunities.

Key Changes Under the Act

  • Relaxed restrictions on automated decision-making (ADM). Since the GDPR came into force in 2018, UK law has restricted the ability of companies to make significant decisions about individuals based solely on the automated processing of their personal data. The Act relaxes this position, providing that such decisions can in the future be made subject to the implementation of appropriate safeguards, such as a route to contest decisions and obtain human intervention. Moving forward, ADM will be prohibited only when based on the processing of special category data (e.g., health data), and if that decision produces legal or other significant effects for individuals. In practice, these changes open the door for businesses operating in the UK to make wider use of ADM technologies when special category data is not processed, by liberalizing the range of legal bases that can be relied on under the UK GDPR for such processing. The Information Commissioner’s Office (ICO) is expected to publish draft guidance on ADM for consultation in winter 2025 or early 2026.
  • Clarifying the scope of the research provisions. The Act clarifies what amounts to processing for the purposes of “scientific research,” “historical research,” and “statistical purposes” by inserting a new definition of those terms into the UK GDPR. The amendments clarify that scientific research can include commercial research, including where such research is privately funded. Examples include processing for technical development or demonstration, and fundamental or applied research, insofar as such activities can reasonably be described as scientific. The ICO is expected to publish draft guidance on these updated research provisions for consultation this autumn.
  • Modifications to the purpose limitation principle. The Act clarifies the circumstances in which organizations can lawfully process personal data for new purposes. Where personal data was originally collected based on consent of the data subject, the rules are more restrictive and require either a fresh consent, a strong public interest reason for the new processing, or that the processing otherwise falls within a limited list of “compatible purposes” prescribed by the Act. The rules are more liberal where personal data was originally collected on a legal basis other than consent.
  • Recognized “legitimate interests.” The Act sets out a defined list of recognized “legitimate interests” that can be relied on when processing personal data, such as safeguarding vulnerable people or combating criminal activity. When data processing aligns with one of these designated interests, controllers are not obligated to carry out a full balancing test against individuals’ rights and freedoms. Instead, they must determine whether the processing is necessary to achieve the stated aim. The ICO is expected to publish draft guidance for consultation on these new lawful bases in winter 2025 or early 2026.
  • Consent no longer required for certain uses of cookies. The Act introduces new exceptions to the general rule under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) that consent must be obtained before placing or reading cookies on a user’s device. Cookies can now be placed without consent where necessary for “statistical purposes” to collect information about how an online service is used. The ICO is expected to publish draft guidance on cookies for consultation in spring and winter this year.
  • Children’s protection matters. The Act introduces a new requirement for providers of online services that are likely to be accessed by children. This requires such providers to consider the technical and organizational measures they can put in place to best protect and support children using the services, including children who fall into different age groups and therefore have different developmental needs. The ICO is expected to produce guidance on safeguarding children in winter 2025 or early 2026.
  • An updated Information Commission with enhanced enforcement powers. The Information Commissioner’s Office will be replaced by an Information Commission (IC). The Act grants the IC additional enforcement powers, including the power to require individuals to attend interviews in the context of investigations, and to impose fines of up to GBP 17.5 million, or up to four percent of global turnover, for breaches of PECR (bringing PECR fines in line with the UK GDPR). When exercising its powers, the IC is required by the Act to have regard to a list of priorities, including providing special protection to the rights of children. The ICO is expected to publish guidance on changes to its processes in autumn 2025.
  • Encouragement of Smart Data schemes. The Act empowers authorities to launch new “Smart Data” initiatives. These initiatives would mandate that relevant companies enable consumers to access their personal data and share it securely with approved third parties. The goal of these provisions is to expand on the success of Open Banking by fostering comparable frameworks in other industries.

Next Steps

The Act has now been passed and will be brought into force in the coming months. The IC will be publishing new and updated guidance to reflect the changes outlined above, while companies will need to reassess and adjust their data handling practices accordingly.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance in the UK and EU. For more information, please contact Nikolaos Theodorakis or Tom Evans.

Claudia Chan contributed to the preparation of this alert.

Contributors

  • Nikolaos Theodorakis
  • Tom Evans
  • Claudia Chan
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.