Find out what the Data (Use and Access) Act 2025 (DUAA) means for data protection and data use, including key changes affecting complaints, cookies and charity soft opt-ins.
What is DUAA 2025?
DUAA is legislation that updates existing UK data protection rules across several areas, affecting how organisations collect and manage personal data.
Some DUAA changes apply from 19 June 2026, including new expectations around data protection complaints and aspects of website tracking and cookie usage. A separate charitable soft opt-in took effect earlier, on 5 February 2026. You'll find more information about these three areas below.
For full technical guidance, see the ICO guidance on DUAA.
Who does DUAA apply to?
DUAA applies to any organisation that processes personal data. This includes businesses, charities, associations, societies and public sector organisations. If you collect data through your website, email marketing, social media or customer enquiries, you should review how your systems are set up.
What’s changing?
DUAA introduces updates across three areas that are particularly relevant for data controllers, website managers and email marketers:
1. Data protection complaints
Organisations need to make it easy for people to raise concerns about how their personal data is handled and provide a clear process for managing and responding to those complaints. The aim is to ensure complaints are dealt with directly by the organisation, with escalation to the Information Commissioner’s Office (ICO) only where necessary.
This means having a simple route for complaints and making sure they are handled consistently. Possible ways to do this include:
- a contact form on your website
- a dedicated complaints page or online form
- a specific email address for data protection queries
- a telephone or postal contact route
- in person or via live chat
- via social media
Once a complaint is received, organisations should have a process in place to:
- log and record the complaint when it is received
- acknowledge it within 30 days
- investigate the issue appropriately without unnecessary delay
- provide a clear outcome once reviewed
- keep a record of how the complaint was handled
A well-structured website form is often the simplest way to support these obligations under DUAA, ensuring complaints are captured clearly and routed to the right team from the start. At 101, we can help you set up or improve your online forms so they support a clear and consistent complaints process.
2. Charity soft opt-in
As part of DUAA, a new charitable purposes soft opt-in came into effect on 5 February 2026. It allows charities to send email, SMS and other electronic marketing to individuals without prior consent where there is already a connection to the charity’s work.
In practice, this applies where someone has:
- shown interest in a charity’s activities
- offered support or engaged with fundraising or campaigns
- provided their details in a relevant context
Even where this applies, charities must still:
- offer a clear opt-out option
- ensure communications relate to their charitable purpose
- handle personal data appropriately
The change can help charities communicate with people who are already engaged, but it doesn't remove the need for careful data management or existing consent rules in other situations.
If you are unsure if or how the charitable soft opt-in applies to you, we're happy to answer your questions and help you review your approach where needed.
3. Cookies and website tracking
DUAA also introduces updates to how cookies and similar tracking technologies are used on websites, particularly around consent, transparency and certain permitted uses.
You may also wish to update your Cookie Policy to reference your process for handling data protection complaints under DUAA.
For more information, read our overview of DUAA cookies and website tracking changes.
Need help?
If you are unsure what DUAA means for your website, marketing or data processes, we can help review your setup and highlight any changes needed. Get in touch to discuss what would work best for your organisation.
