Lace Up: The Race to implement the Data (Use and Access) Bill is About to Begin

Time to get your data protection running shoes on and stretch out those regulatory hamstrings—because one of the most important pieces of data legislation since UK GDPR is about to become law. The Data (Use and Access) Bill is nearing Royal Assent and changes will come into force thick and fast—think months, not years. It will significantly reshape the UK’s data framework, with particular relevance for marketers, fundraisers, and data professionals.

The Bill is currently in the oddly-named 'ping-pong' stage of the legislative process. Usually, this refers to the quick back-and-forth that occurs between the Houses of Commons and Lords to put final tweaks on a Bill before the Monarch signs it into law.

However, this time, ping-pong is a bit more ferocious, as furious debate about the protection of artists' work from copyright breaches by artificial intelligence. The Lords, via an amendment by Baroness Kidron, argue not enough is being done. The Government says the cat is already out the bag and we have to deal with a new legal landscape.

So far, the Bill has gone between the Commons and the Lords several times over the past ten days, with various versions of Baroness Kidron's amendment being passed by the Lords and rejected by the Commons.

It looks like the government is unwilling to make meaningful compromise on Baroness Kidron's amendment. Yesterday, acknowledging the futility of the back-and-forth and the potential for the Bill to be collapsed if it continued, Baroness Kidron said she would accept whatever decision the government made next.

In all likellihood, then, the Bill will reach its final form - the rest of the Bill is ready to go - after the Common's vote today and be approved by the Lords early next week.

Many of the important changes in the Bill are there because of the DMA and our members’ direct involvement. Across two governments, the DMA has worked closely with Ministers, departmental officials, and Parliamentarians to shape the Bill in a way that supports responsible data-driven growth. The DMA’s Director of Policy and Compliance, Chris Combemale, chaired the Secretary of State’s Business Advisory Group; DMA-hosted roundtables enabled members to speak directly with government; and several Lords actively championed DMA-proposed amendments, referencing them in debate. These key changes—driven by input from DMA members—reflect our longstanding aim to balance innovation with privacy, fuelled by the customer-first principles in the DMA Code.

Greater Certainty on the Use of Legitimate Interests

The most important reform to DMA members is the greater certainty around the use of Legitimate Interests as a lawful basis. Article 6.1(f) has been amended to include specific examples—drawn from Recitals 47, 48 and 49 of UK GDPR—that list direct marketing, intra-group administrative transfers, and network security as activities that may rely on Legitimate Interests. This improves clarity in the main legislative text and aligns with recent case law, including the Experian ruling, which confirmed the need for proportionality and recognition of the benefits of direct marketing. The DMA strongly supported this amendment, which helps remove confusion caused by overly cautious legal interpretations since UK GDPR was implemented. Research shows 79% of businesses would be more likely to use this lawful basis if clearer guidance was available. This change supports growth while maintaining individuals’ unfettered right to object to marketing at any time.

Soft Opt-In Extended to Charities

This is a critical amendment for charity members and restores a soft opt-in for email and SMS communications where supporters have provided their details in the course of expressing interest or providing support. It aligns charity communications with the exemption that has existed since 2003 for commercial organisations. The change was reintroduced at Lords Report stage following a DMA intervention, supported by statements from 22 charities and a letter to Secretary of State Kevin Hollinrake. Analysis by the Salocin Group and Wood for the Trees found that enabling email contact could increase annual charitable donations by up to £290 million across the UK. With clear opt-out options still required at the point of data capture, this reform offers charities a powerful tool to better engage supporters and grow income responsibly.

Cookies Reform: Simpler Consent, Fewer Banners

Both governments shared a commitment to reducing interruptive and ineffective cookie consent banners. While DUA doesn’t eliminate consent requirements entirely, it introduces specific exemptions that bring meaningful change. Cookies used for strictly necessary purposes, internal statistical analysis, improving functionality, security updates, or emergency assistance will no longer require consent. These exemptions particularly benefit websites without advertising—such as B2B services, ecommerce platforms, and charities—who may now be exempt from banners altogether. Even where consent is still needed, banners will be simpler, easier to manage, and offer fewer confusing choices. This improves user experience and reduces operational costs.

Enabling Beneficial AI and Automated Decision-Making

Amendments to Article 22 clarify that automated decision-making may continue where it is beneficial and low risk. The strongest restrictions are limited to cases involving special category data. Significant decisions based solely on automated processing will now be permitted if individuals are informed about the decision, can make representations, and can obtain human review or contest the outcome. This ensures that marketing and customer insight activities—such as product recommendations or segmentation—can continue under fair safeguards. “Solely automated decision-making” and “significant effects” are now defined with the same meaning as in the DPA 2018, providing continuity and clarity.

Unified Codes of Conduct for UK GDPR and PECR

The DMA has worked with the ICO for several years on a Direct Marketing Code of Conduct. Previously, ICO lawyers determined that UK GDPR could not cover PECR issues within a single document, but the DUA changes that. The Bill enables Codes of Conduct under PECR to be incorporated into the same document as those under UK GDPR. This allows for collaborative, sector-specific regulation backed by an independent monitoring body—the Data and Marketing Commission—which will adjudicate on complaints about Code Signatories. This reform ensures that the Code can cover the full spectrum of marketing activities, from segmentation to email delivery, enhancing both consumer protection and business clarity.

ICO Modernisation

The structure and remit of the Information Commissioner’s Office will be modernised under the Bill. The ICO will transition from a corporation sole to a corporate body known as the Information Commission, overseen by a Chair and non-executive board. Crucially, the ICO will now be required to consider the public interest in promoting innovation and competition alongside privacy and data protection. This aligns with Recital 4 of UK GDPR and the principles of the DMA Code. It is intended to support more balanced decision-making and a better understanding of the real-world implications of data regulation.

Boosting Research and Innovation

The Bill expands the definition of scientific research to explicitly include commercial activity. This means that market research, product development, and technological innovation—whether privately or publicly funded—can now benefit from the same legal privileges as academic research. The reforms also apply to processing for statistical purposes where the resulting information is anonymised and not used to make decisions about individuals. This provides legal certainty and reduces compliance burdens for research-led businesses. It’s a positive step for driving UK innovation and growth.

PECR Enforcement Aligned with UK GDPR

The maximum penalties for breaches of PECR—covering nuisance calls, emails and texts—will now be brought in line with UK GDPR: up to £17.5 million or 4% of global turnover. This is a significant increase from the previous cap of £500,000. It aligns enforcement across the two frameworks and sends a clear signal that poor practices will be met with serious consequences. Ethical, compliant marketers will benefit from a more level playing field and greater public trust.

Direct Marketing Legally Defined Across All Laws

The legal definition of direct marketing from DPA 2018—“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”—has now been added into the text of both UK GDPR and PECR. This creates legal clarity and consistency across the key data protection frameworks. It ensures all parties—regulators, businesses, and the public—are working from a shared understanding of what direct marketing entails. This will reduce compliance uncertainty and support better regulatory outcomes.

EU Data Adequacy Preserved

The Bill has been drafted to maintain full consistency with core EU data protection principles and European Court of Justice rulings. This is essential for preserving the UK’s adequacy status, which enables the free flow of personal data from the EU to the UK. DMA members consistently identified this as the most critical risk of any UK data reform. The government’s approach reflects legal clarity and alignment with risk-based, proportionate interpretation—helping ensure UK organisations remain competitive in global markets.

.

On your marks, get set…

As the voice of the Data and Marketing Industry, the DMA will be providing updated guidance, resources and training opportunities to help members prepare for the incoming changes. As the new rules come into force, our policy and compliance teams are on hand to assist with interpretation and implementation. Whether you need strategic advice or practical tools, we’re here to help you prepare—so you’re not just ready to run the race, but to lead it.

.

Upcoming Webinar: How to Maximise Email Marketing for Charities in the Soft Opt-In Era

The introduction of the soft opt-in for the charity sector unlocks a significant opportunity. The ability to engage more supporters, build stronger relationships, and unlock an estimated £290 million in additional annual fundraising.

How can charities make the most of this change while ensuring full compliance?

Join the DMA and Wood for Trees, part of the Salocin Group, on 9 July for a practical, insight-driven webinar that explores:

• Understanding the soft opt-in: What it means, how it differs from consent, and how to apply it effectively.
• Navigating compliance: Creating consent mechanisms that align with evolving regulations.
• Building a strong data foundation: Optimising supporter data for compliant, impactful email marketing.
• Crafting high-performing email strategies: Creating personalised, data-led journeys that drive long-term supporter engagement.

Book your spot to discover how to turn this regulatory change into fundraising growth.