Data Use and Access Act: 10 things marketers need to know

As the dust settles on the most significant data reform since GDPR, the UK’s Data Use and Access Act (DUAA) 2025 is set to reshape the way marketers work. After months of parliamentary debate and expert input, including figures such as Information Commissioner John Edwards and Baroness Kidron, the Act has received Royal Assent.

The government estimates the DUAA could unlock up to £10 billion in economic growth by making it easier for businesses to innovate and use data responsibly. The Act has and will be a key part of CIM's ongoing public affairs activity, allowing us to advise and support our members. As the DUAA ushers in a new era for data-driven marketing, it brings both fresh opportunities and new responsibilities. We have been tracking the DUAA Bill to update our members on its impact on marketing activities as part of our public affairs service. 

Key updates from the Data Use and Access Act 

Below, we break down the ten key changes and what they mean for your marketing strategy, with practical examples to help you prepare. 

1. Clarified use of personal data for research

The DUAA introduces clearer guidelines for using personal data in research. Marketers can now obtain ‘broad consent’ from individuals for areas of scientific research, reducing the administrative burden in some cases. Privacy notices may not be required for every research activity, streamlining compliance and enabling more agile campaign development.

2. Relaxed automated decision-making restrictions

Automated decision-making is a cornerstone of modern marketing, from personalised recommendations to real-time bidding. The Act relaxes previous restrictions, allowing greater use of automation—provided robust safeguards are in place. However, special category data remains tightly protected, so marketers must tread carefully when handling sensitive information.

3. Updated cookie consent requirement

Cookie management has long been a pain point for marketers. The DUAA clarifies when cookies can be used without explicit consent, particularly for statistical purposes. This change could simplify user journeys and improve data collection for performance analysis, helping marketers optimise campaigns and drive organisational growth.

4. Email marketing changes for some sectors

Charities stand to benefit from new provisions that, in certain circumstances, allow electronic marketing emails to be sent without prior consent. This opens up new avenues for engagement and fundraising, enabling charities to maximise their reach and impact.

5. Data protection complaints procedures

A formal data protection complaints procedure is now mandatory. Organisations must acknowledge complaints within 30 days and respond ‘without undue delay’. For marketing teams, this means reviewing internal processes and ensuring swift, transparent communication with data subjects.

6. Legitimate interest as a lawful basis

The DUAA introduces "recognised legitimate interests" as a lawful basis for data processing. This could simplify compliance in many marketing scenarios, reducing red tape and allowing teams to focus on creative, impactful campaigns.

7. ICO’s increased powers

The Information Commissioner’s Office (ICO) now has greater authority, including the power to compel witnesses and issue substantial fines—up to £17.5 million or 4% of global turnover for breaches, aligning with UK GDPR.

8. Phased implementation

A key aspect of the new Act for our members is its implementation – which we will be monitoring and reporting on. The Act’s provisions will be rolled out in phases, with most changes expected within six months of Royal Assent, but full implementation could take up to a year. We will develop a timeline for our members so they can prepare for a staggered compliance journey. Those wanting to stay ahead of the curve may wish to also create a DUAA compliance roadmap, prioritising updates to privacy notices and consent mechanisms in line with the phased rollout, to ensure no disruption to ongoing marketing activities.

9. Importance of data protection assessments

The ICO will be developing new impact assessments to help organisations comply, especially when deploying new technologies like AI. Marketers should leverage these resources to future-proof their data strategies and maintain customer trust.

10. CIM support and strategic guidance

To support members throughout the phased implementation of the DUAA, CIM will maintain close collaboration with the ICO and relevant government bodies, ensuring members receive timely and practical guidance. This will include the publication of an exclusive timeline detailing key implementation dates, alongside sector-specific updates.

We are committed to bridging the gap between marketers and regulators, enabling our members to remain both compliant and confident. I encourage all members to make full use of CIM’s evolving resources, training opportunities, and reports.

Looking ahead

As the DUAA comes into force, marketers are uniquely positioned to lead the way in building customer trust while driving innovation. “The Act is about building a framework where data can be used with confidence, for the benefit of people and the economy,” Information Commissioner John Edwards emphasised. Now is the time to review data practices, update consent mechanisms, and invest in staff training. By embracing these changes, marketing teams can unlock new opportunities while safeguarding the trust that underpins every successful campaign.

Final thoughts

The DUAA is not just a compliance exercise, it’s a chance for marketers to differentiate themselves. Those who act early, communicate transparently, and put customer interests at the heart of their data strategies will be best placed to thrive in this new landscape. As John Edwards, UK Information Commissioner, puts it: 

“The Data [Use and Access] Act 2025 gives organisations using personal information new and better opportunities to innovate and grow in the UK, and further enhances our ability to balance innovation and economic growth with strong protections for people’s rights. Our goal is to ensure that data can be used confidently and responsibly to deliver better services, drive economic growth, and uphold public trust.” 

My advice? Consider the act as an invitation to elevate your voice or personal brand by championing responsible data use, building stronger brands, foster loyalty, and set new standards for the industry - demonstrating that innovation and trust can go hand in hand.

To always stay up to date and current in the fast-paced marketing world, become a Chartered Marketer today. Chartered Marketer status is the ultimate mark of a professionally certified marketer, demonstrating your commitment to responsible marketing practices and willingness to embrace emerging trends and new developments to stay competitive.