The UK’s Data Use and Access (DUA) Act is on its way to becoming law, with Royal Assent expected before Parliament’s summer recess. While the Act isn’t a complete overhaul of existing UK GDPR or PECR rules, it introduces a number of meaningful updates that will affect how organisations handle data, especially around cookies, consent and digital transparency.

The changes cover a broad range of topics: from adjustments to how automated decisions are made, to updates on Data Subject Access Requests (DSARs), marketing practices, digital ID frameworks, and how data is reused. Most provisions won’t take effect immediately, but businesses are being advised to start preparing now.

Cookies: A Clear and Immediate Opportunity

One of the most practical updates is around the use of cookies and similar technologies. Currently, websites must get consent for almost all cookies unless they are strictly necessary. Under the DUA Act, this will change. Low-risk cookies—such as those used for basic analytics, performance tracking, or user interface improvements—will no longer require consent if:

•    Clear information is provided to users, and
•    There’s a straightforward way to opt out

This gives organisations a chance to streamline the user experience while still respecting privacy. But it also means reviewing your current cookie practices and ensuring your policies and consent tools are ready to align with these new rules.

What Are Cookies, and Why Do They Matter?

Cookies are small text files placed on a user’s device when they visit a website. They help sites remember things like login status or preferences, and provide valuable insights into how visitors use a site. Cookies don’t access users’ hard drives or collect sensitive information. They’re simply tools to enhance the web experience, essential for delivering a smooth and efficient online journey. But because they involve user data, they fall under privacy laws—so how they’re used, and whether consent is needed, still matters.

AAAnow.ai’s Cookie Use: Transparent and Simple

AAAnow.ai uses cookies in a clear and responsible way:

Analytics: to understand how visitors interact with the site—what’s popular, how often users return, and where improvements are needed.
Personalisation: to remember settings and tailor the user experience.

Importantly, cookies on the site do not access your hard drive or collect sensitive data. And if users prefer not to be tracked, they can simply opt out by emailing the team at info@AAAnow.ai.

Why Get Ahead?

While most of the DUA Act’s changes won’t be enforceable right away, now is the time to act—especially in areas like cookies, where the rules are already being clarified.

Notably, fines for breaching cookie and marketing rules under PECR are increasing to match UK GDPR levels—up to £17.5 million or 4% of global annual turnover. That’s a high price for getting consent wrong.

In Summary

The article from the Data Protection Network outlines 15 key changes under the DUA Act, the most important of which were recently highlighted by Philippa Donn in a LinkedIn post.

• Automated decision-making rules relaxed
• Marketing ‘soft opt-in’ extended to charities
• 'Low-risk' cookies will no longer need consent
• New requirement to have a data protection complaints procedure
• Legal clarity on handling DSARs
• Much bigger maximum fines for breaking marketing and cookie rules
• Recognised legitimate interests
• Specific compatible purposes
• Revised definition of scientific research
• New Information Commission

Her advice is simple:

“While significant, this legislation does not usher in radical changes… but organisations would be wise to keep up with developments.”

Key Takeaways:

•    The DUA Act won’t change everything overnight, but it will introduce gradual changes worth preparing for

•    Cookie rules are easing in some areas, but transparency and user control still matter

•    AAAnow.ai already demonstrates a best-practice approach

•    Start now, stay ahead, and reduce risk as enforcement tightens in the months ahead

AAAnow.ai is committed to staying ahead of evolving data regulations, ensuring its users are informed, protected, and supported every step of the way.

Further reading: To explore the new rules and regulations in more detail, read the full article by Philippa Donn from the Data Protection Network: 
DUA Act 2025: 15 key changes ahead - A practical summary of what’s changing under the new legislation and what organisations should start preparing for. https://dpnetwork.org.uk/dua-act-key-changes-ahead/