The UEA Law School at Earlham Hall

Modernising UK E-Privacy: DUAA’s Reform of PECR

By Dr. Karen Mc Cullagh

The Data (Use and Access) Act 2025 (DUAA) marks the most significant overhaul of the UK’s e-privacy landscape in more than a decade. It amends the Privacy and Electronic Communications Regulations 2003 (PECR), the Data Protection Act 2018 (DPA 2018) and, indirectly, the UK GDPR. These reforms modernise outdated statutory language, adjust long-criticised rules on electronic communications and cookies, and create a more flexible framework for low-risk technologies.

For charities, the most noteworthy development is the introduction of a charitable-purpose soft opt-in, which partially addresses longstanding concerns about the burden PECR placed on fundraising communications. Yet while the reforms bring welcome clarity in some areas, they also create new operational and policy challenges that organisations will need to navigate carefully.

For readers wishing to examine the amendments in detail, Bird & Bird LLP has produced Keeling schedules showing precisely how the DUAA modifies existing legislation, including the UK GDPR, the DPA 2018 and PECR.

Modernised Definitions

DUAA modernises several definitions in PECR that had become misaligned with modern communications infrastructure. Under the original 2003 drafting, concepts such as “call”, “communication” and “recipient” reflected a world of basic telephony rather than multi-layered routing systems, automated diallers and fragmented digital advertising ecosystems.

DUAA remedies these deficiencies by inserting the DPA 2018 definition of “direct marketing” (section 110 DPA 2018) into PECR and by expanding “call” to include an attempt to make a connection. “Communication” is broadened to cover any information transmitted, regardless of whether it is received, and “recipient” now includes intended recipients even if transmission fails.

These changes close gaps that organisations have struggled with for years and better reflect the technical realities of modern communications. However, they also expand the range of situations in which PECR obligations apply, increasing compliance risk in areas such as failed call attempts and undelivered digital messages.

Beyond updating terminology, DUAA also fundamentally reshapes how organisations handle cookies and tracking technologies.

A More Nuanced Approach to Cookies and Tracking Technologies

DUAA introduces a more risk-sensitive framework for cookies and similar tracking technologies. For years, PECR’s blanket requirement for consent—irrespective of purpose—fuelled “consent fatigue” and encouraged organisations to deploy over-inclusive cookie banners offering users little meaningful choice.

The new Schedule A1 responds by creating narrowly defined exemptions where consent is no longer required. These include low-risk activities such as statistical analytics aimed at improving service performance, security and fraud detection, technical diagnostics, and software maintenance or updates. By distinguishing between essential or low-risk technologies and higher-risk tools used for profiling, advertising, or cross-site tracking, the reforms move PECR closer to a proportionate, risk-based model.

However, this relief is paired with significantly enhanced enforcement powers. DUAA raises maximum penalties from £500,000 to £17.5 million or 4% of annual global turnover, aligning PECR with UK GDPR standards and substantially escalating compliance risk.

These changes sit alongside a restructuring of the regulator itself. DUAA transforms the Information Commissioner’s Office (ICO) into the new Information Commission, granting it a revised governance structure and enhanced investigatory tools, including the ability to compel witnesses and request technical audits. The result is a more empowered and assertive regulator.

While Schedule A1 provides welcome flexibility for low-risk analytics and user-interface personalisation, the exemptions operate as narrow, purpose-bound carve-outs rather than broad permissions. The statistical analytics exemption applies only where the sole purpose is to generate aggregate insights to improve a website or online service. Any capability that could facilitate advertising, attribution, behavioural profiling or cross-service enrichment disqualifies the technology and returns the activity to PECR’s standard consent requirement.

Similarly, the appearance and functionality exemption is limited to adjustments responding to a user’s expressed preferences—such as language, layout or theme—and cannot be used to infer interests or tailor content for marketing purposes.

In practice, organisations must configure analytics suites with ad features disabled, suppress or aggregate event-level identifiers rapidly, and ensure that third-party analytics providers contractually commit not to repurpose data for their own advertising or product-development objectives.

Although consent is not required for activities falling within Schedule A1, DUAA does not permit silent tracking. Organisations must continue to provide clear, comprehensive information about the nature and purpose of exempt technologies and offer a simple, free, one-step method to object. The ICO has indicated that an immediately visible toggle or settings control may satisfy this requirement, whereas burying opt-out mechanisms within layered menus is unlikely to do so.

Organisations adopting the new exemptions should therefore revisit their cookie notices, Consent Management Platform configurations and interface design to ensure that users can meaningfully exercise choice. In effect, the regime shifts from “ask first” to “tell clearly and let users switch off,” but with stringent expectations around transparency and accessibility.

From a policy perspective, this represents a cautious rather than radical shift. DUAA preserves opt-in consent for advertising technologies, third-party trackers and multi-purpose analytics suites. This reflects a continuing regulatory commitment to shielding individuals from behavioural surveillance and data-driven manipulation, even as the government seeks to reduce friction for legitimate low-risk uses.

A further challenge arises for organisations with a cross-border user base. DUAA’s exemptions apply only under UK law; the EU e-privacy regime has not adopted equivalent provisions. As a result, analytics or preference cookies that can be deployed without consent in the UK will still require consent for visitors located in the EU or EEA. Organisations offering services to, targeting, or inadvertently receiving traffic from EU users may therefore need to operate dual compliance regimes. Failure to distinguish these cohorts risks breaching EU e-privacy rules—even where an organisation is fully compliant in the UK.
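The gating logic the last few paragraphs describe (Schedule A1 exemptions honoured in the UK subject to a one-step objection, opt-in consent for advertising and for EU/EEA visitors, analytics suites with ad features treated as non-exempt, and click-to-load third-party embeds) can be expressed as a single decision function. The following is an added example written for this page, not the author's code or any CMP product; the category names, visitor-state fields and tag inventory are assumptions.

```javascript
// Added example, not code from the article. Category names, visitor-state
// fields and the sample tag inventory are assumptions made for this example.
const EEA = new Set(['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU','IE',
  'IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','IS','LI','NO']);
// A suite with ad/attribution features on is no longer "sole purpose" statistics: treat as advertising.
function effectiveCategory(tag) {
  return tag.category === 'a1-analytics' && tag.adFeatures ? 'advertising' : tag.category;
}
// Decide whether one tag may run for one visitor; fails closed on unknown categories.
// visitor = { region, consented: Set, optedOut: Set, activated: Set of embed ids }
function decide(tag, visitor) {
  const cat = effectiveCategory(tag);
  switch (cat) {
    case 'essential':
      return { fire: true, reason: 'strictly necessary' };
    case 'a1-analytics':
    case 'a1-preference':
      if (EEA.has(visitor.region)) {            // no equivalent EU exemption: opt-in applies
        return visitor.consented.has(cat)
          ? { fire: true, reason: 'EU/EEA visitor consented' }
          : { fire: false, reason: 'EU/EEA visitor: opt-in consent required' };
      }
      return visitor.optedOut.has(cat)          // UK: exempt, but the one-step objection is honoured
        ? { fire: false, reason: 'UK visitor objected' }
        : { fire: true, reason: 'UK Schedule A1 exemption' };
    case 'advertising':
      return visitor.consented.has('advertising')
        ? { fire: true, reason: 'advertising consent given' }
        : { fire: false, reason: 'advertising consent required' };
    case 'embed':                               // click-to-load: inert until the user interacts
      return visitor.activated.has(tag.id)
        ? { fire: true, reason: 'embed activated by user' }
        : { fire: false, reason: 'embed not activated' };
    default:
      return { fire: false, reason: `unknown category ${String(cat)}` };
  }
}
// Ids of the tags allowed to run on this page view, in inventory order.
function gate(tags, visitor) {
  return tags.filter((t) => decide(t, visitor).fire).map((t) => t.id);
}
// Constructed tag inventory for illustration (not a real site configuration).
const TAGS = [
  { id: 'session', category: 'essential' },
  { id: 'stats', category: 'a1-analytics', adFeatures: false },
  { id: 'stats-ads', category: 'a1-analytics', adFeatures: true },
  { id: 'theme', category: 'a1-preference' },
  { id: 'pixel', category: 'advertising' },
  { id: 'video', category: 'embed' },
];
```

The `reason` strings are intended to be logged alongside each page view so that an auditor can see why a given tag fired for a given visitor cohort.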

The Charitable-Purpose Soft Opt-In

One of the most debated PECR anomalies concerned the soft opt-in, which historically was limited to commercial organisations and applied only where personal data was collected during the sale or negotiation of a sale of goods or services. Charities could rarely meet this threshold, even when a supporter’s engagement—such as making a donation or signing up to volunteer—mirrored a customer relationship in practice. As a result, charities relied heavily on explicit consent, contributing to supporter attrition, fragmented databases and reduced fundraising capacity.

DUAA addresses this disparity by inserting a new paragraph, Regulation 22(3A), into PECR. The provision allows a charity to send direct electronic marketing without prior consent where the individual provided their contact details while expressing interest in or supporting the charity’s purposes, the communication’s sole purpose is to further those purposes, and the individual was given a simple, free opt-out both at the point of data collection and in each subsequent communication.

The sole purpose requirement is intentionally narrow. It prevents charities from using the exemption to promote third-party products, commercial partnerships or even related entities unless the supporter engaged directly with that specific charity’s purposes. This safeguard aims to maintain public trust and prevent mission creep or cross-organisational data repurposing.

Implementation Challenges and Transitional Burdens

Although the DUAA has received Royal Assent, the PECR amendments—including the charitable soft opt-in and Schedule A1 cookie exemptions—are not yet in force. They will be commenced in phases by secondary legislation, with dates expected in late 2025 and 2026. Until each provision’s commencement date is announced, organisations must continue to comply with the existing 2003 PECR rules.

Importantly, the reforms are not retrospective. Contact details collected before commencement cannot be brought under the new soft opt-in unless they were collected in circumstances that already met the new conditions, including an opt-out at the point of collection. As a result, charities will need to maintain parallel marketing regimes: traditional consent-based communications for pre-commencement data, and soft-opt-in communications for new supporters meeting the updated criteria. This dual system will increase administrative burden in the short term and require careful Customer/Supporter Relationship Management configuration, particularly for larger organisations with long-standing supporter databases.
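The Regulation 22(3A) conditions set out above, together with the transitional rule that the soft opt-in is unavailable before commencement and that older records qualify only if they already met every condition at collection, can be turned into a lawful-basis router for a supporter database. This is an added example for this page, not the author's or any CRM vendor's code; the field names, purpose labels and the COMMENCEMENT date are assumptions, the date being a placeholder because the real one will be set by secondary legislation.

```javascript
// Added example, not code from the article. Field names and purpose labels are
// assumptions; COMMENCEMENT is a placeholder, not the real commencement date.
const COMMENCEMENT = new Date('2026-01-01T00:00:00Z'); // placeholder date

// Does this record satisfy every Regulation 22(3A) condition for this message?
// Collection date is irrelevant here: a pre-commencement record qualifies only
// if it already met these conditions, including the opt-out at collection.
function meetsSoftOptIn(record, message) {
  return (
    record.charity === message.charity &&          // engaged with this specific charity
    record.collectedWhileSupporting === true &&    // details given while supporting / expressing interest
    record.optOutOfferedAtCollection === true &&   // simple, free opt-out at the point of collection
    record.optedOut !== true &&                    // has not objected since
    message.purpose === 'charity-purposes' &&      // sole purpose furthers the charity's purposes
    message.optOutIncluded === true                // opt-out offered in this communication too
  );
}

// Basis on which this message may be sent to this record: 'consent', 'soft-opt-in' or 'none'.
function marketingBasis(record, message, sentAt = new Date()) {
  if (record.optedOut === true) return 'none';
  if (record.explicitConsent === true) return 'consent';      // pre-existing consent route
  if (sentAt < COMMENCEMENT) return 'none';                    // provision not yet in force
  return meetsSoftOptIn(record, message) ? 'soft-opt-in' : 'none';
}

// Segment a database into the parallel regimes so the dual system can be planned.
function segment(records, message, sentAt) {
  const out = { consent: 0, 'soft-opt-in': 0, none: 0 };
  for (const r of records) out[marketingBasis(r, message, sentAt)] += 1;
  return out;
}

// Constructed sample records (not real supporter data).
const SAMPLE = [
  { id: 1, charity: 'c1', explicitConsent: true, collectedWhileSupporting: true, optOutOfferedAtCollection: false },
  { id: 2, charity: 'c1', collectedWhileSupporting: true, optOutOfferedAtCollection: true },
  { id: 3, charity: 'c1', collectedWhileSupporting: true, optOutOfferedAtCollection: false }, // old form had no opt-out
  { id: 4, charity: 'c2', collectedWhileSupporting: true, optOutOfferedAtCollection: true },  // engaged with another charity
  { id: 5, charity: 'c1', collectedWhileSupporting: true, optOutOfferedAtCollection: true, optedOut: true },
];
const APPEAL = { charity: 'c1', purpose: 'charity-purposes', optOutIncluded: true };
```

Records that land in `none` (such as id 3, collected on a form without an opt-out) are the ones a charity would need to re-permission or keep on the consent route rather than migrate.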

The effectiveness of the new soft opt-in will therefore depend not only on legal reform but also on how well organisations prepare to operationalise it. For some charities, particularly those with limited technical capacity, the cost-benefit analysis may not immediately justify a full shift to the new model. Over time, however, the regime should reduce unnecessary reliance on consent and support more regular and relevant engagement with supporters.

Conclusion

DUAA brings welcome modernisation to PECR and strikes a more proportionate balance between user protection and organisational flexibility. The charitable-purpose soft opt-in is a significant policy shift that acknowledges the distinct public-benefit role of charities and the constraints created by the previous consent model. Nevertheless, the reform’s narrow scope, strict purpose limitations and prospective application mean that compliance challenges will persist.

The ICO’s forthcoming detailed guidance—currently under consultation—will play a critical role in shaping how the sector adapts. In the meantime, organisations may find that a simplified, more transparent cookie architecture delivers both compliance and operational benefits. A practical approach is to maintain a lean analytics stack that falls squarely within Schedule A1, while continuing to obtain opt-in consent for all advertising, attribution or behavioural measurement activity. Embedded third-party tools—such as social media widgets or ad-funded video players—should be configured to avoid setting non-exempt cookies on page load and activate only when a user interacts with them.

Charities should therefore take proactive steps now: review supporter journeys, update data collection mechanisms, revise privacy notices, segment databases, and ensure governance systems can support the dual-regime transition. With thoughtful implementation, the charitable soft opt-in has the potential to rejuvenate supporter engagement while maintaining high standards of transparency and trust.
