What is the Data Use and Access Act 2025?
The Data Use and Access Act 2025 (DUA) is the Government's post-Brexit reform of UK data protection law, replacing the failed Data Protection and Digital Information Bill. It amends:
- UK GDPR — Modifications to consent, legitimate interests, and data subject rights
- PECR 2003 — Cookie consent changes, updated direct marketing rules
- Data Protection Act 2018 — ICO powers and structure updates
The Act introduces Smart Data schemes (building on Open Banking), establishes a digital ID framework, and creates new National Underground Asset Register requirements.
Key PECR Changes for Telecoms
The most impactful changes for communication providers relate to PECR amendments:
PECR Before DUA 2025
- Consent required for all non-essential cookies
- Soft opt-in limited to existing customer relationships
- B2B marketing required individual consent
- Analytics cookies treated the same as advertising cookies
- No distinction between service and tracking cookies
PECR After DUA 2025
- First-party analytics exempt from consent
- Soft opt-in expanded to B2B communications
- Corporate subscriber can consent for employees
- Clear separation: functional vs tracking cookies
- "Recognised legitimate interests" for essential processing
Cookie Consent Changes
| Cookie Type | Before DUA 2025 | After DUA 2025 |
|---|---|---|
| Strictly necessary (login, security) | No consent required | No consent required (unchanged) |
| First-party analytics | Consent required | No consent required |
| Third-party analytics (Google Analytics) | Consent required | Consent still required |
| Advertising/tracking | Consent required | Consent still required |
| Preference cookies | Consent required | Legitimate interest may apply |
Direct Marketing Amendments
The DUA modifies PECR's direct marketing rules:
- Soft opt-in expansion — Now applies to B2B relationships where you have a corporate subscriber's details through a sale or negotiation
- Corporate consent — A company can give blanket consent for its employees to receive marketing
- TPS checking — Still mandatory for unsolicited marketing calls, no change
- Express consent — Still required for SMS/email marketing to individuals without a prior relationship
Implementation Timeline
Action Items for Telecom Providers
Update Cookie Banner
Revise cookie consent mechanism to reflect first-party analytics exemption. Remove unnecessary consent requests.
HIGH PRIORITY
Review Marketing Processes
Update B2B marketing workflows to leverage expanded soft opt-in. Ensure proper documentation of relationship basis.
HIGH PRIORITY
Update Privacy Policy
Revise privacy policy to reflect DUA changes: legitimate interests explanations, new cookie categories, Smart Data references.
MEDIUM PRIORITY
Legitimate Interests Assessment
Document LIAs for processing now covered by "recognised legitimate interests" in DUA. Maintain evidence.
MEDIUM PRIORITY
Staff Training
Train marketing and customer service teams on new B2B soft opt-in rules and consent requirements.
MEDIUM PRIORITY
Monitor Smart Data Developments
Track DSIT announcements on sector designation. Prepare for potential Smart Data requirements in telecoms.
LOW PRIORITY
Smart Data: Future Implications
The DUA establishes a framework for Smart Data schemes, allowing customers to securely share their data with authorised third parties. While Open Banking pioneered this in financial services, telecoms may be designated in future:
Potential Telecom Applications
- Bill comparison — Customers share usage data with comparison sites for accurate quotes
- Credit scoring — Telecoms payment history shared with lenders (with consent)
- Service bundling — Third parties aggregate multiple telecom services
- Business analytics — Companies analyse communications spend across providers
Preparation Steps
- Understand current data export capabilities and API infrastructure
- Review data portability obligations under existing GDPR Article 20
- Monitor DSIT consultations on telecom sector designation
- Assess technical readiness for secure third-party data sharing
ICO Enforcement Under DUA
The DUA maintains the ICO's enforcement powers with some modifications:
- Maximum fines — £17.5 million or 4% of global turnover (unchanged)
- PECR fines — Up to £500,000 for serious PECR breaches
- New streamlined process — The ICO can issue some penalties without a full investigation
- Appeals — New First-tier Tribunal process for penalty appeals
Relationship with Existing PECR Compliance
If you're already PECR compliant, the DUA changes are relatively minor adjustments:
- Your existing TPS/CTPS checking processes remain unchanged
- Consent mechanisms for individuals remain unchanged
- CLI requirements and traffic data rules remain unchanged
- Main changes: B2B marketing becomes easier, first-party analytics simplified
See our full PECR compliance guide for the complete framework.