Data Protection Law Changes in 2026
On International Data Protection Day we look ahead to explore important changes requiring your attention this year.
The Data (Use and Access) Act 2025 (DUA) received Royal Assent on 19 June 2025. It changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, while still protecting people and their rights. Commencement began in 2025 and all of the Act's provisions will be in force by the end of June 2026.
New Exception for Website Analytics
The DUA Act introduces new exceptions to the Privacy and Electronic Communications Regulations 2003 (PECR) on the use of storage and access technologies, like cookies.
The new ‘statistical purposes’ exception removes the explicit consent requirement that covers basic usage of web analytics, but still requires organisations to “provide the user or subscriber with clear and comprehensive information about the purpose, and a ‘simple and free’ means to object”.
This may allow websites to have simplified, less intrusive consent banners that focus on marketing and tracking consent, while functional cookies can be accepted automatically.
Although the ICO has updated its guidance to include the new exceptions, this change to PECR is not in force yet.
Charity Marketing Soft Opt-in
PECR prohibits organisations from sending unsolicited marketing emails and text messages without the recipient’s consent. Businesses benefit from a soft opt-in, allowing them to send marketing messages to individuals who have previously purchased from them.
DUA extends the soft opt-in to charities, allowing them to send unsolicited marketing messages to individuals who have previously shared their contact details to express an interest in the charity’s purpose or to offer support.
The Direct Marketing Association, supported by a number of well-known charities, estimates that this will increase annual donations in the UK by £290 million.
- The soft opt-in does not apply yet, but will be in force by June 2026.
- The new rule applies to emails and texts but not phone calls.
See the ICO’s draft guidance: What can we do to prepare for the charitable purpose soft opt-in?
This is a good opportunity to review CRM and other IT systems that store supporters’ data and their preferences to ensure that they are robust. For example, it must be possible to separate people who have given consent for marketing email from people who will receive it under the soft opt-in.
AI Research and Automated Decision Making
A number of DUA Act provisions aim to promote innovation, including AI activities within the UK. Adjustments to UK GDPR confirm that commercially funded, private-sector scientific AI research can take advantage of the scientific research exemptions.
Automated decision making (ADM) is where decisions are made without human involvement. Organisations are increasingly using AI to help with their ADM. DUA relaxes the current UK GDPR rules, allowing organisations to use ADM and rely on legitimate interest or other legal bases, removing the requirement for consent.
However, the existing safeguards for individuals regarding ADM have been kept. They require organisations to provide individuals with information about automated decisions and enable them to obtain human intervention where decisions are contested.
Aligned Breach Reporting Timeline
The requirement to report personal data breaches under PECR has now been aligned with the UK GDPR and DPA. You must notify the ICO within 72 hours of becoming aware of the essential facts of the breach.
Data Controllers Must Handle Complaints
DUA introduces an explicit requirement for data controllers to handle complaints from individuals if they think their rights under the UK GDPR have been infringed.
A complaint cannot be referred to the ICO until the organisation’s own process has been followed, unless the ICO considers a matter exceptional enough to intervene directly.
Data controllers are required to:
- Have a process for handling data protection complaints
- Give people a way of making data protection complaints
- Acknowledge receipt of complaints within 30 days
- Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries, and keep people informed
- Inform the data subject of the outcome without undue delay
On a related note, the DUA Act makes it clear that only reasonable and proportionate searches are required when individuals request access to their personal data via a subject access request (SAR). This change is already in law.
Organisations must have a complaints process in place by June 2026, so there is still time to update privacy notices, procedures and governance. The ICO’s draft guidance can be found on their website.
More Information
We’ve highlighted some important changes that come into force in 2026, introduced by the DUA Act. You can find out more by reading: The Data Use and Access Act 2025 (DUAA) – what does it mean for organisations?
Blueloop has the experience and knowledge to help your organisation with data management:
- Offsite Backup
- Disaster Recovery
- Ransomware Protection
- Cyber Security Governance
- IT consultancy and support
For all enquiries, please call 01460 271055 or use our enquiry form.