The UK's digital marketing landscape is undergoing significant changes in 2025, with new legislation impacting how businesses collect, process, and use personal data. Key developments include the introduction of the Data (Use and Access) Bill (DUA Bill) and amendments to the Privacy and Electronic Communications Regulations (PECR). These changes aim to balance innovation with privacy, but they also introduce new compliance requirements for online businesses.
Key Legislative Changes
- Data (Use and Access) Bill (DUA Bill)
The DUA Bill, introduced in late 2024, proposes targeted reforms to the UK's data protection framework. While it retains the core principles of the UK GDPR, it introduces several notable changes, including:- Recognised Legitimate Interests: The Bill amends Article 6 of the UK GDPR to permit data controllers to rely on "recognised legitimate interests" for processing personal data without conducting a legitimate interest assessment. These include processing for direct marketing, intra-group data sharing for administrative purposes, and ensuring network and information security.
- Expanded Special Category Data: The Secretary of State is empowered to introduce new types of special category data through secondary legislation, potentially including children's data.
- Enhanced Data Subject Rights: Privacy notices must now inform individuals of their right to lodge complaints, and there are provisions for more types of special category data.
- Privacy and Electronic Communications Regulations (PECR) Amendments
The PECR has been amended to align its enforcement powers with those under the UK GDPR. This means that breaches related to electronic marketing and cookie usage can now attract fines of up to £17.5 million or 4% of global turnover, whichever is higher. - Increased Scrutiny on Online Tracking
The Information Commissioner's Office (ICO) has intensified its focus on online tracking practices. In 2025, the ICO extended its audit of cookie compliance to the UK's top 1,000 websites, emphasizing the need for transparent and user-friendly consent mechanisms.
Implications for Online Businesses
These legislative changes necessitate several updates to existing GDPR and safeguarding policies:
- Privacy Notices: The updating of privacy notices to include information about new data subject rights, such as the right to lodge complaints, and any processing based on recognised legitimate interests.
- Data Processing Grounds: A review and documenting of the legal bases for data processing activities, particularly if relying on the newly recognised legitimate interests.
- Special Category Data: The monitoring of developments in the classification of special category data, especially concerning children's data, and ensure appropriate safeguards are in place.
- Cookie Compliance: Ensuring that cookie consent mechanisms are transparent, user-friendly, and compliant with the latest PECR requirements.
- Marketing Practices: A re-evaluation of marketing strategies to ensure they align with the updated legal framework, particularly concerning direct marketing and profiling activities.
Actionable Tips for Compliance
- Conduct a Data Audit: Map out all data processing activities to identify areas affected by the new legislation.
- Update Documentation: Revise privacy policies, data protection impact assessments, and records of processing activities to reflect legislative changes.
- Train Staff: Educate employees, especially those in marketing and data handling roles, about the new requirements and best practices.
- Engage with the ICO: Stay informed by regularly consulting the ICO's guidance and updates on data protection and electronic marketing.
- Seek Legal Advice: We specialise in data protection law so you don’t have to. We can help you ensure comprehensive compliance.
By proactively adapting to these legislative changes, online businesses can not only ensure compliance but also build trust with their customers through enhanced data protection practices.
The information provided in this article is provided for general information purposes only, and does not provide definitive advice. It does not amount to legal or other professional advice and so you should not rely on any information contained here as if it were such advice.
Wright Hassall does not accept any responsibility for any loss which may arise from reliance on any information published here. Definitive advice can only be given with full knowledge of all relevant facts. If you need such advice please contact a member of our professional staff.
The information published across our Knowledge Base is correct at the time of going to press.
