The Data (Use and Access) Bill Passes in the House of Lords | DMA

The Data (Use and Access) Bill has now passed the House of Lords and is expected to receive Royal Assent from the King in the coming days or weeks. When it does, this landmark piece of legislation will become law, ushering in one of the most significant updates to the UK’s data protection framework since GDPR.

While most of the Bill was agreed with broad cross-party support, its final passage was delayed by a disagreement—commonly known as “ping pong”—between the Commons and the Lords over Baroness Kidron’s amendment concerning copyright protections in the age of AI. The House of Lords ultimately conceded to the authority of the elected chamber, clearing the way for the legislation to progress.

The DMA will be providing updated guidance, resources and training opportunities to help members prepare for the incoming changes. As the new rules come into force, our policy and compliance teams are on hand to assist with interpretation and implementation. Whether you need strategic advice or practical tools, the DMA will help ensure you can both meet your regulatory obligations and take full advantage of the opportunities it creates for your business.

Many of the important changes in the Bill are there because of the DMA and our members’ direct involvement. Across two governments, the DMA has worked closely with Ministers, departmental officials, and Parliamentarians to shape the Bill in a way that supports responsible data-driven growth. CEO Chris Combemale chaired the Secretary of State’s Business Advisory Group; DMA-hosted roundtables enabled members to speak directly with government; and several Lords actively championed DMA-proposed amendments, referencing them in debate. These key changes—driven by input from DMA members—reflect our longstanding aim to balance innovation with privacy, fuelled by the customer-first principles in the DMA Code. Below are some of the key changes.

Greater Certainty on the Use of Legitimate Interests

The most important reform for DMA members is the greater certainty around the use of Legitimate Interests as a lawful basis. Article 6.1(f) has been amended to include specific examples—drawn from Recitals 47, 48 and 49 of UK GDPR—that list direct marketing, intra-group administrative transfers, and network security as activities that may rely on Legitimate Interests. This improves clarity in the main legislative text and aligns with recent case law, including the Experian ruling, which confirmed the need for proportionality and recognition of the benefits of direct marketing. The DMA strongly supported this amendment, which helps remove confusion caused by overly cautious legal interpretations since UK GDPR was implemented. Research shows 79% of businesses would be more likely to use this lawful basis if clearer guidance were available. This change supports growth while maintaining individuals’ unfettered right to object to marketing at any time.

Soft Opt-In Extended to Charities

This is a critical amendment for charity members and restores a soft opt-in for email and SMS communications where supporters have provided their details in the course of expressing interest or providing support. It aligns charity communications with the exemption that has existed since 2003 for commercial organisations. The change was reintroduced at Lords Report stage following a DMA intervention, supported by statements from 22 charities and a letter to Secretary of State Kevin Hollinrake. Analysis by the Salocin Group and Wood for the Trees found that enabling email contact could increase annual charitable donations by up to £290 million across the UK. With clear opt-out options still required at the point of data capture, this reform offers charities a powerful tool to better engage supporters and grow income responsibly.

Cookies Reform: Simpler Consent, Fewer Banners

Both governments shared a commitment to reducing interruptive and ineffective cookie consent banners. While DUA doesn’t eliminate consent requirements entirely, it introduces specific exemptions that bring meaningful change. Cookies used for strictly necessary purposes, internal statistical analysis, improving functionality, security updates, or emergency assistance will no longer require consent. These exemptions particularly benefit websites without advertising, such as B2B services, ecommerce platforms, and charities, who may now be exempt from banners altogether. Even where consent is still needed, banners will be simpler, easier to manage, and offer fewer confusing choices. This improves user experience and reduces operational costs.

Enabling Beneficial AI and Automated Decision-Making

Amendments to Article 22 clarify that automated decision-making may continue where it is beneficial and low risk. The strongest restrictions are limited to cases involving special category data. Significant decisions based solely on automated processing will now be permitted if individuals are informed about the decision, can make representations, and can obtain human review or contest the outcome. This ensures that marketing and customer insight activities, such as product recommendations or segmentation, can continue under fair safeguards. “Solely automated decision-making” and “significant effects” are now defined with the same meaning as in the DPA 2018, providing continuity and clarity.

Unified Codes of Conduct for UK GDPR and PECR

The DMA has worked with the ICO for several years on a Direct Marketing Code of Conduct. Previously, ICO lawyers determined that UK GDPR could not cover PECR issues within a single document, but the DUA changes that. The Bill enables Codes of Conduct under PECR to be incorporated into the same document as those under UK GDPR. This allows for collaborative, sector-specific regulation backed by an independent monitoring body—the Data and Marketing Commission—which will adjudicate on complaints about Code Signatories. This reform ensures that the Code can cover the full spectrum of marketing activities, from segmentation to email delivery, enhancing both consumer protection and business clarity.

ICO Modernisation

The structure and remit of the Information Commissioner’s Office will be modernised under the Bill. The ICO will transition from a corporation sole to a corporate body known as the Information Commission, overseen by a Chair and non-executive board. Crucially, the ICO will now be required to consider the public interest in promoting innovation and competition alongside privacy and data protection. This aligns with Recital 4 of UK GDPR and the principles of the DMA Code. It is intended to support more balanced decision-making and a better understanding of the real-world implications of data regulation.

Boosting Research and Innovation

The Bill expands the definition of scientific research to explicitly include commercial activity. This means that market research, product development, and technological innovation—whether privately or publicly funded—can now benefit from the same legal privileges as academic research. The reforms also apply to processing for statistical purposes where the resulting information is anonymised and not used to make decisions about individuals. This provides legal certainty and reduces compliance burdens for research-led businesses. It’s a positive step for driving UK innovation and growth.

PECR Enforcement Aligned with UK GDPR

The maximum penalties for breaches of PECR—covering nuisance calls, emails and texts—will now be brought in line with UK GDPR: up to £17.5 million or 4% of global turnover. This is a significant increase from the previous cap of £500,000. It aligns enforcement across the two frameworks and sends a clear signal that poor practices will be met with serious consequences. Ethical, compliant marketers will benefit from a more level playing field and greater public trust.

Direct Marketing Legally Defined Across All Laws

The legal definition of direct marketing from DPA 2018—“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”—has now been added into the text of both UK GDPR and PECR. This creates legal clarity and consistency across the key data protection frameworks. It ensures all parties—regulators, businesses, and the public—are working from a shared understanding of what direct marketing entails. This will reduce compliance uncertainty and support better regulatory outcomes.

EU Data Adequacy Preserved

The Bill has been drafted to maintain full consistency with core EU data protection principles and European Court of Justice rulings. This is essential for preserving the UK’s adequacy status, which enables the free flow of personal data from the EU to the UK. DMA members consistently identified this as the most critical risk of any UK data reform. The government’s approach reflects legal clarity and alignment with risk-based, proportionate interpretation, helping ensure UK organisations remain competitive in global markets.

DMA Guidance & Support

Resource: Do Data Right With the New DMA Data Protection Templates

With the imminent passage of the Data (Use and Access) Bill, as well as the prospect of AI regulation, organisations face renewed pressure to ensure their data practices are not only compliant but also transparent, ethical, and customer-centric.

In response, the DMA is proud to launch a powerful new suite of data protection templates, exclusive to DMA members, to help businesses “Do Data Right” in accordance with the DMA Code.

These templates, alongside the DMA Legal Helpdesk, give members peace of mind, expert support, and a pathway to compliance in a changing legal environment. Download them here.

Upcoming Webinar: How to Maximise Email Marketing for Charities in the Soft Opt-In Era

The introduction of the soft opt-in for the charity sector unlocks a significant opportunity: the ability to engage more supporters, build stronger relationships, and unlock an estimated £290 million in additional annual fundraising.

How can charities make the most of this change while ensuring full compliance?

Join the DMA and Wood for Trees, part of the Salocin Group, on 9 July for a practical, insight-driven webinar that explores:

  • Understanding the soft opt-in: What it means, how it differs from consent, and how to apply it effectively.
  • Navigating compliance: Creating consent mechanisms that align with evolving regulations.
  • Building a strong data foundation: Optimising supporter data for compliant, impactful email marketing.
  • Crafting high-performing email strategies: Creating personalised, data-led journeys that drive long-term supporter engagement.

Book your spot to discover how to turn this regulatory change into fundraising growth.
