Data law | UK Regulatory Outlook July 2025

UK updates 

Data (Use and Access) Act 2025: official resources  

The Data (Use and Access) Act 2025 became law on 19 June 2025. We have published an Insight covering some of the changes the new law brings to the UK data landscape.  

The Department for Science, Innovation and Technology has published a collection of resources on the new Act: 

• Data (Use and Access) Act 2025: factsheets (covering the UK GDPR, the Data Protection Act 2018, the Information Commissioner's Office (ICO), and the Privacy and Electronic Communications Regulations (PECR)).
• Data (Use and Access) Act 2025: data protection and privacy changes.
• Data (Use and Access) Bill: factsheets (covering the topics of growing the economy, improving public services, and making lives easier). 

See also the ICO's own materials covering changes that the new Act makes on data protection, PECR, and the ICO, including useful detailed summaries. The ICO also sets out plans for publishing new and updated guidance flowing from the Act, including a timetable which indicates that there will be public consultations on some of the proposed updated guidance. Areas for public consultation include: 

• Automated decision making.
• Organisations' complaints handling processes.
• The new "recognised legitimate interests" lawful basis.
• Exceptions for research, archiving and statistics. 

ICO seeks views on its approach to regulating online advertising 

The ICO has published a call for views on its approach to enforcement of the regulation 6 consent requirements of the PECR. 

It is exploring whether there are scenarios where storage and access of information for certain advertising purposes can pose a low risk to users' privacy, potentially eliminating the need for consent. As the law currently stands, publishers deploying online advertising technologies must obtain consent, because their activities involve storing or accessing information on people's computers, mobiles and other devices. Storage and access technologies for online advertising purposes do not qualify for any of the exceptions to regulation 6 requirements.  

Although the ICO acknowledges that some online advertising will always necessitate consent, it is also considering whether a risk-based approach to enforcing PECR could enable publishers to deliver online ads to users without consent, provided that the privacy risk is low.  

The call for views closes on 29 August 2025. 

In early 2026, the ICO intends to publish a statement identifying advertising activities that are unlikely to trigger enforcement action under PECR, considering safeguards it would expect to reduce risks to users. This is in line with its 2025 online tracking strategy – see this MarketingLaw article for more.  

ICO seeks views on its updated guidance on cookies and other storage and access technologies 

The ICO has also launched an updated consultation on its draft storage and access technologies guidance (previously known as the "detailed cookies guidance"). As a reminder, the ICO originally consulted on this draft guidance in a consultation that closed in March 2025.  

It has now added a new chapter which updates the guidance following the introduction of the Data (Use and Access) Act 2025 and the exemptions it contains from requiring consent for cookies relating to low-risk functions, such as, for example, statistical analysis and website improvement. This follow-up consultation closes on 26 September 2025, after which the revised guidance will be finalised. 

ICO publishes call for views on international transfers guidance 

The ICO has published a call for views to gather input on its current guidance on international transfers. The regulator wants to understand what sort of changes to the guidance might make it quicker and easier for businesses to transfer personal data safely. This follows on from a commitment made by the ICO in its response to the government's request for proposals to foster sustainable economic growth.  

EU updates 

EDPB and EDPS publish joint opinion on proposed simplification measures for SMEs and SMCs 

A joint statement was issued by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) in response to the EU Commission's proposal to amend data protection laws, including the EU GDPR, to simplify regulatory requirements for small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs). See this Regulatory Outlook for more. 

The EDPB and EDPS support the general objective to simplify, provided it does not result in diminishing the right to protection of personal data. They note that the proposal does not include an assessment of the consequences on fundamental rights (which they say should have been carried out) and make recommendations including clarifying in the recitals that: 

• A record of processing will only be mandatory for processing "likely to result in a high risk" to privacy.
• Processing under Article 9(2)(b) GDPR (exemption to processing special category personal data in order to comply with employment, social security and social protection laws) will not require a processing record to be maintained, unless it is likely to result in a high risk to privacy.
• The term "organisation" does not include public authorities and bodies. 

The EDPB and EDPS also recommend that there should be reference in the amended Article 30(5) GDPR to the newly introduced definitions of SMEs and SMCs. They ask why the threshold of organisations with fewer than 750 people employed is appropriate for the GDPR, and why the threshold of 500 employees, which came out of an informal consultation by the Commission with the EDPB and the EDPS, has been estimated as too low.