Data law | UK Regulatory Outlook October 2025
Published on 29th October 2025
UK: ICO consults on new 'charitable purpose soft opt-in' under DUA Act | ICO survey on advice when sharing data to prevent, detect and investigate scams and fraud | Clearview AI face recognition case: Upper Tribunal rules that Clearview processing falls within GDPR | EU: EDPB guidelines on the interplay between the DSA and the GDPR | European Commission and EDPB draft joint guidelines on interplay between the DMA and the GDPR | Formal withdrawal of proposal for e-Privacy regulation | Simplifying EU rules on data and cybersecurity | EDPB announces topic for 2026 coordinated action
UK updates
ICO consults on new 'charitable purpose soft opt-in' under DUA Act
The Information Commissioner's Office (ICO) has published a consultation on its approach to the new charitable purpose soft opt-in. The new direct marketing exception for charities stems from section 114 of the Data (Use and Access) Act 2025 (DUA Act), which will add regulation 22(3A) into the Privacy and Electronic Communications Regulations 2003 (PECR). This change is not yet in force, and the ICO expects it to take effect in January 2026.
Generally, under PECR, organisations must obtain people's consent to send them marketing by electronic mail, for example, emails or texts. The existing regulation 22(3) provides an exception to this consent. This exception (commonly known as the "soft opt-in") covers the situation where someone provides their contact details in the course of buying (or "negotiating" to buy) something from a company, and does not opt out of receiving marketing messages at the time of providing their details or subsequently. The company is allowed to send them marketing messages by email for similar goods/services.
Because the existing soft opt-in is limited to a goods/services situation, it does not cover a scenario where a charity wants to contact someone about the charity's objectives. The new "charitable purpose soft opt-in" will partly fill this gap by allowing charities to send electronic mail without people's prior consent for marketing purposes where:
- the only purpose of the marketing is to support one or more of the charity's charitable purposes;
- the charity collected the person's contact details when that person was showing interest in one or more of the charity's charitable purposes at that time, or offering or providing support for one or more of those purposes; and
- the person has been given an easy way to "opt out" (free of charge except for the costs of sending the refusal), both when the details were first collected and, if the person did not initially refuse, with each future marketing message.
The ICO highlights that the exception is unlikely to allow charities to send electronic mail marketing to people whose contact details they collected before the "charitable purpose soft opt-in" becomes effective.
The feedback to the consultation (which closes on 27 November 2025) will assist the ICO with updating the relevant sections of its existing guidance on direct marketing and privacy and electronic communications.
ICO survey on advice when sharing data to prevent, detect and investigate scams and fraud
In November 2024, the ICO published its advice on sharing personal information when preventing, detecting and investigating scams and frauds. The regulator is now running a survey to gather feedback on this guidance to understand its impact, how it has supported data sharing and ways in which it can be improved.
The survey closes on 31 December 2025.
Clearview AI face recognition case: Upper Tribunal rules that Clearview processing falls within GDPR
EU updates
EDPB guidelines on the interplay between the DSA and the GDPR
The European Data Protection Board (EDPB) has published draft guidelines on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR).
The guidelines aim to facilitate consistent interpretation and application of the DSA and the GDPR. The DSA contains a number of provisions that relate to data protection, such as those referring to "profiling" and "special categories of data", and has implications for the processing of personal data by the intermediary service providers that the DSA regulates.
The guidelines explain how the GDPR should be applied in the context of the DSA provisions, such as notice-and-action systems for reporting illegal content, recommender systems used by online platforms, the provisions to protect minors, transparency of online advertising, and the prohibition of profiling-based advertising using special category data.
The guidelines are subject to a consultation closing on 31 October 2025.
European Commission and EDPB draft joint guidelines on interplay between the DMA and the GDPR
The Commission and the EDPB have published draft joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The aim is to improve clarity and certainty for businesses in the EU when complying with both the DMA and the GDPR, particularly where they overlap.
Areas covered by the draft guidelines include the provisions in the DMA on the combination and portability of users' data (which involves processing personal data and therefore also requires compliance with the GDPR), and the DMA provisions relating to alternative app stores and distribution channels for apps (in relation to which gatekeepers can only put measures in place that are strictly necessary and proportionate and that comply with the GDPR).
The consultation closes on 4 December 2025.
Formal withdrawal of proposal for e-Privacy regulation
The Commission has formally withdrawn its proposal for a new e-Privacy Regulation, as it indicated in its 2025 Work Programme, by publishing its decision in the Official Journal of the EU. The proposal was withdrawn due to there being no agreement among co-legislators and the proposal being outdated because of the introduction of other technology legislation.
Simplifying EU rules on data and cybersecurity
The European Commission has published a call for evidence, which closed on 14 October 2025, as part of research on how to simplify legislation in the upcoming Digital Omnibus, focusing on areas including AI, data and cybersecurity. See the AI section for AI-related proposals.
The Digital Omnibus will include measures targeting problems and seeking simplification in various areas, including the "data acquis" (the Data Governance Act, Free Flow of Non-Personal Data Regulation and the Open Data Directive), rules on cookies and other tracking technologies in the ePrivacy Directive, cybersecurity related incident reporting obligations and other aspects related to electronic identification and trust services under the European Digital Identity Framework. This will focus on:
- The outdated nature of some of the rules and the need for further coherence and predictability.
- The fragmentation of the "data acquis", so that rules that logically concern the same areas, such as access to and re-use of public sector data, are split across multiple instruments, adding unnecessary complexity, in particular for smaller and mid-cap companies.
- Rules to foster the uptake of data sharing mechanisms that are perceived as unnecessarily complex or unclear and as challenging for scaling up such mechanisms. This is partly because current legislation foresees special rules to support SMEs, but not small mid-caps, creating a "cliff edge".
- Outdated rules on cookies/tracking technologies, which require pragmatic and immediate clarifications to limit consent.
The objective is to reduce the administrative costs of compliance including by:
Data
- Reducing compliance costs in relation to the access, use and sharing of data by reducing fragmentation of rules and their application, clarifying the rules and requirements, and by cutting obligations where a less costly alternative exists.
- Minimising costs of businesses reporting cybersecurity and data-related incidents through streamlined reporting processes.
Cookies
- Facilitating the use of cookies and other tracking technologies, reducing cookie consent fatigue and strengthening users' rights, with clear and straightforward information and options for managing cookies.
- Pursuing a stronger alignment between rules on cookies and data protection law, potentially including modernised rules on cookies.
Cybersecurity
- Simplifying compliance with the requirements for incident and data breach reporting where these are regulated by different EU-level rules (whether horizontal or as part of sector specific frameworks) and their transposition at national level.
- Use of reporting tools.
EDPB announces topic for 2026 coordinated action
The EDPB has unveiled the topic for next year's coordinated enforcement action (CEA). The focus for 2026 will be compliance with the GDPR's obligations on transparency and information (in other words, compliance with GDPR Articles 12, 13 and 14). This means that the EDPB will prioritise it as an area for national data protection authorities to work on at Member State level. The results of these national actions will then be aggregated and analysed to generate deeper insight into the topic. If warranted, this might eventually lead to targeted follow-up at both national and EU level in this area.
The EDPB's CEA for the current year has been the implementation of the right to erasure (right to be forgotten) by controllers (see this Regulatory Outlook).