Cookie Compliance Under UK GDPR and DUAA 2025: What SMEs Need to Know

6 minutes read
Laptop showing a cookie consent banner with accept and reject options for UK cookie compliance

Cookies are a core part of modern web design. They keep your shopping cart items in place, remember your language preference and help websites understand how visitors use their pages. Yet cookies also raise significant privacy concerns. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR) govern how organisations can deploy cookies. The Data (Use & Access) Act 2025 (DUAA), which received Royal Assent in June 2025 and is being brought into force in stages, amends PECR and raises the maximum penalties for breaching it to UK GDPR levels, making cookie compliance even more important for small and medium-sized enterprises (SMEs). This guide explains the types of cookies, why consent matters and how to align your practices with the law.

What Are Cookies and Why Do They Matter?

A cookie is a small piece of data that a website asks your browser to store and send back on later requests. Cookies help sites function properly, remember your preferences and understand how visitors interact with the site. For businesses, cookies enable analytics, personalise content and support targeted advertising. The identifiers they carry are routinely combined with IP addresses, device details and browsing behaviour, and because that combination can single out a person, it is personal data subject to data protection law.

Under the UK GDPR, cookie identifiers can be personal data. Under PECR, organisations must obtain consent before storing or accessing information on a user’s device, except where the cookie is strictly necessary to provide a service the user has explicitly requested. Non-essential cookies – including those used for analytics, functionality and marketing – require valid consent and must not be set until it has been given. With the DUAA bringing PECR penalties up to UK GDPR levels and raising the bar for accountability, SMEs cannot ignore these obligations.

Categories of Cookies

Understanding the different types of cookies helps you determine which require consent and how to communicate their purpose. The main categories are:

  • Strictly Necessary Cookies: These are essential for the website to deliver what the user asked for, for example session identifiers, CSRF tokens, security controls and load balancing. They do not require user consent but must still be explained in your cookie notice.
  • Performance or Analytics Cookies: These cookies collect data about how visitors use your site, such as which pages they visit and how long they stay. Tools like Google Analytics fall into this category. Because they are not essential, you need consent before placing them.
  • Functionality Cookies: These remember user preferences and settings, such as language or region. They enhance the user experience but are not strictly necessary for the requested service, so under current ICO guidance consent is required.
  • Marketing or Advertising Cookies: These track users across websites to display relevant ads and measure campaign performance. They often involve third parties and require explicit consent.

Knowing which cookies you use and why you use them is the first step towards compliance.

Consent Requirements Under UK GDPR

Consent under the UK GDPR must be freely given, specific, informed and unambiguous. Pre-ticked boxes, implied consent or bundling consent with other terms are not allowed. Users must understand what they are agreeing to and should be able to withdraw consent as easily as they give it. Your cookie banner should clearly state the categories of cookies, allow users to accept or reject each type, make rejecting as easy as accepting (a “reject all” option as prominent as “accept all”) and link to a detailed cookie policy.

Your cookie notice should explain what cookies are, list the cookies used on your site and describe their purpose, expiry and whether they are set by you or a third party. Athlex’s cookie notice outlines plans to provide a full list of cookie names, purposes and expiry dates. It also reminds users that they can manage preferences via the cookie banner or browser settings. Providing this level of detail helps build trust and meets regulatory expectations.

New Rules Under the DUAA 2025

The Data (Use & Access) Act 2025 amends PECR, the regulations that govern cookies. It confirms that consent must be sought clearly and separately from other requests, that pre-ticked boxes and implicit consent are not acceptable, and that users must have a genuine choice and be able to withdraw consent as easily as they give it. It also brings the penalties for breaching PECR into line with UK GDPR fines, so the practical effect is stronger enforcement of principles that already apply. One caveat: the Act also provides for narrow exceptions from consent for certain low-risk cookies (for example, those used solely for statistical purposes about the service, subject to conditions), but the scope of those exceptions depends on commencement and ICO guidance, so continue to treat analytics and functionality cookies as requiring consent until the ICO says otherwise. SMEs should audit their cookie practices now to prepare for these changes.

Third-Party Cookies and Marketing

Many websites rely on third-party services for analytics, advertising or social media integration. Third-party cookies may be set by companies like Google, LinkedIn or Mailchimp when their scripts run on your pages. When you use these services, you remain responsible for informing users about the cookies and obtaining consent. You should list each third party in your cookie notice and link to their own privacy or cookie policies. The DUAA’s focus on electronic marketing rules means that organisations that send targeted ads must be especially careful to document and manage cookie consents.

How to Achieve Compliance

  1. Audit Your Cookies: Identify every cookie set on your site, its purpose, its lifetime and whether it is first- or third-party. Capture Set-Cookie headers and script-set cookies with your browser’s developer tools or a crawler, and pay special attention to tag managers, plugins and embedded third-party scripts that add cookies without your knowledge.
  2. Update Your Cookie Policy: Ensure your cookie policy is comprehensive and up to date. Use clear language to describe each cookie category and its purpose. Provide information about how users can manage their preferences and withdraw consent.
  3. Implement a Consent Management Platform: Use a compliant cookie banner that allows users to accept or reject cookies by category. Non-essential cookies, and the scripts that set them, must be blocked until the user makes a choice, not merely hidden behind a banner. The banner should not obstruct access to strictly necessary services and should not disappear until the user makes a choice.
  4. Record Consent: Keep a record of each consent, including which categories were accepted, the time stamp and the version of your cookie policy in place at the time, and treat a change to the policy as a reason to ask again. This documentation is essential if regulators investigate your practices.
  5. Review Third-Party Services: Check that your third-party providers also comply with the UK GDPR and DUAA. You may need to update contracts to ensure they assist with consent management and honour users’ choices.
  6. Monitor Changes: Cookie laws evolve. Follow updates from the Information Commissioner’s Office and review your cookie practices regularly. The DUAA is being rolled out in stages, so more guidance is expected in the coming months.
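
Steps 1, 3 and 4 above have a concrete technical core: classify what is actually being set, block non-essential categories until a choice exists, and keep an evidenced record of that choice. The following is an added example, not Athlex’s code or part of any consent platform, showing one way to implement those pieces. The site host www.example.co.uk, the policy version label 2025-10 and the captured Set-Cookie headers are all constructed for the illustration.

```javascript
// Added example: consent gating and cookie-audit helpers (not Athlex's code).
// Assumed values: the site host "www.example.co.uk", a cookie-policy version
// label "2025-10", and the four category names used in the article.

const CATEGORIES = ["necessary", "analytics", "functionality", "marketing"];
const POLICY_VERSION = "2025-10"; // bump whenever the cookie policy changes

// Turn the user's banner choices into a consent record. Only categories the user
// explicitly set to true are granted; anything else is refused (no pre-ticked
// boxes, no implied consent). "necessary" needs no consent and is always on.
function recordConsent(choices, now = new Date()) {
  const granted = { necessary: true };
  for (const category of CATEGORIES) {
    if (category !== "necessary") granted[category] = choices[category] === true;
  }
  return { policyVersion: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// Withdrawal must be as easy as giving consent: return a fresh record with the
// category refused and a new timestamp, so the withdrawal itself is evidenced.
function withdrawConsent(record, category, now = new Date()) {
  const granted = { ...record.granted, [category]: category === "necessary" };
  return { ...record, timestamp: now.toISOString(), granted };
}

// Gate a category on the stored record. No record, or a record taken under an
// older policy version, permits strictly necessary cookies only, so the caller
// re-shows the banner instead of relying on stale consent.
function isAllowed(record, category) {
  if (!record || record.policyVersion !== POLICY_VERSION) return category === "necessary";
  return record.granted[category] === true;
}

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// First-party if the cookie is scoped to the site's own host or a parent domain
// of it; anything scoped elsewhere was set by a third party and belongs in the
// notice with a link to that party's policy. Simplification: no public-suffix
// list, so use this as the starting point for a manual audit, not the last word.
function classifyCookie(cookie, siteHost, responseHost) {
  const scope = String(cookie.attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  const site = siteHost.toLowerCase();
  return site === scope || site.endsWith("." + scope) ? "first-party" : "third-party";
}

// Lifetime as it should appear in the notice: Max-Age wins over Expires;
// neither means a session cookie.
function cookieExpiry(cookie) {
  if (cookie.attrs["max-age"] !== undefined) return `${cookie.attrs["max-age"]}s`;
  if (cookie.attrs.expires !== undefined) return cookie.attrs.expires;
  return "session";
}

// Audit a batch of captured Set-Cookie headers (from dev tools or a crawler)
// and produce the rows a cookie notice needs: name, who set it, party, expiry.
function auditCookies(captured, siteHost) {
  return captured.map(({ responseHost, header }) => {
    const cookie = parseSetCookie(header);
    return {
      name: cookie.name,
      setBy: responseHost,
      party: classifyCookie(cookie, siteHost, responseHost),
      expiry: cookieExpiry(cookie),
    };
  });
}

// Constructed sample capture: three headers as a crawler might record them.
const SAMPLE_CAPTURE = [
  { responseHost: "www.example.co.uk", header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { responseHost: "www.example.co.uk", header: "_ga=GA1.2.111.222; Domain=.example.co.uk; Path=/; Max-Age=63072000" },
  { responseHost: "ads.doubleclick.net", header: "IDE=xyz; Domain=.doubleclick.net; Path=/; Expires=Wed, 01 Jan 2027 00:00:00 GMT; Secure; SameSite=None" },
];

console.log(JSON.stringify(auditCookies(SAMPLE_CAPTURE, "www.example.co.uk"), null, 2));
const consent = recordConsent({ analytics: true }); // user accepted analytics only
console.log("load analytics script:", isAllowed(consent, "analytics"));   // true
console.log("load marketing script:", isAllowed(consent, "marketing"));   // false
```

The gating function is the piece a banner must call before injecting any analytics or marketing script; the policy-version check is what turns step 4’s record into something you can defend, because a consent given under a superseded policy is not reused silently.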

Benefits of Compliance

Beyond avoiding fines, strong cookie compliance improves user trust. Transparent communication about how you use data shows that you respect privacy. It can also improve the quality of your analytics, because data gathered with valid consent can be relied on rather than discarded or challenged later. Finally, compliance helps future-proof your business as regulators around the world tighten privacy rules.

Conclusion

Cookies are powerful tools that enhance websites but must be used responsibly. For SMEs, the combination of UK GDPR, PECR and the DUAA 2025 as it comes into force means that cookie compliance is no longer just a technical issue – it is a strategic imperative. By auditing your cookies, updating your policies, obtaining valid consent and keeping clear records, you can meet regulatory requirements and build lasting customer trust. Now is the time to get your cookie house in order before the new rules take effect.


A Complaints Revolution?

6 minutes read
What the Data (Use & Access) Act 2025 Means for Your Business
Hands holding a pen and checklist titled “Complaints Procedure” on a blue background, with a speech bubble icon and magnifying glass.

The UK’s data protection rules are changing again. Here’s what small and medium-sized businesses need to know about the new legal duty to handle data protection complaints and how to get ready.

Why this matters

The Data (Use & Access) Act 2025 introduces a major new responsibility for UK businesses. For the first time, organisations will be legally required to have a formal process for handling data protection complaints.

This means every business that processes personal data will need a clear way for people to raise concerns, and a plan for how those complaints are recorded, investigated and resolved.

The change builds on the existing UK GDPR and Data Protection Act 2018. It does not replace them, but it strengthens the rules around accountability and response times. The goal is simple: to make sure individuals can trust that their data rights are taken seriously.

If your business already manages data protection complaints properly, this may only mean a few small updates. But if you currently respond on an ad-hoc basis or tend to dismiss complaints that seem unfounded, it is time to make changes now.

The new duty in a nutshell

The Act received Royal Assent on 19 June 2025 and is being introduced in stages. The key stage for most organisations, currently expected around 12 months from Royal Assent (so around mid-2026), is the new legal duty to handle complaints.

Under this duty, you will need to:

  • Acknowledge data-protection complaints within 30 days and tell people what will happen next
  • Investigate and respond promptly, without unnecessary delay, explaining the outcome in plain language
  • Record every complaint and document how and when it was resolved
  • Train staff to recognise, log and properly escalate data-protection complaints

These rules apply to all organisations that process personal data, regardless of size or sector.

You can read the official rollout plan on GOV.UK https://www.gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement

Two ICO consultations shaping the change

The Information Commissioner’s Office (ICO) is currently running two consultations to help define what “good” looks like in complaint handling.

  1. Guidance for organisations, explaining how to set up and manage a complaint-handling process.
    Deadline: 19 October 2025
    ICO Consultation on Complaints Guidance for Organisations
  2. The ICO’s own complaint-handling framework, which outlines how the regulator will assess and respond to complaints once the law is in force.
    Deadline: 31 October 2025
    ICO Consultation on Changes to How We Handle Data Protection Complaints

The first consultation tells you what your business needs to do. The second explains how the ICO will respond to complaints and what data they will monitor.

The risk of inaction

This is more than a procedural update. The ICO has made it clear that it will monitor complaint trends across sectors. Repeat or unresolved complaints could attract attention and follow-up engagement from the regulator.

If you do not have a reliable process in place, the risks include:

  • Reputational damage if complaints are mishandled or ignored
  • Evidence gaps that make it difficult to show compliance
  • Closer scrutiny if your business appears in repeated complaint reports

Even complaints that seem minor or unjustified must be logged and responded to. If you choose to ignore them, they will still count towards your complaint history. The ICO will be looking for businesses that can show they act on feedback, not those that hope issues go away.

If you already manage complaints effectively, you are in a good position. If not, now is the time to act. Setting up a clear process will protect both your reputation and your compliance record.

What good looks like

A compliant complaint-handling process should feel simple and transparent. It should show that you take customers seriously and can evidence your actions.

The ICO’s guidance suggests focusing on:

  • Visibility: make it easy for people to raise a concern, for example by publishing contact details or a form in your privacy notice.
  • Consistency: respond within set timeframes and keep records of all correspondence.
  • Evidence: log complaints in a way that allows you to track progress, outcomes and lessons learned.
  • Governance: review complaint trends regularly to identify recurring issues or training needs.

If you already have a process in place, check that it meets these standards and that your team understands it. If you do not, start simple. A shared inbox and a basic log are often enough for smaller businesses, as long as they are used consistently.

The bigger picture

The new complaint-handling duty is part of a wider move towards greater accountability and user empowerment. Alongside this, the ICO has been setting out its approach to user consent, transparency and digital choice – including its views on Meta’s “consent or pay” advertising model.

Both developments point in the same direction. The UK is not deregulating data protection; it is making it more practical. The focus is on evidence and accountability – being able to show not just that you comply, but that you care about how personal data is handled.

What to do next

If you are unsure where to start, focus on these steps:

  1. Create or review your complaint process.
    Have a clear route for people to raise issues, assign responsibility and set timeframes for acknowledgement and response.
  2. Keep records.
    Track all complaints, even if you think they lack merit. Record what was done, what you found and how you closed the issue.
  3. Update your privacy notice.
    Tell people how they can raise a complaint and what they can expect from you in return.
  4. Train your team.
    Make sure everyone who handles customer or employee data knows how to recognise and escalate a data protection complaint.
  5. Review contracts.
    Ensure any partners or suppliers who handle personal data know their role in your complaint-handling process.
  6. Monitor and improve.
    Look for recurring issues or delays. Fixing small process gaps now will reduce the risk of ICO involvement later.

How Athlex can help

At Athlex, we make compliance clear. We help businesses build practical, proportionate frameworks that work in the real world.

Our services include:

  • Designing or reviewing complaint-handling frameworks
  • Providing outsourced Data Protection Officer (DPO) support
  • Reviewing contracts and supplier arrangements
  • Updating privacy notices and policies
  • Delivering tailored training and audits for your team

If you would like help reviewing your approach to complaints, start with a free GDPR Health Check. We will show you where you stand, what is working well and what to fix first.

Book your free data protection health check.

In summary

The Data (Use & Access) Act 2025 is not a complete rewrite of data protection law, but it will change how accountability is judged.

Businesses with clear, consistent complaint-handling processes will adapt easily. Those without one will need to move quickly. Ignoring complaints – even the unfounded ones – will no longer be an option.

Taking action now will save time later and show your customers that you value their trust.