DUAA enforcement is here. GDPR-level fines, ADM oversight, cookie strategy, and the June 2026 complaints-handling deadline explained.
Topics: UK GDPR, DUAA, Enforcement, ADM, Consent
The UK’s Data (Use and Access) Act 2025 (DUAA) is no longer a theoretical reform. Enforcement is now arriving with real force. As organisations race toward the June 2026 deadlines, the gap between prepared and unprepared teams is widening fast.
From Post-Brexit Reform To Real-World Risk
The DUAA represents the UK’s major post-Brexit overhaul of data protection and digital governance. It works alongside UK GDPR and the Data Protection Act 2018, but it changes how regulators approach digital harms.
Most importantly, it reframes nuisance calls, invasive tracking, and opaque decision-making as serious governance failures, not minor irritations. Consequently, boards and executive teams can no longer treat these areas as low-priority compliance items.
Maximum fines for nuisance calls and tracking violations now reach GDPR levels: up to £17.5 million or 4% of global turnover. This change puts direct marketing and cookie compliance firmly into senior risk registers rather than marketing backlogs.
Automated Decision-Making And "Meaningful" Human Intervention
At the same time, the DUAA tightens expectations around Automated Decision-Making (ADM). Organisations using AI, scoring models, or algorithmic profiling must now evidence "meaningful human intervention" where decisions carry legal or similar effects.
This means human reviewers must understand the decision logic, challenge outcomes, and override systems where necessary. Rubber-stamping AI output is no longer defensible as real oversight.
In practice, teams need clear workflows for escalation, review, and documentation. Audit trails must show who checked what, when, and on which criteria. Without this evidence, regulators are likely to conclude that ADM is effectively unchecked.
Cookie Consent And Tracking: From Friction To Strategy
The DUAA also pushes cookie and tracking compliance into a new phase. Consent must be specific, informed, and freely given, and dark patterns are now an explicit enforcement priority.
Therefore, consent banners must avoid pre-ticked boxes, confusing design, and hidden reject options. They must also reflect the actual tracking stack, including analytics, advertising tags, and embedded third-party tools.
This shift creates operational tension for many organisations. Marketing teams want granular data and optimisation, yet regulators demand restraint and transparency. The organisations that win will treat consent management as part of customer experience, not a legal bolt-on.
New Complaints-Handling Duties From June 19, 2026
Perhaps the most underestimated DUAA change arrives on June 19, 2026. From this date, organisations must follow formal complaints-handling rules for data disputes.
They must acknowledge complaints quickly, investigate them, and resolve issues within 30 days, unless clearly justified otherwise. If organisations fail to do so, the ICO can intervene directly and escalate investigations faster.
This creates a clear need for structured intake, triage, and tracking of privacy complaints. Ad-hoc email chains and disconnected spreadsheets will not withstand scrutiny once disputes become contested.
How Privacy360 Helps You Get Ahead
Privacy360 is built to help organisations move from reactive compliance to structured, scalable governance. Its integrated modules centralise assessments, DSARs, complaints management, and AI governance in one place.
For DUAA readiness, organisations can use Privacy360 to:
- Implement a dedicated complaints-handling framework before the June deadline.
- Route privacy complaints to the right owners and track deadlines automatically.
- Maintain a full audit trail of communications, decisions, and outcomes for ICO review.
In addition, Privacy360’s AI Governance framework supports audits of AI-driven ADM. It helps teams document human intervention points, decision criteria, and escalation rules for high-impact use cases.
For organisations needing deeper strategic support, Formiti offers global privacy consultancy services. The Formiti team helps design complaints-handling processes, ADM governance models, and cookie strategies aligned with the DUAA and UK GDPR. Explore these services at Formiti – Global Data Protection Consultancy.
Are you already handling privacy complaints through a structured workflow, or is it still managed mainly by email?