The Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent on 19 June 2025 which makes changes to the UK’s data regime, amending the Data Protection Act 2018 (“DPA”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). In respect of PECR, a key change making the headlines is the significant increase of fines.
Before the changes bought by DUAA, the Information Commissioner’s Office were able to impose fines of up to £500,000 on organisations for breaches of PECR yet, DUAA increases this penalty significantly. Fines given under PECR now align with UK GDPR which can be the higher of £17,500,000 or 4% of an organisation’s total worldwide turnover.
Additionally, rules regarding e-marketing and cookies have been the subject of change under PECR, and thus compliance will be crucial to avoid the increase of fines organisations could face.
Direct marketing – changes to interpretation
The definition of ‘direct marketing’ has been inserted into PECR to match the definition used within the DPA, which states, direct marketing is “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” (section 122 DPA). The inclusion of the ‘direct marketing’ definition into PECR aims to provide consistency amongst data protection legislation.
Further, section 110 of DUAA amends PECR to update key definitions:
- ‘Call’ – to include all marketing calls, and “a reference to making a call includes a reference to attempting to establish such a connection”. A connection therefore does not need to be established.
- ‘Communication’ – will cover all communication, but rather than the previously used terms of “exchanged or conveyed”, the definition will be updated to “any information transmitted”.
- ‘Recipient’ – shall be updated to include an intended recipient.
What does this mean in practice? These changes will affect those in the direct marketing industry because “calls” and “communication” will include those calls and communications transmitted even if they fail to reach the desired recipient. Previously, it was inferred that communication which was “exchanged or conveyed” was required to at least reach an individual. So, even if such communications or calls are not received, anyone participating in direct marketing which causes a nuisance or disturbance to those individuals, may receive a fine.
This will allow charities to send direct marketing texts and emails to those who have raised an interest into their charity but explicit consent has not been given.
Direct marketing – charities
A new soft opt-in rule has been inserted into PECR by DUAA. This will allow charities to send direct marketing texts and emails to those who have raised an interest into their charity but explicit consent has not been given. For a charity to market via electronic communications, the following factors must apply:
- The sole purpose of the direct marketing is to further the charity’s charitable purpose;
- The charity received the recipient’s contact details by the recipient expressing an interest in at least one charitable purpose, or offering to support one of those purposes; and
- The receipt will be able to opt out of the marketing communications.
For more information on the above, see section 114 of DUAA.
Previous legislation meant that charities were only allowed to send marketing material to those who had bought similar products and / or services. Yet, this amendment will allow charities to send marketing communications to people who have only expressed an interest in their work, ultimately broadening the explicit consent exceptions under PECR.
Cookies – further exceptions added
The use of cookies to store user information on a device is prohibited unless one of the exceptions within PECR applies. DUAA expands the current exceptions and relaxes the requirements for consent to be obtained for certain cookie uses. Cookies that will:
- Enhance the service of a website by collecting statistical information;
- Enhance how the service is displayed; and
- Locate the geographical point of a user in response to an emergency
will not require user consent before their use.
The Secretary of State will also be able to alter or create new exceptions (following the necessary consultation with the relevant groups).
For further information, see section 112 of DUAA.
To ensure compliance with any aspect of data protection legislation, get in touch with a member of our data protection team.
