UK Data (Use and Access) Act 2025 promises clarity and revenue boost for retailers

03 October 2025

The UK Data (Use and Access) Act 2025 (DUAA) has been enacted to provide greater clarity for businesses regarding the lawful use of customer data, particularly around the concept of ‘legitimate interest.’

This legislative change is expected to significantly impact marketing strategies and customer engagement within the retail sector, with projections indicating a potential uplift in retailer revenues.

The new legislation will lead to amendments in existing regulations such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR), which will be clarified over the coming year. These updates aim to offer retailers and organisations clearer guidance on how they can legally use customer and prospect data for direct marketing activities, reducing previous uncertainties that hampered data-driven campaigns.

Industry analysts from Sagacity estimate that UK retailers could see their revenues increase by at least 2%, translating to approximately £10 billion annually. This projection is based on the potential for increased data utilisation to drive sales. However, they cautioned that businesses must adapt their data management practices — such as maintaining clear audit trails and obtaining proper permissions — to fully capitalise on these opportunities and avoid hefty penalties. Under the new law, penalties for breaches of PECR are expected to align with those of the UK GDPR, reaching up to £17.5 million or 4% of global annual turnover.

The act also emphasises stricter respect for customer preferences, making the creation of clear permission records and honouring opt-out requests more critical than ever. Maintaining accurate, comprehensive data trails will be essential for compliance and for leveraging new data-driven marketing opportunities. Additionally, the DUAA introduces a ‘recognised legitimate interests’ basis for processing personal data, which simplifies compliance by removing the need to balance individual rights against business benefits in certain cases.