Email marketing doesn't exist in a vacuum. It operates within a strict and ever-evolving legal framework. The latest addition to the email compliance framework is the Data Use and Access Act 2025 (DUAA), which received Royal Assent on 19 June 2025.
While the DUAA does not replace the UK GDPR, the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulation (PECR), it does modify and update key parts of each – particularly in ways that matter to email marketing experts and data controllers. That was a lot of acronyms, right?
What Is The DUAA 2025?
The DUAA is designed to streamline how UK businesses handle personal data, with the government stating that the changes aim to support both innovation and data protection. For those managing email marketing lists, this means new rules to comply with, and potentially new opportunities under defined lawful bases.
To remain compliant, it's essential to understand the DUAA's specific implications for email marketing.
Key Changes Relevant to Email Marketing
Here is a summary of all the most relevant DUAA provisions that impact email marketing operations.
1. Clarified Rules for Using Personal Data in Research
Marketers using data insights to inform campaign strategies may benefit from clear guidance on lawful research use, especially when testing email performance or analysing user engagement.
2. Eased Restrictions on Automated Decision-Making
DUAA lifts some restrictions on automated profiling and decision-making. For email marketing platforms using automation to segment audiences or personalise campaigns, this could simplify compliance – provided safeguards are in place.
3. Updated Cookie Consent Requirements
The Data Use and Access Act 2025 proposes more flexibility in cookie usage, which may affect tracking technologies and behavioural targeting in email campaigns. However, the full scope of this provision depends on further ICO guidance.
4. Direct Marketing Exemptions for Charities
Charities may now send certain electronic marketing communications (old talk for emails) without prior consent, provided conditions are met. This is a significant change for non-profits relying on email for fundraising and awareness campaigns.
5. Mandatory Data Protection Complaints Procedures
All organisations must now implement a clear data protection complaints process. For email marketers, this includes outlining how recipients can raise concerns about the use of their data and ensuring fast resolution.
6. New Lawful Basis: Recognised Legitimate Interest
DUAA introduces a new lawful basis for processing – "recognised legitimate interest". Read it a few times and your head may stop spinning. We did – and it did. This may offer a more flexible path for sending emails without consent, though it's essential to evaluate this basis against existing subscriber expectations and rights.
What This Means for Email Marketing Compliance
The DUAA reinforces the importance of robust data governance in email marketing.
- Review consent mechanisms and privacy notices.
- Audit your email database to ensure lawful data collection and usage.
- Update your documentation, including your Data Protection Impact Assessments (DPIAs).
- Train your team on DUAA-related changes and how they impact email campaigns.
- Establish or revise complaints procedures to meet the Act’s requirements.
With potential fines of up to £17.5 million or 4% of global turnover, ignoring this legislation is not an option. Additionally, the ICO now has expanded powers to compel testimony and request technical documentation from organisations under investigation.
Timeline for Implementation
Most DUAA provisions will come into force between two and six months after Royal Assent (June 2025), meaning organisations have limited time to adjust.
Action Steps for Email Marketers
To stay ahead, email marketing experts should –
- Bookmark the ICO's official DUAA summary page for updates.
- Subscribe to the ICO newsletter to receive alerts on enforcement guidance and changes.
- Compare DUAA requirements to existing UK GDPR compliance – similar does not mean identical.
- Document your decisions around legitimate interest assessments, cookie policies, and automation logic.
The DUAA is not just another layer of bureaucracy. For email marketers, it's a reshaping of the data compliance landscape. Understanding how the Act interacts with email list management, campaign planning, and consent practices is essential to staying compliant and competitive.
Stay informed, stay compliant – and stay ahead!