The United Kingdom's Data (Use and Access) Act 2025 (DUAA) reaches another implementation milestone on 19 June 2026, when organisations acting as data controllers must have a formal procedure for handling data-protection complaints. The requirement is one of the last major data-protection provisions of the Act to commence, after most remaining provisions came into force on 5 February 2026. It lands alongside a change that has had less attention but carries far higher penalties: the same Act has already raised the maximum fine for cookie and electronic-marketing breaches under PECR from £500,000 to UK GDPR levels — up to £17.5 million or 4% of global annual turnover.
The new duty: a complaints process every organisation must run
The DUAA received Royal Assent on 19 June 2025 and has commenced in phases. According to the Information Commissioner's Office, most of the Act's remaining data-protection provisions came into force on 5 February 2026, with the complaints-procedure requirement held back to 19 June 2026 and some ICO governance provisions to follow later. From that date, an organisation acting as a data controller must give people a clear, accessible way to complain about how it handles their personal data.
In practice, based on the Act's requirements as summarised by the ICO and by legal analyses of the text, that means providing an accessible submission route such as an electronic complaints form, acknowledging a complaint within 30 days, handling it and communicating the outcome in plain language, and telling the person they can escalate to the ICO if they remain dissatisfied. A connected change shifts the order of escalation: individuals will generally be expected to raise the matter with the controller first before escalating to the ICO. For most organisations this is an operational task rather than a complex legal exercise — a written complaints-handling policy, a named owner, defined timelines, and staff who know what to do when a complaint arrives — but it is a task with a hard deadline.
The bigger financial change: PECR fines align with UK GDPR
The provision that changes risk calculations most is not the complaints duty but the realignment of penalties under the Privacy and Electronic Communications Regulations (PECR), which govern cookies, electronic marketing, nuisance calls and spam messages. Historically the maximum PECR fine was £500,000. The DUAA lifts that ceiling to UK GDPR levels — up to £17.5 million or 4% of global turnover — a roughly thirty-five-fold increase that came into force with the main provisions on 5 February 2026, not in June. For organisations that had quietly treated PECR exposure as a manageable cost of doing business, that calculation no longer holds. The ICO has said it applies the law as it stood when an infringement took place, rather than when a complaint is received or the issue is identified, so timing matters for older PECR issues.
The ICO has also gained new investigatory powers under the Act, including the ability to compel witnesses to attend interviews and to require technical reports. Legal analyses note that the higher PECR ceiling lands at a time when the ICO has been scrutinising cookie-consent practices — particularly reject options for non-essential cookies, and reliance on vague "statistical purposes" to justify tracking. The practical message is that cookie banners and marketing-consent flows that were tolerable under the old cap now sit inside a far higher-stakes regime.
What the Act is, and is not
It is worth being precise about the DUAA's character, because it is easy to overstate in either direction. It amends, rather than replaces, the UK GDPR, the Data Protection Act 2018 and PECR; the core framework of UK data protection remains intact. The government has framed the reforms as pro-growth — easing consent requirements for some limited, lower-risk uses of cookies and similar technologies, and easing some processing for research and public-interest tasks — while preserving baseline protections. So this is not a deregulation that lowers the floor, nor a wholesale new regime; it is a targeted set of amendments that simultaneously loosens a few obligations and sharply raises the stakes on others.
The structural caveat sits outside the Act's text. The United Kingdom's data-protection regime is the basis for the European Union's adequacy decision, which allows personal data to flow freely between the EU and the UK. Where the UK diverges from EU standards, it raises a live question — closely watched by businesses on both sides — about whether the EU will continue to regard UK protection as essentially equivalent. If that finding were ever withdrawn, the consequences for cross-border data flows would be significant. The DUAA does not resolve that question; the Act's own divergences are part of what keeps it open.
What it means beyond the UK
For organisations in Southeast Asia and elsewhere outside the UK, the relevant point is reach, not geography. A non-UK company that offers goods or services to people in the UK, or monitors their behaviour, may be within scope of UK data-protection rules and should check whether the new complaints and PECR changes apply to it. Two concrete checks follow: can the business acknowledge and route a data-protection complaint within the required timeframe, and do its cookie and electronic-marketing practices still make sense now that the PECR penalty ceiling has moved to UK GDPR levels? For firms that route regional data through the UK as a bridge to the EU, the adequacy question is the one to keep watching.
Key Takeaways
From 19 June 2026, every UK data controller must operate a formal data-protection complaints procedure — accessible submission, acknowledgement within 30 days, plain-language outcomes, and a clear route to escalate to the ICO. It is one of the last major data-protection provisions of the Data (Use and Access) Act 2025 to commence.
Individuals are expected to complain to the organisation first before escalating to the ICO.
Separately — and already in force since 5 February 2026 — the Act raised the maximum PECR fine for cookie and electronic-marketing breaches from £500,000 to UK GDPR levels: up to £17.5 million or 4% of global turnover (roughly a 35-fold increase).
The ICO gained new powers (compelling witnesses, requiring technical reports) and has flagged cookie consent — especially meaningful reject options — as a renewed enforcement priority.
The DUAA amends rather than replaces UK GDPR/DPA 2018/PECR. UK obligations can reach firms outside the UK that serve UK customers, and the UK–EU adequacy question remains the structural caveat for cross-border data flows.