New data protection laws
With the Data (Use and Access) Act 2025 (DUAA) receiving Royal Assent, some aspects of data protection law have changed. These include how personal information is used for research purposes, rules on how to set cookies without consent, and requirements for organisations to have a data protection complaint procedure, among others.
In addition, the DUAA grants new powers to the Information Commissioner's Office (ICO), which can now compel witnesses to attend interviews, ask for technical reports and issue fines of up to £17.5m or 4% of global turnover.
Consumer IoT products and services consultation
The ICO released a consultation on draft guidance on consumer Internet of Things products and services, alongside a draft impact assessment. The consultation gathered views on the proposed regulatory approach between June and September and will inform the ICO's final guidance.
EU-UK data adequacy renewal – proceed with caution
The European Commission's Draft Renewal of EU adequacy decision for the UK under the GDPR, published 22 July 2025, has reaffirmed that organisations based in the EU have a valid mechanism for transferring EU personal data to the UK. It is a welcome development for UK businesses that operate in the EU and for all organisations relying on cross-border data flows.
Data subject claims – No threshold of seriousness
The Court of Appeal decision in Farley (formerly CR) v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 has provided some support for claimants looking to claim for distress following a data breach. Previous cases had indicated that a "threshold of seriousness" needed to be reached in order for a claim to be successful. The decision in Farley rejects this, indicating that a "well-founded" fear of future harm will be sufficient to allow recovery.
