天美影院

A summary of the most significant changes made to the Privacy and Electronic Communications Regulations 2003 (PEC Regulations) under the Data (Use and Access) Act 2025 (鈥�DUAA鈥�, 鈥渢he Act鈥�).聽

For content on modernisation of the ICO鈥檚 enforcement powers, please see Data (Use and Access) Act factsheet: ICO

The Act will come into force in stages. Details of the regulations and exact dates that each measure will come into force will be available on 天美影院.

This information is only for reference and not regulatory guidance or legal advice. The Information Commissioner鈥檚 Office (鈥�ICO鈥�) is responsible for publishing regulatory guidance on its website - .

Provision(s) in the DUAA
Section 110(2)(a) and (b), and 110(3)

Title
Interpretation of the PEC Regulations 鈥� interpretation of 鈥渃all鈥� and 鈥渃ommunication鈥�.

Description of measure
The DUAA makes it clear the definition of 鈥渃all鈥� and 鈥渃ommunication鈥�, includes all calls made and all communications transmitted, irrespective of whether they reach their intended recipient.

This is relevant for the PEC Regulations direct marketing rules. It means that an infringement of these rules can occur even if the call or communication did not reach the intended recipient.

How is this different from previous legislation?
The current definition only referred to communications that were 鈥渆xchanged or conveyed鈥�, which implied they needed to reach their intended recipient. These provisions will mean that anyone sending or generating nuisance direct marketing communications (including calls), which could cause harm or disturbance to individuals, can be fined, even if the communications do not connect.

Which provision(s) in the PEC Regulations are changing?
Sections 110(2)(a) and (b), and 110(3) 聽of the DUAA amend regulation 2.

---

Provision(s) in the DUAA
Section 111

Title
Duty to notify the Commissioner of personal data breach: time periods

Description of measure
The DUAA updates the PEC Regulations and Regulation 611/2013 to require providers of public telecommunication services to report personal data breaches to the ICO without undue delay, and where feasible, no later than 72 hours of becoming aware of the breach.

How is this different from previous legislation?
The current legislation requires all data breaches to be reported with 24 hours. The change brings personal data breach reporting requirements under the PEC Regulations and Regulation 611/2013 into line with timelines for reporting personal data breaches under Article 34 of the UK GDPR.

Which provision(s) in the PEC Regulations are changing?
Section 111 of the DUAA amends regulations 5A and 5C. It also amends Article 2 of Regulation 611/2013.

---

Provision(s) in the DUAA
Section 112; Schedule 12

Title
Storing information in the terminal equipment of a user

Description of measure
The DUAA updates regulation 6, which governs the storage and access of information on a user鈥檚 terminal equipment (e.g. computers, mobile phones) using technologies such as cookies.

The revised regulation 6 maintains the prohibition on storing or accessing information on a user鈥檚 device, unless one of the exceptions in new schedule A1 to the PEC Regulations applies.

Existing exceptions (e.g. where a user has the given their consent; or the storage or access is strictly necessary to deliver a requested service) are retained, with new ones added.

How is this different from previous legislation?
New exceptions include using cookies or similar technologies to collect statistical information about how an organisation鈥檚 online services are used with the aim of improving the service.

Additionally, the DUAA grants the Secretary of State the power to amend or introduce new exceptions through secondary regulations following consultation with the ICO and other interest groups.

Which provision(s) in the PEC Regulations are changing?
Section 112 of the DUAA amends regulation 6 and inserts regulation 6A.

Schedule 12 inserts new schedule A1.

---

Provision(s) in the DUAA
Section 114

Title
Use of electronic mail for direct marketing by charities

Description of measure
Provisions in the DUAA allow UK charities to send marketing emails and texts to people who have shown interest in their work without needing explicit consent. This is known as the 鈥渟oft opt-in鈥� rule.

It鈥檚 similar to rules that let organisations send marketing messages to customers who have purchased something from them, providing the messages relate to similar goods and services.

People can opt out of receiving these messages when their details are first collected or at any time later.

How is this different from previous legislation?
Charities can already rely on the current legislation to send electronic marketing to people who have bought something from them about similar products or services. However, they will now also be able to send marketing material for fundraising or to promote their charitable work to people who have previously expressed an interest in their charitable purposes.

Which provision(s) in the PEC Regulations are changing?
Section 114 of the DUAA inserts new paragraphs (3A) and (5) into regulation 22.

---

Provision(s) in the DUAA
Section 116

Title
Codes of conduct

Description of measure
The DUAA permits sectoral oversight bodies (such as trade associations) to produce codes of conduct for their members on compliance with the PEC Regulations and submit them for approval to the ICO.

Codes of conduct can be used to address key compliance challenges in a sector. They are written by an organisation or association representing a sector in a way that the sector understands.

Adherence to a code by a member organisation may be used as a means of demonstrating compliance with the PEC Regulations.

How is this different from previous legislation?
Sectoral oversight bodies can already produce codes of conduct to help their members comply with the UK GDPR, but these provisions introduce similar provisions for the PEC Regulations.

Some organisations undertake processing activities that fall within the scope of the PEC Regulations and the UK GDPR. They will benefit from being able to prepare a code of conduct that addresses challenges across both pieces of legislation.

Which provision(s) in the PEC Regulations are changing?
Section 116 of the DUAA inserts new regulations 32A, 32B and 32C.