insights | 13.05.2026

Changes to GDPR in 2026: What you need to know

Article topics
  1. Financial penalties have increased
  2. Cookie consent has been relaxed
  3. ‘Recognised legitimate interests’ have been introduced
  4. Businesses can say no to excessive data subject access requests
  5. Businesses can use AI to make decisions about customers
  6. Business must have a mandatory complaints procedure in place

If you run an eCommerce store and have customers in the UK, it’s essential to understand the basics of the General Data Protection Regulation, or GDPR.

Under GDPR, businesses must process customers’ personal data securely, transparently, and make it easy for them to opt out of marketing messages.

However, did you know that this year, there have been some changes to the way GDPR works?

The Data (Use and Access) Act, or DUAA, came into effect in February 2026, and affects not just GDPR, but the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR).

The new act brings in some new changes that may affect how you handle customer data and respond to complaints.

Join us as we run through the key changes, how they may affect your business, and what you need to do to make sure you stay compliant.

1. Financial penalties have increased

The DUAA has given the Information Commissioner’s Office (ICO), the regulatory body that enforces the UK’s data protection laws, more powers.

Under DUAA, the ICO can require witnesses to attend an interview and request technical reports if it believes there has been a data protection breach.

It also means the ICO can issue bigger fines under PECR. PECR breaches occur when a business sends marketing messages without consent or uses non-essential cookies on its website without consent.

Under PECR, the ICO can issue fines of up to £17.5 million or 4% of global annual turnover. Previously the largest fine the ICO could issue under PECR was £500,000, but this has been increased to bring it in line with GDPR fines.

What this means for your business

This makes it more important than ever to make sure your marketing is watertight.

Make sure you obtain consent for when customers opt-in to email marketing and SMS messages, make it as easy as possible to unsubscribe, and ensure you’re only tracking essential cookies on your website.

2. Cookie consent has been relaxed

Up until now, businesses needed to collect consent for non-essential cookies through pop-ups on their websites. DUAA has relaxed the rules slightly, meaning you may no longer need to ask customers to opt-in to confirm consent for the following purposes:

  • To collect statistical cookies. These cookies collect information about how site visitors use your website, so you can improve the user experience. This data can’t be used for any other purpose, like retargeting ads
  • To remember preferences regarding the display of your site. These cookies remember a site visitor’s preferences, like a specific language, font size, or dark mode setting

It’s still important to tell your customers about these cookies and provide an ‘opt-out’ mechanism if they don’t want you to process their data.

What this means for your business

Take the time to review the cookies you collect through your website and determine whether you still need to ask consent for them.

If you’re not 100% sure, we recommend erring on the side of caution and still asking for consent – it’s better to ask and not need to, than to not ask and run the risk of breaking the rules!

3. ‘Recognised legitimate interests’ have been introduced

Under GDPR, businesses must have a lawful basis to handle personal information. For example, a customer has bought a product and has entered into a contract with a business, and the business needs this personal information to fulfil this contract.

One of these bases is ‘legitimate interest’. This is when businesses can use personal data without consent as long as it doesn’t override individual privacy rights. For example, sending an email to a customer about a product they previously bought.

To use legitimate interest, businesses must carry out a balancing test, which considers the individual’s interests. This provides evidence that legitimate interest is valid in case the ICO receives a complaint.

DUAA has introduced ‘recognised legitimate interests’. These no longer require a balancing test to be carried out, although businesses still need to confirm that there is a legitimate interest and that processing is necessary.

eCommerce businesses can use recognised legitimate interests if they need to use data to:

  • Investigate or prevent crime
  • Protect vulnerable people from harm
  • Enable a public body to do its job

What this means for your business

If you run an eCommerce store, the ability to use recognised legitimate interests to prevent issues like fraud could be useful and save valuable time.

However in most cases, a full legitimate interests assessment is still a must.

4. Businesses can say no to excessive data subject access requests

Under GDPR, people can obtain a copy of their personal data from businesses and public bodies. This is known as a subject access request, or SAR.

As an eCommerce business, people can ask you if you hold or store their personal information, and request that you send it over. This may mean you need to send over information like transaction history, communication logs, and account details.

DUAA makes it clear that businesses only have to make “reasonable and proportionate” searches. If a request will take too long to carry out, or you believe it is vexatious, you can charge for your time or refuse to act on it.

The new guidelines also introduce a “stop the clock” rule, which allows businesses to pause the month-long response time if they need more information from the person making the request.

What this means for your business

You still have to carry out SARs if someone asks for the information you have on them. But if a request will be too resource-intensive, you have the right to say no.

We recommend having a robust procedure in place for SARs, so you know what data to search for and what constitutes an unreasonable request.

5. Businesses can use AI to make decisions about customers

We’re now all using AI more and more to handle basic tasks and make decisions. If you run an eCommerce store, you may use AI to determine if customers are eligible for a trade account or to identify fraudulent transactions.

In the past, GDPR said that people should “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning (them).”

DUAA takes a more moderate approach. It advises that businesses can use AI and automated systems to make decisions about customers in the majority of cases.

However, businesses must have safeguards in place, including explaining how their systems work and giving customers the ability to contest decisions.

What this means for your business

If you use AI tools and systems to make decisions, it’s important to audit them thoroughly.

As well as providing details about how the systems work and offering customers a way to appeal the decisions the systems make, it’s vital to ensure there’s an option for customers to request human intervention if they want it.

6. Business must have a mandatory complaints procedure in place

From 19 June 2026, all businesses must have a complaints procedure in place for handling data protection issues.

This means you must:

  • Provide an easy way for people to make complaints
  • Acknowledge receipt of complaints within 30 days
  • Take action to resolve any issues
  • Tell people the outcome of their complaint

What this means for your business

It may be that you already have a complaints procedure in place for your eCommerce store, and it’s just a case of adapting this to make sure data protection is a part of this procedure.

The ICO has a thorough guide to setting up a procedure, including what to do if you receive a complaint.

Xigen: The eCommerce agency that keeps you up to date

It’s always frustrating to read that the laws surrounding how your business works have changed. However, in our opinion, DUAA makes things much more simple, and brings UK businesses in line with how data is handled in the EU.

It’s important to note that GDPR, the Data Protection Act, and PECR are still in play – it’s just that DUAA has brought them up to date. So don’t forget to protect your customers’ personal data and ask them for consent. Want to stay up to date with what’s happening in the world of eCommerce marketing? Check out our blog for all the latest insights and news, updated weekly.

Note: This article does not constitute legal advice. If you have any additional questions about DUAA or GDPR, we recommend getting in touch with a solicitor who specialises in data protection.

Tags:
go back Back