top of page
Search

The Data (Use and Access) Bill Becomes UK Law: What That Means for GDPR and GA4.

  • Writer: Marc Alexander
    Marc Alexander
  • Jun 29
  • 2 min read

Updated: Jul 16

Data (Use and Access Act)

The Data (Use and Access) Act 2025 has just been passed in the UK, bringing with it some important changes for how businesses collect and use data — especially when it comes to websites, tracking, and analytics tools like Google Analytics 4 (GA4).



What’s in the new Law?


The new law updates how organisations can use data from products like GA4 under the UK GDPR and PECR (Privacy and Electronic Communications Regulations). While the headline changes focus on data sharing, smart data schemes, and digital identity, there are also key updates for cookie usage and data transparency, which directly impact how we run analytics.



 Impact on GDPR and GA4


1. Relaxed Cookie Rules (Slightly)


The Act introduces new exemptions for low-risk cookies, which may reduce the need for consent popups in some cases — for example:

  • Cookies used purely for analytics (non-intrusive and anonymised) may qualify for exemptions.

  • This could simplify setups for GA4, especially if tracking is configured to avoid personal data collection (e.g., IP anonymisation, no cross-site tracking).


💡 However: this doesn’t mean “no more cookie banners” — most GA4 setups will still require consent unless configured carefully.


2. Stronger ICO Powers

The UK data regulator (The IC) will have greater enforcement powers under this new law — especially around cookie compliance and electronic communications.


So:

  • If your analytics setup doesn’t comply with cookie and consent rules, expect more risk of enforcement.

  • It's a good time to audit your cookie banner and tracking scripts.


3. Legitimate Interest May Be Easier to Use


The Act clarifies “legitimate interests” as a valid reason for data processing — which could, in some cases, help justify web analytics tracking without full consent, especially for internal performance and security purposes.


But: using this legal basis still requires a proper assessment and transparency with users.



What Should You Do Now?


  • Audit your GA4 setup: Is IP anonymisation on? Are you collecting personal data?

  • Review your privacy banner: Is it clear, compliant, and linked to your updated privacy policy?

  • Reassess legal basis: Decide if you're using consent or legitimate interest — and document why.

  • Stay tuned: The IC is expected to issue updated guidance soon.



Final Thought


This new UK law signals a shift toward more practical, innovation-friendly data rules — but it doesn’t mean we can ignore privacy. Web analytics teams still need to tread carefully, configure GA4 properly, and keep consent at the centre of their data strategy.

 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page