
Why UK Businesses Need to Review Their Privacy Policies Before The 19th June 2026 Deadline
The 19 June deadline should act as a wake-up call for businesses that have delayed reviewing their privacy practices. For many UK businesses, privacy policies have become an afterthought - something written once, buried in a website footer, and rarely revisited. But there are changes a-foot!
The Data (Use and Access) Act 2025 ("DUAA", "the Act") received Royal Assent on 19 June 2025. It did not entirely replace existing data protection legislation. Instead, it amends and updates the UK General Data Protection Regulation (UK GDPR),the Data Protection Act 2018 (DPA),and the Privacy and Electronic Communications Regulations (PECR). Most importantly, now that this Act became legally enforceable almost one year ago, the deadline is looming and you have only days left to act.
Why 19 June Matters
The UK’s privacy and online safety landscape is changing quickly. Regulators including the Information Commissioner’s Office (ICO) and Ofcom are taking a tougher stance on how organisations collect, process, and explain the use of personal data.
This is particularly important for businesses operating:
websites and apps
e-commerce stores
social media platforms
subscription services
online communities
platforms accessible to children or teenagers
Businesses need to be much clearer about what data they are collecting, why they are collecting it and how long they will be keeping it for. Being upfront about whether data is being collected for profiling and advertising purposes – and given the explosion of AI tools in the past year or so, whether the data is being used for AI purposes also needs laying out in plain English on your website.
If you sell alcohol or other age-restricted products, you will need to be much clearer about how your age verification processes work too.
To check how these updates impact your specific operations, you can review the official Data (Use and Access) Act 2025 Guidance provided by the government, or consult the Information Commissioner's Office for full regulatory breakdowns.
Regulators Are Increasing Enforcement
Recent enforcement action in the UK shows regulators are no longer accepting vague or outdated privacy notices. In 2026, “we take privacy seriously” is no longer enough. Businesses must be able to prove it.
The ICO has already signalled stronger expectations around age assurance, children's privacy and transparency. Companies that fail to properly explain how user data is collected or processed may face investigations, fines or reputational damage.
Even businesses that are not directly targeted by enforcement activity are feeling pressure from clients, partners, and customers to demonstrate stronger privacy practices.
What Your Privacy Policy Should Include
A modern privacy policy should be written in plain English and easy for users to understand.
At a minimum, businesses should review:
Data Collection
Explain exactly what information is collected, including:
names and contact details
payment information
IP addresses
device and browser data
cookies and tracking technologies
Legal Basis for Processing
Clearly explain why data is being processed and under what lawful basis.
Third-Party Sharing
List any external providers or platforms that receive customer data, including analytics, advertising, payment, and CRM tools.
Children’s Data
If your service may be accessed by under-18s, explain:
how age checks work
what safeguards are in place
what data is collected during age verification
AI and Automated Decision-Making
If AI tools, profiling, or automated systems are used, businesses should disclose this clearly.
User Rights
Users should understand how they can:
access their data
request deletion
withdraw consent
make complaints
Privacy is now a brand issue
Modern consumers are now more privacy-aware than ever. Having a confusing or outdated privacy policy on your website can damage trust. Businesses that communicate transparently about data use are much more likely to build long-term customer confidence and trust.
Privacy compliance is no longer just for legal departments, it’s part of customer experience, brand reputation, and digital trust.
Act now
The 19 June deadline should be a wakeup call for businesses that have delayed reviewing their privacy practices.
Updating your privacy policy is one of the simplest ways to reduce regulatory risk and demonstrate accountability to customers.
Acting now will put you in a much stronger position as UK privacy and online safety rules continue to evolve throughout 2026 and beyond.

