UK website privacy notice requirements after DUAA (2026)

Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026

Every commercial website that processes personal data needs a privacy notice. The UK GDPR (the retained EU GDPR, read alongside the Data Protection Act 2018) sets out what it must contain. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 and is being commenced in stages by regulations, with provisions in force from 5 February 2026, introduces changes that affect privacy notices. The ICO (to be replaced by the Information Commission under the DUAA) oversees compliance.

The 14 mandatory elements under Articles 13 and 14 UK GDPR

The UK GDPR mirrors the EU GDPR's transparency requirements. Articles 13 and 14 set out the information a controller must give individuals; grouped as below, that comes to 14 elements.

1. Identity and contact details of the controller (Art. 13(1)(a)). Your business name, registered address and contact details. For a limited company, include your Companies House number and registered office address.

2. Contact details of the data protection officer (Art. 13(1)(b)). Only if you have appointed a DPO. Most UK SMEs are not required to do so.

3. The purposes of processing (Art. 13(1)(c)). Be specific about each processing activity. Generic descriptions do not meet the transparency standard.

4. The lawful basis for each processing activity (Art. 13(1)(c)). Link each activity to one of the Article 6 bases: consent, contract, legal obligation, vital interests, public task, legitimate interests or, since the DUAA, a recognised legitimate interest.

5. The specific legitimate interest (Art. 13(1)(d)). Following the CJEU's Mousse ruling (Case C-394/23, persuasive but not binding in UK courts post-Brexit), name the specific interest pursued rather than citing "legitimate interests" in the abstract. The DUAA also adds a separate lawful basis, recognised legitimate interests (new Art. 6(1)(ea) and Annex 1 UK GDPR), for which no balancing test against the individual's interests is required. The Annex 1 list covers public-interest processing such as disclosures to public bodies, national security, public security and defence, emergencies, crime prevention and safeguarding vulnerable individuals. Direct marketing, intra-group transfers for internal administrative purposes and network and information security are not in Annex 1: the DUAA writes them into Article 6 as examples of processing that may be necessary for ordinary legitimate interests, so they still need the balancing test. Whichever you rely on, state which one.

6. Recipients or categories of recipients (Art. 13(1)(e)). Hosting provider, payment processor, analytics service, email platform, accounting software.

7. Transfers to a third country (Art. 13(1)(f)). The UK maintains its own adequacy regulations. If you transfer data to a country without UK adequacy, state the safeguard: the ICO's International Data Transfer Agreement (IDTA), the UK Addendum to the EU standard contractual clauses, binding corporate rules or another Article 46 mechanism.

8. Retention periods per data category (Art. 13(2)(a)). Give concrete periods per category rather than "as long as necessary". Illustrative examples: invoice data, 6 years (the limitation period for contract claims under the Limitation Act 1980 and HMRC record-keeping rules); contact form messages, 12 months; analytics data, 26 months; newsletter subscribers, until unsubscription plus 30 days.

9. The rights of data subjects (Art. 13(2)(b)). Access, rectification, erasure, restriction, portability and objection. State how to exercise them and the one-month response deadline (extendable for complex or numerous requests).

10. The right to withdraw consent (Art. 13(2)(c)). Link to your cookie settings and newsletter unsubscribe option.

11. The right to lodge a complaint with the supervisory authority (Art. 13(2)(d)). Refer to the ICO: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or online at ico.org.uk.

12. Whether providing data is obligatory (Art. 13(2)(e)). Clarify which data fields are optional and which are required for your service.

13. Automated decision-making including profiling (Art. 13(2)(f)). The DUAA replaces Article 22 UK GDPR with new Articles 22A to 22D. These require safeguards for "significant decisions" taken solely by automated processing, including giving the individual information about the decision, the ability to make representations, and the right to human intervention and to contest the decision. If you use automated decisions, update this section.

14. The source of personal data if not collected from the data subject (Art. 14(2)(f)). Only relevant if you receive data from third parties.

DUAA changes affecting privacy notices

The Data (Use and Access) Act 2025 introduces several provisions that directly affect privacy notices from 2026 onwards.

Complaint-to-controller mechanism (from 19 June 2026). The DUAA inserts a right for individuals to complain directly to the controller, and an obligation on the controller to facilitate such complaints (for example by providing a complaint form), acknowledge receipt within 30 days and respond without undue delay. The ICO may decline to act on a complaint that has not first been raised with the controller. Your privacy notice should describe this process, including how to submit a complaint and the timeframe for a response. This is a new UK-specific requirement.

Recognised legitimate interests (Art. 6(1)(ea) and Annex 1 UK GDPR). The DUAA adds a new lawful basis for a closed list of legitimate interests that do not require the traditional balancing test: disclosures to public bodies for their public-interest tasks, national security, public security and defence, emergencies, crime prevention and detection, and safeguarding vulnerable individuals. Direct marketing, intra-group transfers for internal administrative purposes and network and information security are not on that list; the DUAA adds them to Article 6 only as examples of processing that may qualify as an ordinary legitimate interest, so the balancing test still applies to them. If you rely on a recognised legitimate interest, state which one. The balancing test exemption does not remove the transparency obligation.

The ICO becomes the Information Commission. The rebranding is part of the DUAA governance reforms. Update your privacy notice to use the correct name once the transition is formally completed.

Enforcement in the UK

The ICO's enforcement for privacy notice deficiencies is generally guidance-led for SMEs. Large fines under the UK GDPR (up to GBP 17.5 million or 4% of global turnover) have been directed at major organisations. For SMEs, the ICO typically issues guidance letters and compliance recommendations.

The more significant risk for UK businesses is civil. If your privacy notice is incomplete and you rely on legitimate interest, that basis can be challenged in court proceedings. An incomplete notice weakens your position in any data-related dispute, whether brought by a customer, a competitor or an employee.

The DUAA strengthens the ICO's ability to issue reprimands and compliance notices. With the new complaint-to-controller mechanism, expect the ICO to refer complaints back to controllers first, which means having a functional complaint process in your privacy notice becomes operationally important.

How TrustYourWebsite checks for this

Our scanner detects three technical signals: the presence of a privacy notice link in the footer, its accessibility on every page and the presence of minimum required elements in the text (lawful basis, retention periods, data subject rights, complaint route).

Scanner findings are technical signals, not legal verdicts. They point to transparency gaps, not legal violations.
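The three signals described above can be approximated with a short crawler. The script below is an added illustration, not TrustYourWebsite's scanner: it walks a small site constructed inline (three HTML pages, one of which deliberately lacks a footer privacy link), reports which pages have no privacy notice link, locates the notice and checks its text against keyword heuristics for four of the required elements (lawful basis, retention periods, data subject rights, complaint route). The element patterns are assumptions chosen for this example and would need tuning against real notices; the page set, function names and output format are likewise hypothetical.

```python
"""Hypothetical privacy-notice presence/coverage scanner (added example).

Not TrustYourWebsite's scanner: a minimal stand-in that shows the kind of
signals the article lists. Sample pages and keyword patterns are
constructed for this example only.
"""
import re
from html.parser import HTMLParser

# Constructed sample site: path -> HTML. "/about" deliberately has no
# link to the privacy notice; the notice itself omits a complaint route.
SITE = {
    "/": """<html><body><h1>Shop</h1>
        <footer><a href="/privacy">Privacy notice</a></footer></body></html>""",
    "/about": """<html><body><h1>About us</h1>
        <footer><a href="/terms">Terms</a></footer></body></html>""",
    "/privacy": """<html><body><h1>Privacy notice</h1>
        <p>We process order data on the basis of contract and send marketing
        on the basis of consent.</p>
        <p>Invoice data is retained for 6 years; contact form messages for 12 months.</p>
        <p>You have the right to access, rectify and erase your data and to object.</p>
        <footer><a href="/privacy">Privacy notice</a></footer></body></html>""",
}

# Assumed keyword heuristics, one per required element (case-insensitive).
ELEMENT_PATTERNS = {
    "lawful basis": r"\b(lawful basis|legal basis|legitimate interests?|"
                    r"on the basis of (consent|contract|legal obligation))\b",
    "retention periods": r"\b(retain(ed)?|kept|stored)\b.*?\b\d+\s*(years?|months?|days?)\b",
    "data subject rights": r"\bright to (access|rectif\w+|eras\w+|object)\b",
    "complaint route": r"\bcomplain(t|ts)?\b.*?\b(ICO|Information Commission(er)?)\b",
}


class LinkCollector(HTMLParser):
    """Collects (href, link text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


class TextExtractor(HTMLParser):
    """Flattens an HTML document to whitespace-normalised visible text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def extract_text(html):
    p = TextExtractor()
    p.feed(html)
    return " ".join(" ".join(p.parts).split())


def find_privacy_link(html):
    """Return the href of the first link that looks like a privacy notice, else None."""
    p = LinkCollector()
    p.feed(html)
    for href, text in p.links:
        if re.search(r"privacy", href, re.I) or re.search(r"privacy", text, re.I):
            return href
    return None


def pages_missing_link(site):
    """Signal 2: pages from which the privacy notice is not reachable."""
    return sorted(path for path, html in site.items() if find_privacy_link(html) is None)


def check_elements(notice_html):
    """Signal 3: which required elements the notice text appears to cover."""
    text = extract_text(notice_html)
    return {name: bool(re.search(pat, text, re.I)) for name, pat in ELEMENT_PATTERNS.items()}


def scan(site):
    """Run all three checks over a path->HTML mapping and return a report dict."""
    notice_path = None
    for html in site.values():  # signal 1: is a notice linked at all?
        notice_path = find_privacy_link(html)
        if notice_path:
            break
    coverage = check_elements(site[notice_path]) if notice_path in site else {}
    return {"notice_path": notice_path,
            "pages_missing_link": pages_missing_link(site),
            "coverage": coverage}


if __name__ == "__main__":
    report = scan(SITE)
    print("notice:", report["notice_path"])
    print("pages without privacy link:", report["pages_missing_link"])
    for element, present in report["coverage"].items():
        print(f"  {'ok     ' if present else 'MISSING'} {element}")
```

On the constructed site the report flags `/about` as lacking a privacy link and the notice as missing a complaint route, which is exactly the kind of transparency gap, rather than legal verdict, the article describes. Real notices phrase these elements in many ways, so keyword heuristics produce false negatives; treat a "MISSING" line as a prompt to read the notice, not as a finding in itself.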

Checklist: the 14 mandatory elements

No | Element | UK GDPR Article | Often missing?
1 | Identity and contact details (Companies House no.) | Art. 13(1)(a) | No
2 | DPO contact details (if appointed) | Art. 13(1)(b) | No
3 | Purposes of processing | Art. 13(1)(c) | Sometimes
4 | Lawful basis per processing activity | Art. 13(1)(c) | Sometimes
5 | Specific legitimate interest (or the Annex 1 recognised LI relied on) | Art. 13(1)(d) | Yes
6 | Recipients / categories | Art. 13(1)(e) | Sometimes
7 | Transfers outside UK + safeguards | Art. 13(1)(f) | Yes
8 | Retention periods per category | Art. 13(2)(a) | Yes
9 | Data subject rights | Art. 13(2)(b) | No
10 | Right to withdraw consent | Art. 13(2)(c) | Sometimes
11 | Right to complain to ICO | Art. 13(2)(d) | No
12 | Obligatory nature of data provision | Art. 13(2)(e) | Sometimes
13 | Automated decision-making / profiling | Art. 13(2)(f) | N/A
14 | Source of data (if indirect collection) | Art. 14(2)(f) | N/A

A privacy notice is enforcement surface

The DUAA has added a new layer to UK privacy notices: the complaint-to-controller mechanism. Combined with the Mousse ruling's influence on legitimate interest disclosure, a privacy notice is no longer a static document. It is the operational interface between your business and individuals exercising their rights. Get the 14 elements right, add the new complaint process, and reference any recognised legitimate interests you rely on. The elements above take an afternoon. That afternoon protects your legal position in every customer interaction.


This article is technical analysis, not legal advice. Consult a solicitor for advice on your specific situation.
