Signal / Other / 29 April 2026

DUAA stage three lands: legitimate interest is now a recognised lawful basis for direct marketing

Stage three of the Data (Use and Access) Act 2025 commenced through late 2025 and early 2026, formally establishing direct marketing as a 'recognised legitimate interest' under UK GDPR. The change reduces the documentation burden for B2B prospect lists; it does not amend PECR.

What changed: UK GDPR now lists direct marketing as a recognised legitimate interest, meaning a Legitimate Interests Assessment is still required when a programme is launched but does not need re-running per send or per campaign of the same type.

What did not change: PECR (the rules that govern phone, email, SMS, and automated calls in the UK) is unchanged. TPS screening is still required. CTPS screening is still required where applicable. Email to a sole trader still requires consent. Automated calls still require prior, specific, named consent.

For sales operations teams the practical effect is paperwork relief on the UK GDPR side, not a relaxation of the rules that produce the largest fines. The two are distinct regulatory regimes and PECR continues to be the dominant enforcement vector.

The ICO's full updated direct-marketing guidance is expected in spring 2026; until then the existing ICO PECR pages remain the authoritative reference.

Source: Data (Use and Access) Act 2025: https://www.legislation.gov.uk/ukpga/2025/18; ICO summary: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/