That approach is becoming increasingly risky.
As 19 June 2026 approaches, businesses face what could be described as a “double peril date” in the compliance calendar. Not only are organisations expected to ensure they have adapted to changes introduced by the Data (Use and Access) Act 2025, but many businesses selling goods or services into European markets are also facing increased scrutiny around online cancellation rights and customer opt-out mechanisms.
For website owners, ecommerce retailers and subscription-based businesses, now is the time to review privacy policies, customer journeys and compliance procedures before regulators come knocking.
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and introduced significant amendments to existing UK data protection legislation, including the UK GDPR, the Data Protection Act 2018 and PECR regulations.
While the Act does not replace existing privacy laws, it updates and modernises them to reflect the realities of today’s digital economy.
Businesses that collect personal data online are expected to provide greater transparency about:
The days of vague privacy statements and generic compliance wording are rapidly disappearing.
At the same time, businesses selling into European markets should be paying close attention to evolving consumer protection requirements.
Regulators across Europe have increasingly focused on making it easier for consumers to cancel subscriptions, withdraw from ongoing contracts and exercise their rights online. Businesses operating ecommerce stores, membership sites, SaaS platforms and subscription services may need to review whether their cancellation processes are as easy to use as their sign-up processes.
For some organisations, this may involve introducing clear online cancellation mechanisms or reviewing customer account areas to ensure consumers can exercise their rights without unnecessary barriers.
Businesses that have spent years optimising conversion rates may now find regulators paying equal attention to how easily customers can leave.
Both UK and European regulators have signalled a tougher enforcement approach towards organisations that fail to provide adequate transparency.
Particular areas of focus include:
Regulators increasingly expect businesses not only to comply with the rules but to demonstrate that compliance through clear documentation and user-friendly policies.
A modern privacy policy should be written in plain English and explain exactly how personal information is handled.
Key areas to review include:
Clearly identify the information your organisation collects, including:
Explain the legal basis relied upon when collecting and processing personal data.
Identify external services that receive customer information, such as:
If under-18s can access your services, explain:
If AI tools are used to process, analyse or profile customer data, explain this clearly and transparently.
Customers should be able to easily understand how they can:
Under EU Directive 2023/2673, any business selling goods, services, or digital content online to consumers in the EU must feature an easily accessible “withdrawal” (or cancellation) function on their website. Any business selling goods, services, digital content, or financial services to consumers located in the EU. This includes non-EU companies (such as UK e-commerce brands) that actively market to European buyers.
The official date deadline for the mandatory EU withdrawal button is June 19, 2026.
Privacy and consumer rights are no longer simply a legal obligation.
Customers increasingly want to know what happens to their personal information and how organisations use it. An outdated privacy policy can undermine trust just as quickly as poor customer service. Customers are also demanding easier ways of opting out of a sales process, so whilst these changes are legislative, it makes sense to respond to your customers as better practice.
Businesses that communicate openly about data practices are often better positioned to build long-term customer confidence and strengthen their brand reputation.
Whether you operate an ecommerce store, a subscription platform, a membership website or a business website that collects customer information, now is the time to review your privacy policy, consent mechanisms, cancellation processes and customer communications.
If you’d like to talk to us about this news piece, or you need help with tracking, analytics, website management, Meta Ads or any other aspect of digital marketing, then email us on info@destination-digital.co.uk or give us a call on 01629 810199 for a chat.
If you’d like help with digital marketing, ads management, SEO, copywriting, websites, branding or social media management… or anything else related to the internet and digital, then get in touch with us. We’re a friendly bunch.
You can email us on info@destination-digital.co.uk or give us a call on 01629 810199 or you can use the contact form at the bottom of this page.