DMCC and Data Act for membership organisations

What do the DMCC Act 2024 and Data (Use and Access) Act 2025 mean for UK membership organisations?

(Based on the Digital Markets, Competition and Consumers (DMCC) Act 2024, Data (Use and Access) Act 2025, and New Accessibility Law)

New UK legislation, including the DMCC Act 2024 (effective April 2025/Spring 2026) and the Data (Use & Access) Act 2025 (DUAA), significantly tightens consumer rights and changes data handling rules for UK membership associations, including third sector and charity membership bodies. This requires timely action on CRM, communications workflows and website design.

If you would like any help with any of the changes below, speak to the Circle Interactive team.

Subscription and pricing compliance (DMCC Act 2024)

The DMCC Act received royal assent on 24 May 2024. While unfair commercial practice provisions (including drip pricing prohibitions) came into force on 6 April 2025, the specific subscription contract regime, covering cooling-off periods, renewal reminders, and cancellation requirements, has been delayed.

The Department for Business and Trade confirmed in November 2025 that these rules will not take effect before Autumn 2026 at the earliest, pending secondary legislation. 

Organisations should use the lead time to prepare their CRM and website processes now.

Renewal communications

Reminder notice: Must be sent to alert members that a renewal payment is approaching and explain how to cancel before becoming liable. For annual auto-renewing memberships, two reminder notices are required per renewal cycle: one sent at a reasonable interval before renewal, and one at the six-month mark before the following renewal. These are distinct from the cooling-off notice.

Cooling-off notice: A separate document that must be issued on the first day of the 14-day renewal cooling-off period (i.e. the day the member becomes liable for renewal). It must be given entirely separately from any other information; no promotional material may accompany it.

Cancellation process

Simplified Cancellation: Membership cancellations must be straightforward, "as easy to exit as to join". For online subscription contracts, cancellation must be straightforward and executable online. Requiring members to telephone or email to request cancellation will be non-compliant. Organisations should audit their current cancellation journeys and ensure a self-service online mechanism is in place well before Autumn 2026.

Cooling-off period

Right to Cancel: Consumers are allowed a 14-day cooling-off period to cancel or renew a membership. Refund entitlement is not always a full refund. For services not yet supplied, a full refund is due. For services already being delivered at the point of cancellation, the refund is calculated on a pro-rata basis for the unused period.

Subscription traps and pricing

Clear Pre-Contract Info & Ban on Drip Pricing: All mandatory fees must be disclosed upfront. Rules require clear information on fees, terms, and cancellation rights before contract.

The prohibition on drip pricing, where an initial headline price is shown and additional charges revealed later, came into force on 6 April 2025. This is already law and requires immediate compliance. Review all membership sign-up journeys to ensure total pricing is clearly disclosed at the first point of commitment.

Enforcement note: The CMA now has direct fining powers under the DMCC Act. Non-compliance with consumer law can result in fines of up to 10% of annual global turnover, including for charitable and third sector membership bodies.

Data protection and privacy compliance (Data (Use and Access) Act 2025)

The Data (Use & Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. It amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). The main data protection provisions came into force on 5 February 2026. The ICO has published updated guidance and is treating cookie compliance as a renewed enforcement priority.

Data protection complaints

Mandatory complaints process: Organisations must now facilitate direct data protection complaints from individuals before they can escalate to the ICO.

Provide a formal data protection complaints process (e.g., electronic form or paper), with acknowledgement within 30 days. We recommend building a dedicated online complaints form that feeds into a tracked CRM queue, while also ensuring a non-digital route (e.g. email address or postal address) is available.

Direct Marketing

Recognised legitimate interests and charity soft opt-in (in force 5 February 2026): These data handling changes update GDPR, allowing for more flexible direct marketing based on "legitimate interest". Always have an opt-out.

If you're a charity, the DUAA allows you to send electronic marketing to people whose data you collect when they express interest in your work, unless they object.

PECR still applies: For electronic direct marketing (emails, texts), the Privacy and Electronic Communications Regulations continue to govern consent requirements.

Cookies

Reduced consent requirements for low-risk cookies (in force 5 February 2026): Cookies can be used without consent in low-risk cases, if an opt-out is provided. Include a clear opt-out mechanism for analytics cookies.

The low-risk cases are:

  • First-party analytics cookies used solely for statistical purposes;
  • Functional cookies used to enhance user experience (e.g. remembering language or display preferences);
  • Cookies used for security or fraud prevention (now treated as strictly necessary).

An opt-out mechanism is still required for analytics cookies. Advertising, profiling, fingerprinting, cross-site tracking, and marketing pixels continue to require opt-in consent.

The ICO has signalled that cookie compliance will be an active enforcement focus, particularly where meaningful opt-outs are absent. Fines for cookie violations now match UK GDPR levels.

This article is provided for general information purposes only and does not constitute legal advice. Circle Interactive recommends that organisations seek independent legal counsel regarding their specific compliance obligations. Information correct as of March 2026; legislation and guidance continue to evolve.
 
