New UK data-complaints duty: what Shopify stores must do

From 19 June 2026 the Data (Use and Access) Act 2025 gives shoppers a statutory right to complain about how a business handles their data, directly to that business. If you run a UK Shopify store you are a data controller, so you must accept those complaints, acknowledge them within 30 days and respond without undue delay. Separately, on 5 February 2026 the maximum cookie-rules fine rose from £500,000 to £17.5m.
What is the Data (Use and Access) Act complaints duty?
It is a new legal obligation, live from 19 June 2026, requiring every data controller to receive, acknowledge and respond to data protection complaints from individuals. It commences with section 103 and Schedule 10 of the Act under The Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026. A complaint is any allegation that you have failed to comply with UK GDPR. A UK Shopify store handling customer names, addresses and order history is squarely in scope.
What exactly must a Shopify store do from 19 June?
You must offer an accessible way to complain, acknowledge it within 30 days, and investigate without undue delay. The Information Commissioner's Office (ICO) leaves the method to you, so an existing contact form can carry the duty. The table sets out each obligation and a practical action, per ICO guidance and analysis by Squire Patton Boggs.
| Obligation (from 19 Jun 2026) | What it means | Practical action for your store |
|---|---|---|
| Facilitate complaints | Offer at least one accessible route, for example an online form | Add a clear "data protection complaint" route to your contact page |
| Acknowledge within 30 days | Confirm receipt inside 30 days of the complaint | An automated acknowledgement email is sufficient for electronic complaints |
| Respond without undue delay | Investigate proportionately and report the outcome | Log each complaint with a date and owner; keep the complainant updated |
| Signpost the ICO | Tell people they can still complain to the ICO | State the right to escalate in your privacy notice and replies |
The acknowledgement clock starts when the complaint arrives, on or after 19 June 2026. The response itself has no fixed deadline like a subject access request; the ICO asks for action "without an unjustifiable or excessive delay", judged on the complaint's circumstances. The ICO now asks individuals to raise issues with the organisation first, and a complaint usually cannot reach the regulator until your internal process has been used, unless there are exceptional grounds, under its complaints framework. A prompt, documented reply is the most reliable way to settle a grievance before it escalates.
What changed with cookie rules and the £17.5m fine?
On 5 February 2026 the maximum fine under the Privacy and Electronic Communications Regulations (PECR) rose from £500,000 to £17.5m, or 4% of global annual turnover, matching UK GDPR levels. The Act also added narrow exceptions where you no longer need consent, confirmed by Stevens & Bolton:
- Cookies used solely for statistical or analytics purposes, where the data is used only by you as the site operator.
- Cookies that customise appearance or functionality, such as accessibility or display preferences.
- Cookies that enable emergency assistance, such as location data for emergency services.
These exceptions are tight. Advertising tags that share data with third parties, such as the Meta pixel or Google Ads remarketing, are "still caught by the general PECR prohibition and will still require user consent". For most Shopify stores the practical change is small: your banner must still gate marketing cookies, and the cost of getting it wrong is now far higher. This is also part of being agent-ready: the data discipline behind the shift to agentic commerce for a UK Shopify store and the Shopify Spring '26 UCP and Catalog opening.
Frequently asked questions
Is my Shopify store a data controller under the Act?
Yes. If you decide what customer data you collect and why, for example names, delivery addresses and order history, you are a data controller under UK GDPR. The complaints duty applies to controllers from 19 June 2026, so a UK Shopify store keeping customer records is in scope regardless of size.
How quickly must I respond to a data complaint?
You must acknowledge it within 30 days of receipt. The full response has no fixed deadline; the ICO requires action "without an unjustifiable or excessive delay", proportionate to the complaint. Keep the person informed and give them the outcome as soon as your enquiry allows.
Do I still need a cookie consent banner after the changes?
Yes, for any non-essential cookie not covered by the new exceptions. Analytics used only by you, appearance preferences and emergency-assistance cookies no longer need consent. Advertising and tracking cookies that share data with third parties still require consent, so most Shopify stores keep their banner.
What is the maximum fine for getting cookies wrong now?
Since 5 February 2026 the PECR maximum penalty is £17.5m, or 4% of global annual turnover, whichever is higher. That replaces the previous £500,000 cap and aligns cookie enforcement with UK GDPR, which is reason enough to confirm your banner correctly gates marketing cookies.
Sources
- The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026
- How to deal with data protection complaints
- UK ICO explains the Data (Use and Access) Act's new data protection complaints requirements
- The Data (Use and Access) Act 2025 and the new right for individuals to complain to controllers
- The Data (Use and Access) Act 2025: cookies, what is changing and what you need to know
- Make a complaint: our data protection complaints framework