Key Takeaways
- The Data (Use and Access) Act 2025 (DUAA) replaced UK GDPR Article 22 with new Articles 22A–22D on 5 February 2026, swapping the near-ban on solely-automated decisions for a "permitted-with-safeguards" regime (DUAA section 80, commenced by SI 2026/82).
- A store's automated fraud scoring, dynamic pricing and BNPL or credit checks can each be a "significant decision." If software decides the outcome with no meaningful human involvement, the new Article 22C safeguards apply.
- Article 22C sets four concrete duties: give the customer information about the decision, let them make representations, let them obtain human intervention, and let them contest it.
- The DUAA's new "recognised legitimate interests" basis covers crime and fraud prevention without a balancing test — but Article 22B bars using it as the basis for a solely automated significant decision, which catches automated fraud blocks.
- EU GDPR Article 22 has not changed — it remains a prohibition with three narrow exceptions — so a store selling into both markets now runs two automated-decision rulebooks. The CJEU's SCHUFA ruling (7 December 2023) confirmed that a score itself can be the "decision."
Introduction
Your checkout declines an order in under a second. A fraud-scoring model weighed the card, the delivery address and the basket, ruled the transaction high-risk, and the customer — who is not a fraudster — gets a curt "payment could not be processed." No human touched that decision. Until recently, UK law treated that kind of solely-automated call as something you could almost never make.
Since 5 February 2026, the rules are different. The Data (Use and Access) Act 2025 rewrote Article 22 of the UK GDPR, the provision that governs automated decisions. Most of the coverage so far speaks to HR and legal teams. This guide is for the store operator whose fraud engine, pricing algorithm and BNPL checkout are quietly making decisions the law now regulates — and it sets out exactly what you have to put in place.
This article is informational content, not legal advice. Automated-decision obligations turn on your specific processing; confirm the details with a qualified professional.
What the DUAA Changed About Automated Decisions
The DUAA replaced UK GDPR Article 22 in its entirety with four new provisions, Articles 22A to 22D, in force since 5 February 2026 (DUAA section 80, commenced by The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82). The old Article 22 gave people a right not to be subject to solely-automated significant decisions except in three narrow cases. The new regime inverts the default: such decisions are broadly permitted, provided you build in safeguards.
The UK government's own factsheet describes "a more permissive framework for making decisions based solely on automated processing that have legal or similarly significant effects." Travers Smith puts it more plainly: "the prohibition on automated decision-making has been substantially lifted," and organisations can now rely on ordinary lawful bases like legitimate interests, where "previously, only three narrow conditions permitted ADM." The catch is that permission arrives bundled with documentation duties and customer rights you have to deliver — and a savings provision in SI 2026/82 confirms the new rules apply only to decisions taken on or after 5 February 2026, so old decisions are judged under the old law.
What counts as a "significant decision" — and "solely automated"?
A decision is a "significant decision" under new Article 22A if it "produces a legal effect" for the customer or "has a similarly significant effect" on them. It is "based solely on automated processing" where "there is no meaningful human involvement in the taking of the decision." Both tests must be met before the safeguards bite.
That second test is the lever most stores can actually pull. New Article 22A directs you to consider, among other things, "the extent to which the decision is reached by means of profiling." Travers Smith's practical reading is that if a human "reviews and has the discretion to alter the decision, rather than simply rubber-stamping the machine's determination, then the processing falls outside the ADM rules." Genuine human review takes you out of scope; a box-ticking sign-off does not. Significance is also context-dependent: the ICO's draft 2026 guidance notes that "the same decision may be significant for some individuals, particularly children and other vulnerable groups, but not others."
Is Your Store Making "Automated Decisions"? Fraud, Pricing and BNPL
Probably yes, in at least one place. The three most common automated significant decisions in eCommerce are fraud screening that blocks or cancels an order, pricing that changes per person, and BNPL or credit checks at the point of sale. Whether each is caught turns on one question: does the software decide the outcome, or does a person?
Are automated fraud checks caught by the rules?
An automated fraud check is caught when it decides — for example, automatically declining or cancelling a payment. It generally sits outside the rules when it only flags a transaction for a human to review. Practitioner guidance frames the dividing line as "block" versus "flag": an automatic block creates the significant effect; a flag routed to a person does not.
Picture a mid-size electronics store — this is a composite illustration, not a real case. Its fraud model auto-cancels any order above a risk threshold, with no one in the loop. That is a significant decision made solely by automation, so the Article 22C safeguards apply. Change one thing — flagged orders now land in a queue where a support agent reviews the evidence and can release the order — and you likely fall outside the rules. But the review has to be real. An agent who approves whatever the model says, at a rate of one click per second, is rubber-stamping, and the "meaningful human involvement" test is not satisfied.
Can I use automated dynamic pricing under GDPR?
Personalised pricing is a significant decision when an algorithm sets what an individual pays with no human review. The ICO's draft 2026 guidance expressly lists "dynamic pricing" among the impacts on "behaviour and consumer choice" that can make a decision significant — so do not assume personalisation is automatically out of scope.
Where the line falls is not fully settled, and the ICO's guidance is still in draft. The conservative read: the more your pricing logic materially changes what a specific person pays, the more likely it is a significant decision that needs Article 22C safeguards. A blanket 10%-off code sent to everyone is not personalised decision-making. An engine that quotes one shopper a higher price than another based on their profile is a very different proposition, and privacy analysts treat an algorithm that "sets price with no human review" as almost certainly caught. Ordinary product recommendations usually are not significant — they nudge, they do not decide someone's financial position — but the ICO's own list is a reminder not to wave them through unexamined.
Do BNPL and instant-credit checks count?
A BNPL or instant-credit affordability check that auto-approves or declines a shopper is a textbook automated decision. The CJEU's SCHUFA ruling settled that the score itself — not just the lender's final yes or no — is the automated decision when a business draws strongly on it.
In Case C-634/21, decided 7 December 2023, the Court held that "the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes 'automated individual decision-making'" under Article 22, where a third party "draws strongly" on that value. The reasoning was effects-based: an insufficient probability value "leads, in almost all cases, to the refusal of that bank to grant the loan applied for." The transferable lesson for a store: if you plug in a third-party fraud or credit score that effectively determines the checkout outcome, the score is in scope, and "the vendor calculated it" does not move the obligation off you. SCHUFA is EU case law interpreting the original Article 22 — binding for your EU customers and persuasive context for the UK regime built on the same concepts.
The Four Safeguards You Must Put in Place (Article 22C)
Where a significant decision is made solely by automated means on non-special-category data, new Article 22C requires safeguards consisting of measures that let the customer do four things. Read straight from the statute, you must provide measures to:
- Give the customer information about decisions taken in relation to them.
- Enable them to make representations about such decisions.
- Enable them to obtain human intervention on the part of the controller.
- Enable them to contest such decisions.
In practice, that means a plain-language notice at or after the decision ("this order was declined by an automated fraud check"), a channel to put their side of the story, a route to a human who can look again, and a way to formally challenge the outcome. These are not optional extras bolted on after launch; they are the price of running the automated decision at all.
One boundary matters before you build. New Article 22B keeps significant decisions based on special-category data — health, biometrics, and the other Article 9 categories — tightly restricted: they need explicit consent, or to be necessary for a contract with Article 9(2)(g) engaged. Most store fraud and pricing models should not be touching special-category data. If yours does, stop and take specific advice before it goes live.
"Recognised Legitimate Interests": The Fraud Basis With a Catch
The DUAA added a new lawful basis — "recognised legitimate interests" (new Article 6(1)(ea)) — and its Annex 1 list includes the "crime" purpose: "detecting, investigating or preventing crime, or apprehending or prosecuting offenders." Law firms read this crime condition as the vehicle for fraud-related processing; as Crowell & Moring puts it, it can be used "for crime-related purposes (for example, money laundering and fraud)." Its appeal is real: recognised legitimate interests remove the legitimate-interests balancing test, the three-part assessment you would otherwise document.
But it does not remove everything, and it comes with a trap. You still have to show the processing is necessary and stay transparent about relying on the basis — the government's factsheet and law-firm guidance are consistent on that. The trap is in Article 22B: a significant decision may not be based solely on automated processing where the underlying processing relies, entirely or partly, on the Article 6(1)(ea) recognised-legitimate-interest basis. In plain terms, the very basis that looks perfect for fraud prevention is the one you cannot lean on to justify a solely automated fraud block. For that block you need a different footing — ordinary legitimate interests (with the balancing test you were hoping to skip), contract necessity, or consent — plus the Article 22C safeguards.
This is also where the UK and EU quietly split. Recognised legitimate interests are a UK-only invention; under EU GDPR, Article 6(1)(f) legitimate interests always require an individual balancing assessment. As Bratby Law observes, "the divergence from EU GDPR is now a permanent feature of the UK data protection regime."
UK vs EU: Two Rulebooks for the Same Checkout
For a store selling into both markets, the DUAA opened a genuine gap. EU GDPR Article 22 has not changed. It remains a prohibition on solely-automated significant decisions with only three exceptions — contract necessity, authorisation by law, or explicit consent — and it still demands safeguards including human intervention and the right to contest. The UK now permits far more, so long as you document it and deliver the Article 22C rights.
| Feature | UK (post-DUAA) | EU GDPR |
|---|---|---|
| Default for solely-automated significant decisions | Permitted with Article 22C safeguards | Prohibited except three exceptions (Art 22(2)) |
| Lawful bases available | Ordinary bases, including legitimate interests | Contract, legal authorisation, or explicit consent only |
| No-balancing-test fraud basis | Yes — recognised legitimate interests (Art 6(1)(ea)) | No equivalent |
| Recognised interests for a solely-automated decision | Not permitted (Art 22B) | N/A |
| Special-category-data decisions | Restricted (Art 22B) | Restricted (Art 22(4)) |
The practical read: keep a more permissive UK procedure that uses the new flexibility deliberately, and a tighter EU one that assumes the prohibition still stands. SCHUFA binds for your EU shoppers, so a scoring-driven auto-decline aimed at an EU customer needs to fit one of the three EU exceptions — not the UK's broader permission.
How to Make Your Automated Decisions Lawful, Step by Step
- Inventory your automated decisions. List every system that decides an outcome affecting a customer — fraud engine, pricing logic, BNPL or credit checks, account suspensions, chargeback holds. You cannot govern what you have not mapped.
- Apply the two Article 22A questions to each. Is it a significant decision (legal or similarly significant effect)? Is it solely automated (no meaningful human involvement)? Only the systems that answer yes to both are in scope.
- Where a human genuinely decides, document it. If a person reviews and can overturn the outcome, record how — that involvement may keep the process outside the rules, but only if it is real.
- Pick a lawful basis for the solely-automated ones — and remember Article 22B. You cannot use recognised legitimate interests for these. Choose ordinary legitimate interests, contract necessity, or consent, and write down why.
- Build the four Article 22C safeguards into the flow. A clear notice, a representations channel, a human-review route, and a contest mechanism — designed in, not bolted on.
- Check for special-category data. If a model uses Article 9 data, it falls under the stricter Article 22B limits; get advice before launch.
- Split UK and EU logic if you sell into both. Assume the EU prohibition for EU customers, and run the tighter playbook there.
- Keep the paper trail. Your data map, lawful-basis note, any DPIA, and the safeguard design are the evidence that turns "we complied" into proof.
Common Mistakes to Avoid
The worst mistake, by a distance, is assuming the DUAA "deregulated" automated decisions so you can now do as you like. For a store that was documenting nothing, it did the opposite of deregulate: it swapped a bright-line ban for an ongoing duty to inform, justify and offer human review. Below that, in order:
- Using recognised legitimate interests as the basis for an automated fraud block. Article 22B specifically forbids it. This is the single most likely compliance own-goal, precisely because the basis looks tailor-made for fraud.
- Treating a rubber-stamp as "human involvement." A reviewer who clicks approve on everything the model outputs is not meaningful human involvement, and the decision stays in scope.
- Applying UK permissiveness to EU customers. The EU prohibition is unchanged; a UK-style auto-decision aimed at an EU shopper is exposed.
- Forgetting that the score is the decision. SCHUFA is blunt on this — outsourcing scoring to a fraud or credit vendor does not outsource the Article 22 obligation.
How PrivacyForge Helps
Getting automated decisions right starts with knowing where they are. PrivacyForge's data mapping builds the inventory step 1 asks for — a live register of the systems making decisions about your customers, so a fraud engine or pricing model cannot hide in a plugin nobody documented. Compliance scoring flags the lawful-basis gaps, including the Article 22B trap where a solely-automated decision is leaning on the wrong basis. And the data-subject-request workflow gives you a ready channel for the "human intervention" and "contest" rights Article 22C requires, with every representation and review captured in an audit log. None of it automates the legal judgement away — but it turns a scattered set of algorithms into something you can actually govern and evidence. You can see the connected-systems view in our [AI governance dashboard walkthrough](/resources/blog/ai-governance-dashboard-managing-eu-ai-act-compliance).
Frequently Asked Questions
Does GDPR apply to my store's automated fraud checks?
Yes, when the check makes the decision. Under UK GDPR Article 22A (as amended by the DUAA) and EU GDPR Article 22, an automated fraud check that solely decides an outcome — such as auto-cancelling a payment — is a regulated automated decision. A check that only flags a transaction for a person to review generally falls outside the rules.
What did the DUAA change about automated decision-making?
The DUAA replaced UK GDPR Article 22 with new Articles 22A–22D on 5 February 2026. It lifted the near-total ban on solely-automated significant decisions, allowing them on ordinary lawful bases, but requires four safeguards: information about the decision, a right to make representations, a right to human intervention, and a right to contest (Article 22C).
Can I use automated dynamic pricing under GDPR?
Personalised pricing that sets what an individual pays with no human review can be a significant decision requiring Article 22C safeguards. The ICO's draft 2026 guidance lists dynamic pricing among impacts that can make a decision significant. A flat discount for everyone is not decision-making; an engine quoting different prices per person likely is.
Can I rely on "recognised legitimate interests" for automated fraud prevention?
Not for a solely-automated significant decision. The DUAA's recognised legitimate interests (Article 6(1)(ea)) cover crime and fraud prevention without a balancing test, but Article 22B bars using that basis to justify a decision made solely by automation. For an automated fraud block you need ordinary legitimate interests, contract necessity, or consent instead.
How are the UK and EU rules on automated decisions different now?
The UK permits solely-automated significant decisions on ordinary lawful bases with Article 22C safeguards. The EU has not changed: Article 22 still prohibits them except under contract necessity, legal authorisation, or explicit consent. A store selling into both markets should run two procedures and assume the stricter EU rule for EU customers.
Conclusion
The DUAA did not hand UK stores a free pass on automated decisions; it handed them a permission with strings — inform, offer human review, let people contest, and document all of it. The stores that struggle will be the ones that read "more permissive" as "unregulated," lean on recognised legitimate interests where Article 22B forbids it, or forget that their fraud vendor's score is legally their decision. Map the automated decisions you already make, put the four safeguards where the software decides, and keep a separate, tighter playbook for EU customers.
Start with the systems that decide, then check the rest of your obligations against our [eCommerce GDPR compliance checklist](/resources/blog/gdpr-compliance-for-ecommerce-practical-checklist). And if you handle UK subject access requests, the DUAA changed those too — see the new [DSAR "stop the clock" rules](/resources/blog/duaa-dsar-stop-the-clock-ecommerce).
Sources
- [Data (Use and Access) Act 2025, Section 80 (automated decision-making)](https://www.legislation.gov.uk/ukpga/2025/18/section/80)
- [Data (Use and Access) Act 2025 — new UK GDPR Articles 22A–22D (enacted text)](https://www.legislation.gov.uk/ukpga/2025/18/part/5/chapter/1/crossheading/automated-decisionmaking/enacted)
- [The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82)](https://www.legislation.gov.uk/uksi/2026/82)
- [Data (Use and Access) Act 2025, Schedule 4 (recognised legitimate interests)](https://www.legislation.gov.uk/ukpga/2025/18/schedule/4/data.xht?view=snippet&wrap=true)
- [GOV.UK — Data (Use and Access) Act 2025 factsheet: UK GDPR and DPA](https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets/data-use-and-access-act-factsheet-uk-gdpr-and-dpa)
- [EU GDPR Article 22 — Automated individual decision-making, including profiling](https://gdpr-info.eu/art-22-gdpr/)
- [CJEU, Case C-634/21 SCHUFA (Scoring), 7 December 2023 — EUR-Lex case-law summary](https://eur-lex.europa.eu/eli/C/2024/913/oj/eng)
- [Travers Smith — The UK's data protection reforms take effect: a new era for automated decision-making](https://www.traverssmith.com/knowledge/knowledge-container/uks-data-protection-reforms-take-effect-a-new-era-for-automated-decision-making/)
- [Crowell & Moring — ICO publishes guidance on recognised legitimate interests](https://www.crowell.com/en/insights/client-alerts/pre-approved-ico-publishes-guidance-on-recognised-legitimate-interests)
- [Bratby Law — Recognised legitimate interests: DUAA UK/EU divergence](https://bratby.law/recognised-legitimate-interests-duaa-uk-eu-divergence/)
- [Burges Salmon — Automated decision-making: ICO consults on new guidance following DUAA reforms](https://www.burges-salmon.com/articles/102mruj/automated-decision-making-ico-consults-on-new-guidance-following-duaa-reforms/)