Every UK WooCommerce store needs a documented complaints procedure operating from 19 June 2026. The DUAA’s new individual right to complain has a 30-day acknowledgment clock and no grace period for stores that didn’t read the back half of the act. Most operators fixated on the February cookie deadline and missed this one. The clock starts the day a complaint arrives, not the day you read it.
The Deadline Hidden Behind February
The Data (Use and Access) Act 2025 had two effective dates that mattered. Bird & Bird’s reform analysis sets them out clearly: main provisions on 5 February 2026, with the new individual right to complain following on 19 June 2026.
The February date got the headlines. Cookie reform, statistical purposes exception, ICO investigative power upgrades — all the cookie-banner conversations the industry has been having. The June date got the back of the memo, somewhere after the institutional reform notes and before the appendix.
That mismatch matters because the June obligation is operational, not strategic. It needs a procedure document, an internal owner, an inbox or form, a logging system, and a response workflow. It cannot be retrofitted in 48 hours when the first complaint arrives.
The fixation on the cookie reform turned the operational deadline into the silent one.
What the 30-Day Acknowledgment Clock Actually Does
The new right works in two parts. A complainant submits a complaint to the controller. The controller has 30 days to acknowledge receipt and must respond without undue delay after that.
The acknowledgment clock is the part stores misread. Acknowledgment is not response. The 30 days is the deadline to confirm the complaint has been received and is being handled. The substantive response comes later, on the “without undue delay” standard.
The clock starts when the complaint arrives at the controller, however it arrives. If the procedure tells users to email , the clock starts the moment the email lands in that inbox. If nobody monitors the inbox for two weeks, the clock keeps running. The store has used 14 of its 30 days before anyone has even seen the message.
That is the operational risk. A complaints procedure with no monitoring routine is a legal liability dressed up as compliance.
What the ICO Says the Procedure Should Contain
The Bird & Bird summary of the autumn 2025 draft ICO guidance describes what regulators expect to see published. Two distinct items: how a complaint can be submitted, and how the controller will process it once received.
The submission piece is straightforward. A clear channel — email address, web form, or both — and any required information for the complainant to provide. The processing piece is the part most stores haven’t built yet. It needs to cover:
- Who receives the complaint internally and within what timeframe.
- How acknowledgment is sent and what it contains.
- How the substantive review happens, who decides, and on what evidence.
- How the complainant is informed of the outcome and the reasons for it.
- The complainant’s right to escalate to the ICO if they are unsatisfied.
The procedure has to be documented and accessible. ICO draft guidance recommends publishing it — not just having it on file internally — so a user submitting a complaint can see what is going to happen with it.
You may be interested in: UK PECR Fines Just Jumped From £500k to £17.5 Million on February 5
The Audit Trail Is the Artifact That Survives
A procedure document on its own is not what the regulator inspects. The audit trail is. Each complaint received, when it arrived, when it was acknowledged, who handled it, what evidence they reviewed, what outcome was reached, and when the complainant was told.
Clifford Chance’s read of the expanded ICO powers makes the inspection question concrete. The regulator can compel interviews, demand audit access, and issue stop orders. The audit trail is what gets requested when an investigation begins.
For a WooCommerce store, the practical setup is a numbered ticketing log — spreadsheet, helpdesk system, or database — with one row per complaint and dated columns for each procedural milestone. The format matters less than the discipline of recording every step on the day it happens.
If a complaint takes 60 days to resolve, the audit trail explains why. If it takes 6 days, the audit trail proves it. If the complaint never gets handled, the audit trail is what is missing — and that is the failure mode the ICO will look for first.
You may be interested in: The 30-Minute GTM Container PECR Audit Every UK WooCommerce Store Should Run This Week
The Three Roles a Small Store Has to Assign
The procedure needs three roles, even if one person fills all of them.
Receiver: the inbox or form owner. Their job is to confirm a complaint has arrived, log it, and start the acknowledgment clock. This is monitoring, not decision-making.
Handler: the person who reviews the substance, gathers any internal evidence, and proposes a resolution. For most WooCommerce stores this is the founder or operations lead. The role can be combined with the receiver but the responsibilities should be written down separately.
Final decider: the person who signs off the response and authorises any remedial action. For a sole-founder store this is the founder. For a small team this is whoever has authority to commit the business to the resolution.
Three named roles, even if one person fills all three. The procedure needs to say who, not just what.
Here’s How You Build the Underlying Data Picture
A complaints procedure is only as defensible as the data the store can produce when asked. Transmute Engine™ is a first-party Node.js server that runs on your subdomain and routes WooCommerce events through your own infrastructure before they reach any third party. When a complainant asks what data was collected, when, and where it went, the answer comes from a system the store actually controls — not from the export logs of a vendor whose retention rules might not match the regulator’s question.
Key Takeaways
- Hard deadline: 19 June 2026. The DUAA individual right to complain becomes operative.
- 30-day acknowledgment clock starts the day the complaint arrives, not the day someone reads it.
- Two distinct documents: how to submit a complaint, and how the controller processes it after receipt.
- The audit trail is the artifact the regulator inspects — one row per complaint with dated procedural milestones.
- ICO has expanded powers to compel interviews, demand audits, and issue stop orders if the procedure fails.
Frequently Asked Questions
19 June 2026. The DUAA’s individual right to complain provision became operative four months after the main act took effect on 5 February 2026. Every UK data controller, including WooCommerce stores serving UK customers, has to have a documented complaints procedure operating by that date.
A complainant has to receive an acknowledgment within 30 days of submitting their complaint. The clock starts the day the complaint arrives at the store — through whatever channel — not the day someone reads it. If the complaint sits in an unmonitored inbox for two weeks, you have 16 days left, not 30.
Yes. The privacy notice describes how data is handled. The complaints procedure tells users how to complain about that handling and what happens after they submit. ICO draft guidance specifically recommends publishing both the submission method and the processing process — they are different documents serving different functions.
DUAA expanded ICO powers significantly. They can compel interviews, demand audit access, and issue stop orders forcing the controller to halt processing. The complaints right is enforceable, and the regulator now has tools to test whether the procedure exists and works.
How a complaint can be submitted, who receives it, the acknowledgment timeline, the steps for handling, who decides the outcome, how the user is informed of the resolution, and the user’s right to escalate to the ICO if unsatisfied. The audit trail recording each complaint and its handling is the artifact the regulator will ask to see.
Build the procedure before June 19, not after the first complaint arrives. Seresa helps UK WooCommerce stores get the underlying data architecture right so the audit trail holds up.
