The EU Data Act (Regulation (EU) 2023/2854) was formally adopted in December 2023, entered into force in January 2024 and has applied since 12 September 2025. It is a key legislative component of the European Union's broader data strategy and regulates access to and use of data generated by connected products (IoT devices) and related services within the EU. Both personal and non-personal data are in scope; where the data is personal, the GDPR continues to apply in full.
The Act is designed to prevent lock-in, whereby the manufacturer or service provider is the only party able to access and use the data a connected device generates. By giving users a right to that data, it aims to promote competition in repair, maintenance and other data-driven services, and to give users control over who may use data about them and their devices.
Ultimately the Act is about sharing data. The other side of this fair-access mandate is safeguarding the user's rights over any personal data in that stream: where personal data is involved, a lawful basis under the GDPR (typically consent) is still required, and the user must be told before the contract is concluded what data the product or service generates, how it can be accessed and who else can obtain it. Compliance involves putting contractual, technical and organisational measures in place to allow fair, secure and interoperable data sharing, and documenting how the data, and any consent, is managed.
To ensure compliance:
Contract review:
Review all contracts involving data sharing, particularly with third parties or across jurisdictions
Data review:
Assess your data collection methods: Is data generated by devices shared transparently?
Assess access and portability:
Implement the access and portability mechanisms the Act requires: where technically feasible, data should be directly accessible to the user from the product or related service by default; otherwise it must be made available to the user, or to a third party of the user's choosing, without undue delay on request
Check data governance:
Evaluate your internal data governance policies and align them with the Act’s interoperability, security, and transparency requirements
Monitor consent status:
Continue to ensure that consent records are kept secure and auditable: who consented, to what, when, and how the consent can be withdrawn
Both EU and non-EU companies must comply with the EU Data Act if they offer services or products within the EU market.
The Act applies to:
Manufacturers of connected products placed on the EU market and providers of related services
Users of connected/IoT products within the EU
Data holders (entities with the right or obligation to make data available)
Data recipients (third parties receiving data at the user's request)
Public sector bodies requesting data in emergencies or for other public interest purposes
The EU Data Act confers a number of data access and use rights on users (consumers and businesses alike), including:
Users can access data generated by their connected products and related services
Users can share that data with any third party of their choosing, excluding gatekeepers as designated under the Digital Markets Act (DMA)
Users' data can be ported to new providers, including when switching between data processing (cloud) services
Users, including businesses, are protected against unfair contract terms unilaterally imposed in relation to data access, use, liability and remedies
Users are entitled to transparency about what data is generated, how it is used and how it can be accessed and ported
Users benefit from interoperability requirements and harmonised standards or common specifications intended to avoid technical or contractual lock-in
While cookies fall under the ePrivacy Directive and GDPR, the EU Data Act could indirectly affect cookie use, especially when cookie-collected data is integrated with non-personal data from connected devices. Businesses should evaluate how cookies and tracking technologies contribute to broader data ecosystems and ensure transparency in their use, especially when aggregating data for analytics or service improvements.
Each EU member state designates one or more competent authorities to enforce the Act and lays down its own rules on penalties. Depending on the breach, the consequences of non-compliance can include:
Administrative fines (for infringements involving personal data, the Act refers to the GDPR's fine levels)
Contractual liability
Exclusion from public contracts
Reputational damage
Compliance with the EU Data Act, alongside the cookie rules of the ePrivacy Directive and the GDPR, involves a few key actions:
Review data practices for consent:
Ensure that you obtain explicit, informed consent before storing or accessing non-essential cookies (an ePrivacy Directive requirement, which also governs any cookie-derived data you combine with device-generated data).
Provide clear choices:
Allow users to accept or reject different categories of cookies without influencing their choice and make consent withdrawal transparent.
Provide clarity about data collection:
Ensure that users are aware of data being collected and how it is being used.
Implement consent management:
Platforms like CookieHub provide an easy way to manage consumer consent for data processing.
A comprehensive consent management platform like CookieHub can help with EU Data Act compliance by providing transparent, user-friendly tools to manage data access permissions, track consent records, and ensure that data is shared in accordance with users' rights and regulatory requirements.
The EU Data Act establishes a framework for fair access to and use of data generated by connected products and related services across the EU. It applies to businesses, public sector bodies, and users of connected devices, ensuring data can be accessed and shared in a secure, competitive, and transparent environment.
While the EU Data Act's primary focus is making device-generated (largely non-personal) data accessible, it is without prejudice to the General Data Protection Regulation (GDPR), which remains the main legal framework for personal data. Personal data refers to any information that can directly or indirectly identify an individual, such as names, identification numbers, location data, or online identifiers.
The EU Data Act does not redefine "sensitive data" but respects existing data protection laws. Under the GDPR, sensitive data includes information such as racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health information, and data concerning a person’s sex life or sexual orientation.
The enforcement of the EU Data Act is the responsibility of national authorities designated by each EU member state. These authorities will coordinate with the European Commission and other relevant EU bodies to ensure uniform application and compliance.
Micro and small enterprises (those with fewer than 50 employees and an annual turnover or balance sheet total not exceeding €10 million) are exempt from the Act's data-sharing obligations for the connected products they manufacture and the related services they provide, unless they have partner or linked enterprises that are not themselves micro or small, or are subcontracted to manufacture or design the product or provide the service by a larger enterprise. Enterprises that have only recently grown to medium size also benefit from a one-year transition period.
You can find more details on the European Commission’s official website, including the full text of the regulation, explanatory documents, and updates on implementation. You may also consult national data authorities for country-specific guidance.
©2018-2025 CookieHub ehf.