What the Data Use and Access Act Changes About Cookies

The UK Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025 and represents the most significant reform to UK cookie rules since PECR came into force in 2003. The key cookie-related provisions commenced on 5 February 2026, amending Regulation 6 of the Privacy and Electronic Communications Regulations (PECR) to introduce five specific exemptions from the requirement to obtain consent before storing or accessing information on a user's device.

Before this Act, UK cookie law mirrored the EU position almost exactly: consent was required for all cookies except those strictly necessary to provide a service the user requested. The DUAA widens that list.

The PECR maximum fine has also been raised from GBP 500,000 to GBP 17.5 million or 4% of annual global turnover, bringing it in line with UK GDPR penalty thresholds. Getting cookie compliance wrong now carries a much heavier price tag.

The Five New Cookie Exemptions Under Amended PECR

The DUAA does not remove the general requirement for cookie consent. It carves out five categories where consent is not needed, provided certain conditions are met. Each exemption is purpose-limited, meaning the moment a cookie serves a purpose outside its stated exemption, consent becomes mandatory again.

1. Communication Exception

This exemption covers cookies used solely for the transmission of a communication over an electronic network. The storage or access technology must be technically impossible to replace, and it must serve one of three functions: routing identification, ordered data exchange, or error detection. This is a narrow, technical exemption that applies to infrastructure-level operations rather than anything a typical website owner configures.

2. Strictly Necessary Exception

This is the existing exemption, now formally codified alongside the new ones. It applies when a cookie is essential to provide a service the user has explicitly requested. Shopping basket cookies, authentication tokens like PHPSESSID, and security cookies qualify. Advertising, cross-device tracking, and social media plugins do not, even if a site owner considers them important to the business.

3. Statistical Purposes Exception

The most discussed new exemption. If the sole purpose of a cookie is to collect aggregate statistical information about how a service is used, with a view to making improvements, consent is no longer required. This covers basic analytics cookies - but with strict conditions outlined below.

4. Appearance Exception

Covers cookies that adapt how a service appears or functions based on a user's preference. Language selection cookies such as pll_language, theme preferences, and responsive layout settings fall under this exemption. Personalising content based on inferred interests or browsing behaviour does not qualify.

5. Emergency Assistance Exception

A narrow exemption for technologies that identify a device's geographical position to provide emergency assistance. This applies to eCall systems, GPS safety alarms, and similar technologies activated when a user initiates an emergency request.

What the Analytics Exemption Actually Allows

The statistical purposes exception has generated the most interest, particularly from marketers and website owners who want to run Google Analytics without a consent prompt. The reality is more limited than many expect.

The ICO has been direct about the scope. The exemption applies only when the sole purpose is understanding how visitors interact with your service to make improvements. It is not a broad exemption covering all analytics technologies or use cases. The ICO states it covers how your service is used, not who uses it.

Advertising-related analytics sit entirely outside this exception. If your analytics setup feeds data into ad targeting, remarketing audiences, or conversion modelling, consent remains mandatory under PECR.

Conditions for Using the Analytics Exemption

Four conditions must all be met simultaneously:

  • The data must be used only to improve your own website or service
  • The resulting information must be aggregate and must not identify individuals
  • You must provide clear and comprehensive information about what data is collected and why
  • You must offer a simple and free mechanism for users to object (opt out)

Without all four conditions in place, the exemption does not apply and consent is required.

Can You Use Google Analytics Without Consent Under the DUAA?

This depends entirely on your configuration. Google Analytics 4 in its default setup collects data that goes beyond aggregate statistics. Features like User-ID tracking, Google Signals, and advertising integrations mean that a standard GA4 implementation does not meet the conditions of the statistical purposes exception.

If you disable advertising features, switch off Google Signals, avoid User-ID, aggregate data quickly, and do not retain individual-level data longer than necessary, a third-party analytics provider may qualify. The ICO acknowledges that third-party providers can be used under this exception, so long as the data serves only your site improvement purposes and is not pooled or repurposed by the provider.

Privacy-preserving analytics tools such as Plausible, Fathom, or Matomo in cookieless mode are more likely to fit within the exemption by default, as they are designed around aggregate, non-identifying data collection.

Exemptions at a Glance: Conditions and Requirements

Exception            | Purpose                                  | Transparency Required | Opt-Out Required | Common Examples
Communication        | Transmission of a communication          | No                    | No               | Load balancing, routing
Strictly Necessary   | Essential to deliver requested service   | Yes                   | Yes              | PHPSESSID, cart cookies
Statistical Purposes | Aggregate usage data to improve service  | Yes                   | Yes              | Page views, session counts
Appearance           | User preference for display or function  | Yes                   | Yes              | pll_language, dark mode
Emergency Assistance | Device location for emergency help       | Yes                   | Yes              | eCall, GPS safety alarms

Transparency and Opt-Out: Still Mandatory

A common misunderstanding is that exempt cookies require no user-facing action at all. That is incorrect. Four of the five exemptions (all except Communication) require you to provide clear and comprehensive information about what data is collected and why, and to give users a simple, free way to object.

This means your cookie banner does not disappear. It changes shape. Rather than asking for opt-in consent for analytics, you inform users that analytics cookies are active and provide a visible opt-out mechanism. The opt-out must be genuinely simple - buried settings pages or multi-step processes will not satisfy the requirement.

Your cookie policy should be updated to reflect which cookies fall under each exemption and how users can exercise their right to object.

How the DUAA Differs from EU Cookie Rules

The DUAA creates a clear divergence between UK and EU cookie law. Under the ePrivacy Directive, the EU still requires prior consent for all non-essential cookies, with no general analytics exemption. The proposed EU Omnibus Directive may eventually introduce similar simplifications, but nothing is in force yet.

For websites serving both UK and EU audiences, this divergence means maintaining two different consent models. Analytics cookies might be placed without consent for UK visitors while still requiring opt-in for visitors in EU member states. Geo-detection in your consent management platform becomes essential to apply the correct rules to each visitor.

Key Differences Between UK and EU Cookie Rules Post-DUAA

Aspect                        | UK (Post-DUAA)                          | EU (ePrivacy Directive)
Analytics cookies             | Exempt if aggregate-only, with opt-out  | Consent required (opt-in)
Functional/appearance cookies | Exempt with opt-out                     | Consent required unless strictly necessary
Maximum fine                  | GBP 17.5m or 4% turnover                | Varies by member state
Opt-out mechanism             | Required for exempt cookies             | Not applicable (consent model)
Regulatory guidance           | ICO updated guidance (Spring 2026)      | EDPB guidelines

Practical Steps to Prepare Your Website

The DUAA provisions are already in force, so action is needed now rather than later. Start by auditing your current cookie inventory to identify which cookies genuinely qualify for an exemption.

Run a cookie scan to get a full picture of what your site sets. Many website owners discover cookies from third-party scripts they were not aware of - these cannot be claimed under any exemption without first understanding what they do.

For analytics, review your configuration carefully. If you use GA4, document which features are enabled and whether your setup meets every condition of the statistical purposes exception. If it does not, you have two options: reconfigure GA4 to strip out identifying and advertising features, or continue collecting consent for analytics as before.

Update your cookie banner to reflect the new model. For exempt cookies, switch from an opt-in prompt to a clear notice with opt-out capability. For marketing cookies and any analytics that do not qualify, continue using opt-in consent.

Ensure your consent records capture opt-out requests as well as opt-in choices. The ICO may request evidence that you provided an adequate opt-out mechanism during any investigation.
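The region-aware gating and record-keeping described in the steps above, as an added example that is not code from the original article or from Kukie.io. It assumes a simplified model in which a visitor positively identified as UK gets the notice-plus-opt-out model for aggregate-only analytics and everyone else keeps prior opt-in; the country codes, choice values and record shape are this example's assumptions.

```javascript
// Added example, not code from the original article or from Kukie.io.
// Assumed simplification: UK visitors get notice plus opt-out for
// aggregate-only analytics; EU and unidentified visitors keep opt-in.
// Country codes, choice values and the record shape are assumptions.

const UK_COUNTRIES = new Set(["GB"]);

// Decide which banner model applies and whether aggregate-only analytics
// may run. storedChoice is null (no choice yet), "opt_in" or "opt_out".
function analyticsDecision(countryCode, storedChoice) {
  if (UK_COUNTRIES.has(countryCode)) {
    // UK: statistical-purposes exemption; active until the user objects.
    return { model: "notice_opt_out", loadAnalytics: storedChoice !== "opt_out" };
  }
  // EU, and any region not positively identified as UK (the safer default):
  // prior opt-in is required before analytics loads.
  return { model: "opt_in", loadAnalytics: storedChoice === "opt_in" };
}

// gtag.js config parameters for an exempt, aggregate-only GA4 setup:
// Google Signals and ad personalisation off, and no user_id supplied.
// Whether a deployment meets all four exemption conditions is a separate check.
function exemptGa4Config() {
  return { allow_google_signals: false, allow_ad_personalization_signals: false };
}

// Consent record that captures opt-out requests as well as opt-in choices,
// so evidence of the opt-out mechanism exists if the ICO asks for it.
function recordChoice(log, countryCode, choice, recordedAt) {
  const decision = analyticsDecision(countryCode, choice);
  const entry = {
    countryCode,
    model: decision.model,
    choice,
    recordedAt,
    analyticsActive: decision.loadAnalytics,
  };
  log.push(entry);
  return entry;
}
```

An opt-out recorded for a UK visitor flips analyticsActive to false in the same call, which is how the "honour it immediately" requirement is reflected in the log.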

Frequently Asked Questions

Do I still need a cookie banner after the DUAA?

Yes. The DUAA removes the consent requirement for certain cookie categories but still requires you to inform users and provide an opt-out. Your banner must explain which cookies are set and offer a way to object.

Can I run Google Analytics without consent under the UK DUAA?

Only if you disable advertising features, Google Signals, and User-ID tracking, and ensure the data remains aggregate. A default GA4 setup does not qualify for the analytics exemption.

Does the analytics cookie exemption apply to marketing cookies?

No. The statistical purposes exception explicitly excludes advertising, remarketing, and any analytics tied to ad targeting. Marketing cookies still require opt-in consent.

What happens if a user opts out of exempt analytics cookies?

You must stop collecting data from that user. The opt-out mechanism must be simple and free, and you must honour it immediately.

Does the DUAA apply to websites outside the UK?

PECR applies to anyone sending electronic communications or using cookies in relation to UK users. If your website targets UK visitors, the DUAA amendments apply to you.

Are functional cookies now exempt from consent in the UK?

Cookies that adapt appearance or functionality based on a stated user preference are exempt under the Appearance exception. Personalisation based on inferred behaviour still requires consent.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
