
Cookie Consent Changes Under the Data (Use and Access) Act 2025 - New Exemptions and Higher Fines
The Data (Use and Access) Act 2025 (DUAA) has rewritten the UK's cookie consent rules. From 5 February 2026, certain low-risk cookies, including first-party analytics and cookies that remember how a website looks for a user, no longer require consent under the Privacy and Electronic Communications Regulations (PECR).
The same date brought a much sharper edge to enforcement. The old PECR penalty cap of £500,000 has gone. Breaches of the cookie rules can now attract fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, the same levels as the UK GDPR.
The Information Commissioner's Office (ICO) finalised its guidance on storage and access technologies on 29 April 2026, after two consultations. That guidance sets out how the regulator expects the new exceptions to work in practice.
Every UK website now needs to review its cookie banner and cookie policy. Some businesses can simplify their banners. All businesses face higher penalties if they get the rules wrong.
The changes come from section 112 and Schedule 12 of the DUAA, which insert a new Schedule A1 into PECR, and from section 115 and Schedule 13, which overhaul enforcement. Both were commenced on 5 February 2026 by the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026. The ICO's expectations are set out in its guidance on the use of storage and access technologies.
Why This Matters
Since 2003, PECR has required consent before storing or accessing information on a user's device, with narrow exceptions for communications and strictly necessary cookies. That rule shaped every cookie banner in the UK. Analytics tools, preference cookies and personalisation features all needed an opt-in.
The DUAA changes that model for specific low-risk purposes. Statistical and appearance cookies move from opt-in consent to an opt-out approach, provided strict conditions are met. Banners built around the old rules will often ask for consent they no longer need, or fail to offer the objection mechanism the new exceptions demand.
The risk calculation has also changed. Under the old regime, the largest PECR fine the ICO could issue was £500,000, and cookie enforcement was rare. With fines now aligned to UK GDPR levels and fresh guidance in place, the cost of a non-compliant banner or an out-of-date cookie policy is far higher.
1. The Statistical Purposes Exception
New paragraph 5 of Schedule A1 to PECR removes the consent requirement for cookies used to collect statistical information about how a service or website is used, with a view to making improvements. This is the exception most businesses will care about, because it covers audience measurement and first-party analytics.
The conditions are precise. The sole purpose of the cookie must be collecting statistics to improve the service or the website. The user must be given clear and comprehensive information about the purpose. The user must also be given a simple means of objecting, free of charge, and must not have objected.
There is a sharing restriction too. Information collected under this exception cannot be shared with any other person, except to enable that person to assist with making improvements to the service or website. Analytics data passed to a third party for its own purposes, such as advertising or profiling, takes the cookie outside the exception entirely.
Paragraph 5(3) contains a practical concession for repeat visits. Where the same cookie is used for the same purpose on more than one occasion, the information and objection requirements only need to be met on the initial use.
2. Website Appearance and Functionality Cookies
Paragraph 6 of Schedule A1 creates a parallel exception for websites. Consent is not needed where the sole purpose of the cookie is to adapt how the website appears or functions to the user's preferences, or otherwise to enhance the website's appearance or functionality on that device.
Typical examples include cookies that remember a dark mode setting, a language choice, a font size or a preferred layout. As with the statistical exception, the user must receive clear and comprehensive information and a simple, free means of objecting, and must not have objected.
The DUAA also restates the strictly necessary exception. Cookies needed to provide a service the user has requested remain exempt, and the new Schedule A1 expressly recognises purposes such as security, fraud prevention, fault detection and user authentication. A further narrow exception covers location data used to provide emergency assistance.
3. What Still Requires Consent
The consent rule has not disappeared. Advertising and targeting cookies still require prior consent, as do social media pixels, cross-site tracking technologies and any cookie used to build profiles for marketing. Nothing in the DUAA legalises tracking users around the web without asking.
Analytics cookies also fall back into consent territory whenever the conditions fail. If the data is used for anything beyond improving the service, or is shared with a third party for that third party's own purposes, the statistical exception does not apply and consent is required.
Remember that PECR is only half the picture. Where cookies collect personal data, the UK GDPR still applies to that processing, so the business needs a lawful basis, transparency information and appropriate retention limits even where PECR consent is no longer required.
4. PECR Fines Rise to UK GDPR Levels
Section 115 and Schedule 13 of the DUAA replace the old PECR enforcement regime. They apply the Information Commissioner's enforcement powers under Parts 5 to 7 of the Data Protection Act 2018 to PECR, with modifications, from 5 February 2026.
Schedule 13 places breaches of regulation 6, the cookie rule, in the higher penalty band. Under section 157 of the Data Protection Act 2018, that means a maximum fine of £17,500,000 or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.
The contrast with the old regime is stark. Before the DUAA, PECR monetary penalties were capped at £500,000 regardless of the size of the business. The new maximum is 35 times larger before turnover is even considered.
Cookie Consent Changes at a Glance
| Change | Was | Now |
|---|---|---|
| First-party analytics cookies | Prior consent required | Exempt if used solely to improve the service, with clear information and a simple, free right to object |
| Appearance and functionality cookies | Prior consent required | Exempt for websites, with clear information and a right to object |
| Advertising and tracking cookies | Prior consent required | Prior consent still required |
| Sharing analytics data with third parties | Covered by consent wording | Only permitted to help improve the service or website, otherwise consent needed |
| Maximum PECR fine | £500,000 | £17.5 million or 4% of annual worldwide turnover, whichever is higher |
| Enforcement framework | Separate PECR regime | Data Protection Act 2018 powers applied to PECR with modifications |
| ICO cookie guidance | Draft guidance under consultation | Finalised guidance published 29 April 2026 |
What Businesses Must Do
- Audit every cookie and tracking technology on your website, including pixels, scripts and local storage, and record its purpose, provider and duration. The new exceptions are purpose-based, so you cannot classify anything until you know what each cookie does.
- Map each cookie to a legal route: strictly necessary, statistical, appearance and functionality, or consent. Be honest about mixed purposes; a cookie used for both analytics and advertising needs consent.
- Check your analytics configuration and contracts before relying on the statistical exception. Confirm that data is not shared with the provider or anyone else for their own purposes, and document that assessment.
- Rebuild your consent banner to match your new classification. Exempt cookies no longer need an opt-in toggle, but users must still be told about them and offered a simple, free way to object.
- Provide a working objection mechanism for statistical and appearance cookies, such as a settings control that is easy to find and takes effect immediately. The exception fails without it.
- Rewrite your cookie policy to describe the new categories, the exceptions you rely on, the conditions you meet and how users can object. A policy that still describes the pre-2026 consent model is inaccurate.
- Keep evidence of the review, including the cookie audit, the classification decisions and the dates changes went live. If the ICO asks questions, contemporaneous records are your best defence.
Common Errors to Avoid
- Removing the cookie banner entirely. Most commercial websites still run advertising or social media tags that need prior consent, so scrapping the banner puts you in breach of regulation 6 at the new fine levels.
- Treating all analytics as exempt. The statistical exception only covers data used to improve your own service or website. Analytics that feeds advertising platforms or third-party products still needs consent.
- Ignoring the objection requirement. The exemptions are conditional. Without clear information and a simple, free means of objecting, an otherwise exempt cookie is unlawful.
- Forgetting the UK GDPR. Dropping the PECR consent box does not remove the need for a lawful basis, privacy information and retention limits for any personal data the cookie collects.
- Leaving the old cookie policy live. A policy that tells users you seek consent for analytics while your banner no longer does undermines transparency and invites complaints to the ICO.
Enforcement and the ICO's New Powers
From 5 February 2026 the ICO enforces PECR using the Data Protection Act 2018 toolkit, applied with modifications. That includes information notices, assessment notices, enforcement notices and penalty notices, giving the regulator the same machinery for cookies as it has for UK GDPR breaches.
For the cookie rule in regulation 6, the higher maximum penalty applies: £17.5 million or 4% of annual worldwide turnover. Certain other PECR contraventions attract the standard maximum of £8.7 million or 2% of turnover. Fines remain discretionary, and the ICO weighs the seriousness of the breach, harm to individuals and the steps taken to comply.
The finalised guidance of 29 April 2026 shows where the regulator's attention will fall. It added new sections on what counts as a simple means of objecting and on using one technology for multiple purposes, which suggests the ICO expects businesses to test their objection mechanisms and their purpose claims carefully.
How Policy Pros Can Help
Policy Pros helps UK businesses bring their websites and documentation in line with the post-DUAA rules. Our cookie policy writing service produces a policy that reflects the new exceptions, the conditions attached to them and the objection rights users now hold. We pair this with privacy policy writing so your UK GDPR transparency information matches what your cookies actually do.
If you are working through the wider reforms, our DUAA changes 2026 employer guide explains the Act's main measures for businesses, and our guide to DUAA privacy notice updates covers the documents that need revising alongside your banner. For the underlying rules, see our explainer on cookie compliance under UK GDPR and PECR.
A short review now is far cheaper than a regulatory dispute later. Get in touch and we will audit your cookie documentation against the February 2026 rules and the ICO's finalised guidance.
Frequently Asked Questions
Do I still need a cookie banner for analytics cookies?
Not necessarily a consent banner, but you cannot stay silent either. Since 5 February 2026, first-party analytics cookies used solely to improve your service are exempt from PECR consent, provided you give users clear information and a simple, free way to object. If your analytics data is shared with third parties for their own purposes, consent is still required.
When did the DUAA cookie changes come into force?
The new cookie exceptions and the higher PECR fines both took effect on 5 February 2026. They were commenced by the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026, and the ICO finalised its supporting guidance on 29 April 2026.
What is the maximum fine for cookie breaches under PECR now?
Breaches of the cookie rule in regulation 6 of PECR can now attract a fine of up to £17.5 million or 4% of total annual worldwide turnover, whichever is higher. Before the DUAA reforms took effect, the maximum PECR penalty was £500,000.
Does the new analytics exemption cover tools like Google Analytics?
Only if strict conditions are met. The statistical exception requires that data is used solely to improve your service or website and is not shared with anyone else except to assist with those improvements. Many third-party analytics configurations share data for the provider's own purposes, which would take them outside the exemption, so check your settings and contracts before removing consent.
Do marketing and advertising cookies still need consent in the UK?
Yes. The DUAA exemptions only cover low-risk purposes such as statistics, appearance and functionality. Advertising, targeting and cross-site tracking cookies still require prior consent under regulation 6 of PECR, and the fines for getting this wrong are now much higher.