The Data (Use and Access) Act (DUAA) brought changes to the cookie regime under the Privacy and Electronic Communications Regulations (PECR), which came into force on 5 February 2026. The ICO describes cookies as “small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them. Software on the user's device (for example a web browser) can store cookies and send them back to the website next time they visit”. Cookies are used in numerous ways, such as remembering what’s in a shopping basket when shopping for goods online, supporting users to log in to a website, or tracking users' browsing behaviour, and can be useful because they allow a website to recognise a user’s device. Cookies are widely used to make websites work more efficiently, as well as to provide information to the owners of the site. ICO final guidance on the changes to cookie laws under the DUAA is expected shortly. We discuss here what has changed, as well as the practical steps businesses might consider taking now to remain compliant with cookie laws.
Pre DUAA
Before the DUAA, there was a general prohibition on setting cookies to store or access information on a user device unless consent had been given, or the user had been provided with clear and comprehensive information about the purposes of the storage of, or access to, that information. Organisations were only permitted to set cookies and other tracking/storage technologies on a user’s device without the user’s consent where cookie use was:
- strictly necessary for providing the service to the user (such as “essential” cookies); or
- solely for the purpose of transmitting communications over an electronic communications network.
Any other use of cookies or other tracking and storage technologies still needed the user’s informed consent before the technologies could be used.
What has changed?
From 5 February 2026, consent is no longer required for certain categories of cookies and similar technologies, including:
- cookies used solely for statistical or analytics purposes, where the data is used only by the website operator;
- cookies used to customise appearance or functionality, such as accessibility or display preferences; and
- cookies used to enable emergency assistance, such as location data for emergency services.
In relation to the first two exemptions, the website operator must provide clear and comprehensive information about the purpose of the tracking and a new right to opt out free of charge. In addition, the means by which a subscriber or user may signify their consent to cookies now include amending or setting controls on the internet browser which the subscriber or user uses, or using another application or programme. Even with the new exceptions, where information is collected and shared with third parties for advertising purposes, this will still be caught by the general PECR prohibition and will still require user consent.
Penalties
One of the most significant changes under the DUAA is the increase in PECR penalties. The maximum fine for breach of cookie and electronic marketing rules has been raised from £500,000 to £17.5m or 4% of global annual turnover, placing PECR on a par with UK GDPR enforcement.
Practical steps for businesses
With the DUAA cookie provisions in force now and ICO final guidance expected imminently, businesses might consider prioritising the following actions:
- conduct an audit of cookies and tracking technologies to check if a new exemption applies;
- update cookie notices or banners/privacy information to reflect new exemptions and consent requirements;
- review consent mechanisms - where consent is still required, ensure non‑essential cookies are blocked by default;
- align PECR and GDPR governance - ensure records of processing (ROPAs) reflect cookie‑based processing where personal data is involved and update DPIAs where analytics or tracking significantly affect individuals; and
- monitor ICO guidance and enforcement.
The new DUAA cookie rules offer greater flexibility for low‑risk uses while substantially increasing the consequences of non-compliance with a new penalty regime, as discussed above. There are practical steps to take now while the final ICO guidance is awaited, and we will be monitoring that guidance. For further information on the key changes brought in by the DUAA, see our article The Data (Use and Access) Act 2025: key reforms in force.