The DUAA 2025 and Cookies: What Changed
The Data (Use and Access) Act 2025 amended PECR to exempt three narrow categories of low-risk cookies from consent, and raised the maximum fine to match UK GDPR. The cookie changes came into force on 5 February 2026. First-party analytics, interface appearance and emergency assistance no longer need prior consent, provided you meet the conditions. Advertising, marketing and cross-site tracking still need consent to the UK GDPR standard.
The Act relaxed a small band of cookies and made getting the rest wrong far more expensive. Both halves matter.
The three new exceptions
The DUAA 2025 added three exceptions to PECR. Two of them carry a condition: you must tell visitors and give them a simple, free way to object.
| Exception | What it covers | Condition |
|---|---|---|
| Statistical (first-party analytics) | Measuring how your own service is used, to improve it | Inform visitors and offer a simple, free opt-out. No advertising, profiling or cross-site tracking, and no data shared with a third party |
| Appearance and functionality | Remembering interface preferences such as language or dark mode | Inform visitors and offer a simple, free opt-out |
| Emergency assistance | Determining a user's location to provide emergency help | Rarely applies to commercial sites |
The statistical exception is narrower than it sounds. The moment analytics data goes to a third party, or feeds advertising, profiling or cross-site tracking, the exception falls away and consent applies again.
What still needs consent
Most tracking on a commercial site still needs prior consent:
- Advertising, marketing and retargeting cookies.
- Cross-site tracking and profiling.
- Third-party analytics, where data is shared with a provider such as Google. A standard Google Analytics setup shares data with Google, so it sits outside the first-party exception. See is Google Analytics GDPR compliant?.
Higher fines
The DUAA 2025 aligns PECR penalties with the UK GDPR. The maximum rises from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher, and the previous requirement to show substantial damage or distress is removed. The ICO has said it will issue new PECR enforcement guidance once the new regime is in force. See PECR fines and penalties.
Sources
- Data (Use and Access) Act 2025 (legislation.gov.uk)
- PECR (legislation.gov.uk)
- ICO guidance on storage and access technologies
Frequently asked questions
When did the DUAA 2025 cookie changes take effect? The cookie changes came into force on 5 February 2026. The ICO finalised its supporting guidance on 29 April 2026.
Do the new exceptions remove the need for a cookie banner? No. They exempt first-party analytics, interface preferences and emergency assistance on strict conditions. Advertising and cross-site tracking still need consent, so most commercial sites still need a banner. See UK cookie law explained.
What does the analytics exception actually cover? Analytics used only by you, to understand and improve your own service, with a simple free opt-out. It does not cover analytics shared with a third party or used for advertising.
Written by Tudor Rusmanica, founder of Consentfolio. Tudor has spent over a decade in agency SEO, working where search performance meets data protection: the analytics, tagging and consent setups that keep measurement useful and lawful. Connect on LinkedIn.
Published 13 July 2026. Reviewed against the DUAA 2025 and the ICO's April 2026 guidance. This guide is general information, not legal advice.