Guide

UK Cookie Law in 2026: PECR, the DUAA 2025 and Consent

By Published 13 July 2026

UK cookie law requires your website to obtain a visitor's consent before it sets non-essential cookies. The rules sit in the Privacy and Electronic Communications Regulations (PECR), amended by the Data (Use and Access) Act 2025 (DUAA 2025) from 5 February 2026. Consent must meet the UK GDPR standard: a freely given, informed choice, with rejecting cookies as easy as accepting them.

That one paragraph is the whole obligation. The rest of this guide explains where the line falls after the DUAA 2025, which cookies now sit outside consent, what the ICO expects from your banner, and what a breach costs.

Contents

Consent is the default. A cookie needs prior consent unless it falls inside one of five exceptions in PECR. The DUAA 2025 added three of them (Schedule A1 of PECR), which is the main change website owners need to understand.

Cookie purpose Consent needed? Basis
Strictly necessary (login, basket, security, load balancing) No PECR strictly necessary exception
Communication (transmitting data over a network) No PECR communication exception
First-party analytics, operator only No, if conditions are met New DUAA 2025 exception. You must tell users and offer a free opt-out. No advertising, profiling or cross-site tracking
Appearance and functionality (remembering UI preferences) No, if conditions are met New DUAA 2025 exception. You must tell users and offer a free opt-out
Emergency assistance No New DUAA 2025 exception
Advertising, marketing, retargeting, cross-site tracking Yes Prior consent to the UK GDPR standard
Third-party analytics (data shared with a provider, e.g. Google) Yes Falls outside the first-party analytics exception

The analytics exception is narrower than it looks. The ICO states it covers analytics about how your own service is used, by you alone. The moment the data goes to a third party or feeds advertising, profiling or cross-site tracking, consent applies again.

Sources: PECR (legislation.gov.uk), Data (Use and Access) Act 2025 (legislation.gov.uk), ICO guidance on storage and access technologies.

UK cookie law is the consent rule for cookies and similar technologies set out in Regulation 6 of PECR, read alongside the UK GDPR. PECR decides when you need permission to store or read information on a visitor's device. The UK GDPR sets the standard that permission has to meet.

"Cookies" is shorthand. The rule covers any storage and access technology: cookies, tracking pixels, local storage, device fingerprinting and tag-fired scripts. The ICO now uses "storage and access technologies" for exactly this reason, so a banner that only mentions cookies still has to account for pixels and fingerprinting.

Two regulators and instruments matter here. The ICO enforces PECR. Parliament amended PECR through the DUAA 2025. Everything below flows from those two.

What changed under the DUAA 2025?

The DUAA 2025 relaxed a narrow band of low-risk cookies and raised the cost of getting consent wrong. It came into force for cookies on 5 February 2026.

Three changes affect most websites:

  1. A first-party analytics exception. Cookies used solely to measure how your own site is used no longer need consent, provided you tell visitors and give them a free way to opt out. This exception does not cover advertising, profiling or cross-site tracking, and it does not cover analytics data shared with a third party.
  2. An appearance exception. Cookies that remember a visitor's interface preferences, such as language or dark mode, sit outside consent on the same information-and-opt-out terms.
  3. Higher fines. The Act aligns PECR penalties with the UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is higher, and it removes the requirement to show substantial damage or distress before the ICO acts. The ICO will issue new PECR enforcement guidance once the new regime is in force.

The DUAA 2025 also introduced an emergency assistance exception, which rarely applies to commercial sites.

What did not change matters as much. The EU has not relaxed its rules, so a site serving both UK and EU visitors still meets the stricter EU standard for its EU traffic. For a fuller breakdown, read the guide to the DUAA 2025 and cookies and the ICO's 2026 cookie guidance explained.

A compliant banner lets a visitor reject non-essential cookies as easily as they accept them, and sets nothing beyond the exempt categories until they choose. The ICO finalised this position in its April 2026 storage and access technologies guidance.

The ICO expects five things:

  • Equal prominence. A "reject all" option as visible and easy to click as "accept all". A banner that pushes "accept" over "reject" is non-compliant.
  • No pre-ticked boxes. Sliders set to "on" or opt-out defaults for non-essential cookies do not count as consent.
  • No consent by continued browsing. Scrolling or clicking through a page is not agreement.
  • Prior blocking. Non-exempt cookies and tags must not fire before the visitor consents. This is the technical heart of PECR compliance, and the reason a banner that appears after your analytics has already loaded fails.
  • No dark patterns. Hidden reject buttons, confusing wording and nudging all invalidate the consent you collect.

The ICO is reviewing "consent or pay" models separately, so treat that route as unsettled.

Getting equal prominence and prior blocking right is design and engineering work, not a legal footnote. See cookie banner design done right for the layout rules, and how to block Google Analytics until consent for the blocking side.

What are the penalties for getting it wrong?

The DUAA 2025 aligns the maximum PECR fine with the UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is higher, up from £500,000. It also removes the previous hurdle of proving substantial damage or distress, so the ICO can act on the breach itself. The ICO has said it will issue new PECR enforcement guidance once the new regime is in force.

Enforcement is real. The ICO ran a cookie compliance project against the UK's most-visited sites, took action against Sky Betting and Gaming in 2024 for setting advertising cookies without consent, and reported further compliance gains through 2025. The direction is more scrutiny, not less. The PECR fines guide covers the enforcement record in detail.

How to comply: a short checklist

  1. Audit your cookies. List every cookie, pixel and tag, and record who sets it and why.
  2. Categorise each one. Map it to the table above: exempt, or consent required.
  3. Block non-exempt cookies before consent. Nothing beyond the exempt set should fire on first load.
  4. Show a compliant banner. Equal-prominence accept and reject, no pre-ticked boxes, clear purposes.
  5. Record the consent. Keep a record you can show the ICO: what the visitor saw, what they chose, and when. See how to prove cookie consent.
  6. Send Google Consent Mode v2 signals if you run Google Analytics or Google Ads. See the Google Consent Mode v2 guide.
  7. Re-check when the law moves. UK and EU rules are diverging, so review annually.

Consentfolio runs a PECR-compliant banner, blocks trackers until consent, records provable consent for every domain, and sends Google Consent Mode v2 signals, from a single script tag.

Frequently asked questions

Do I need a cookie banner in the UK? Yes, if your site sets any non-essential cookie, which includes advertising, third-party analytics and most tracking. You only avoid a banner if every cookie you set is exempt. See do I need a cookie banner?.

Has the DUAA 2025 removed the need for a cookie banner? No. It exempted first-party, operator-only analytics and interface preferences on strict conditions. Advertising, marketing and cross-site tracking still need prior consent, so almost every commercial site still needs a banner.

Are Google Analytics cookies exempt now? Usually not. The first-party analytics exception covers analytics used only by you. Google Analytics shares data with Google, which takes a standard setup outside the exception, so consent still applies. Read is Google Analytics GDPR compliant in 2026?.

What makes a "reject all" button compliant? It has to be as prominent and as easy to use as "accept all". A hidden, greyed-out or extra-click reject option fails the ICO's equal-prominence test.

How long is cookie consent valid? UK law sets no fixed period. Common practice is to re-ask every 6 to 12 months, and whenever your cookies materially change. See how long to keep cookie consent records.

Does UK cookie law apply to EU visitors? For EU visitors you meet the EU standard, which the EU has not relaxed. A dual-regime site complies with both. See UK GDPR vs EU GDPR for cookies.


Written by Tudor Rusmanica, founder of Consentfolio. Tudor has spent over a decade in agency SEO, working where search performance meets data protection: the analytics, tagging and consent setups that keep measurement useful and lawful. He writes Consentfolio's guides on cookie consent, UK and EU cookie law, and Google Consent Mode v2. Connect on LinkedIn.

Published 13 July 2026. Last reviewed 13 July 2026 against PECR, the DUAA 2025 and the ICO's April 2026 storage and access technologies guidance. This guide is general information, not legal advice.

Questions? consentfolio.com · This guide is general information, not legal advice.