ICO Updates Cookie Consent Rules Under the Data (Use and Access) Act — What Organisations Need to Do Now

admin
7 min read · Apr 4, 2026

What’s Changed

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and key data protection provisions — including significant changes to the Privacy and Electronic Communications Regulations (PECR) — came into force on 5 February 2026.

For UK organisations, the most immediately practical change is the introduction of five new categories of cookies and similar technologies that are exempt from the consent requirement under PECR. This is a notable relaxation of the “consent for all non-essential cookies” rule that has applied since PECR was amended in 2011.

However, the DUAA also significantly increases PECR penalties and expands the scope of PECR — meaning that getting cookie compliance wrong carries higher risks than before.

For the official ICO guidance on what the DUAA means for organisations, see: ICO: The Data (Use and Access) Act 2025 — what does it mean for organisations?


Who Is Affected

The PECR changes under the DUAA apply to any organisation that:

  • Operates a website or app accessible to UK users that uses cookies or similar tracking technologies
  • Uses analytics, advertising, or functional technologies on their digital properties
  • Sends electronic marketing to individuals (businesses or consumers)
  • Stores or accesses information on users’ terminal equipment, which now includes the broader concept of “instigating” such storage or access through a third party (see below)

In practice, this means virtually every UK organisation with a digital presence needs to review its cookie compliance position in light of the DUAA changes.


New Requirements in Detail

Five New PECR Cookie Consent Exemptions

From 5 February 2026, the following categories of cookies and similar technologies no longer require consent under PECR:

  1. Analytics cookies: cookies used solely to collect statistical information about how users interact with a website or app, where this information is used only by the operator of the website or app
  2. Security cookies: cookies necessary for the security of the service, including detecting malicious activity, fraud prevention, and authentication
  3. Functionality cookies: cookies that enable the service to remember choices made by the user (such as language preferences, region, or accessibility settings)
  4. Software update cookies: cookies used to deliver software updates to connected devices or to check whether updates are needed
  5. Interface customisation cookies: cookies used to customise the user interface of a service (such as font size or colour scheme)

Important caveats: These exemptions apply only where the cookies in question are used solely for the specified purpose. Analytics cookies that also feed into advertising targeting, for example, would not qualify. Organisations must carefully assess whether their actual cookie use genuinely falls within an exempted category — purpose limitation is key.

For further analysis of the new exemptions, see: Clifford Chance: Key aspects of the Data (Use and Access) Act take effect

Expanded PECR Scope — “Instigating” Now Covered

The DUAA expands the scope of PECR beyond organisations that directly set or access cookies. The regime now also covers organisations that “instigate” the storage of or access to information on terminal equipment. This means that if your organisation instructs a third party (such as an analytics provider or advertising platform) to set cookies on your behalf, you may be in scope — even if you do not directly set the cookies yourself.

This expansion catches more organisations and more business models within PECR’s scope. Organisations that use third-party tag managers, marketing platforms, or analytics services should review their arrangements.

For analysis, see: DLA Piper: UK commencement of the data protection provisions in the Data (Use and Access) Act

Significantly Increased PECR Fines

The DUAA raises the maximum PECR fines to UK GDPR levels:

  • Up to £17.5 million or 4% of global annual turnover (whichever is higher)

Previously, the maximum PECR fine was £500,000. This 35-fold increase in the maximum penalty makes PECR compliance — including cookie consent — a genuinely high-stakes matter for any organisation.

Formal Complaints Handling Duty

From 19 June 2026, organisations must have a formal data protection complaints procedure in place. This is a new operational requirement: organisations will need to document how they receive, process, and respond to data protection complaints from individuals.


Implementation Timeline

  • DUAA receives Royal Assent: 19 June 2025
  • Key data protection provisions commence: 5 February 2026
  • New PECR cookie exemptions take effect: 5 February 2026
  • PECR fines raised to UK GDPR levels: 5 February 2026
  • Formal complaints handling duty: 19 June 2026
  • ICO updated cookie guidance expected: TBC (monitor ico.org.uk)

For a full commencement dates overview, see: Kennedy’s Law: The Data (Use and Access) Act 2025 — commencement dates and planned guidance for 2026


What Managers Need to Do Now

HR Teams

  • Update your privacy and data protection policies to reflect the DUAA changes, including the new PECR scope and the complaints handling duty coming into force in June 2026.
  • Review intranet and employee-facing platforms that use cookies or analytics — confirm whether existing consent mechanisms need updating to reflect the new exemptions.
  • Brief employees on the new complaints handling duty. All staff who interact with data subject requests need to know what to do when a complaint is received.
  • Ensure training is current. The DUAA represents a substantive change to UK data protection law — existing UK GDPR and PECR training may need refreshing.

Senior Leadership

  • Treat the new PECR fine levels as a board-level risk. At up to £17.5m or 4% of global turnover, PECR violations — including cookie consent failures — now carry the same financial exposure as UK GDPR breaches. Ensure your governance framework reflects this.
  • Commission a PECR and cookie audit. In light of the DUAA changes, task your DPO or data protection lead with a review of all cookies and tracking technologies in use, confirming which fall within the new exemptions and which still require consent.
  • Establish your complaints procedure now. The June 2026 deadline for a formal complaints handling process is approaching. This requires documented processes, assigned responsibilities, and an audit trail — not just an email inbox.
  • Monitor ICO guidance. The ICO has indicated it will issue updated cookie guidance — ensure your organisation is subscribed to ICO updates and that any new guidance is assessed and acted upon promptly.

Marketing

  • Review your cookie consent banner and consent management platform (CMP). With the new analytics cookie exemption in force, you may be able to simplify your cookie banner — removing the consent requirement for genuinely first-party analytics cookies. However, this change must be implemented accurately: do not remove consent requirements for cookies that are also used for profiling or advertising.
  • Audit your analytics setup. Confirm whether your analytics cookies qualify for the new exemption — particularly if you share analytics data with third parties or use it for purposes beyond statistical analysis of your own site.
  • Do not conflate analytics and advertising. The analytics cookie exemption is narrow. Cookies that serve both an analytics function and an advertising targeting function do not qualify. Mixed-purpose cookies still require consent.
  • Review your tag manager configuration. The expanded “instigating” scope means that instructions sent via tag managers to third-party advertising and analytics platforms may now bring those third-party activities into your PECR obligations.
  • Update your cookie notice. Ensure your published cookie policy accurately reflects which cookies require consent and which are now exempt, and update it promptly when you implement changes.
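The banner and tag-manager points above come down to one rule: a tag may run without consent only if every purpose its cookies serve falls within an exempt category, and analytics only if the data stays with the operator. The following is an added example, not code from the article, the ICO, or any consent-management or tag-manager vendor. It assumes a tag registry in which each tag declares its purposes and whether its data is shared with third parties; the purpose labels mirror the five categories listed earlier, and the tags themselves are constructed for the demo, not real vendors. The gate fails closed: anything not covered by an exemption is blocked until the user has consented to all of its purposes, so a mixed analytics-plus-advertising tag never slips through on the analytics exemption.

```javascript
// Added example: purpose-based consent gate for a tag loader.
// Not code from the article, the ICO, or any CMP/tag-manager product.
// Assumption: each tag declares the purposes its cookies serve and whether
// the resulting data is shared beyond the site operator.

// Purpose labels assumed here; they mirror the five exempt categories above.
const EXEMPT_PURPOSES = new Set([
  "analytics",               // solely statistical, used only by the operator
  "security",                // fraud/abuse detection, authentication
  "functionality",           // remembering user choices
  "software_update",         // delivering or checking for updates
  "interface_customisation", // font size, colour scheme
]);

// Constructed tag registry (hypothetical tags, not real vendors).
const TAGS = [
  { id: "first-party-analytics", purposes: ["analytics"],                sharedWithThirdParties: false },
  { id: "shared-analytics",      purposes: ["analytics"],                sharedWithThirdParties: true  },
  { id: "ads-plus-analytics",    purposes: ["analytics", "advertising"], sharedWithThirdParties: true  },
  { id: "bot-detection",         purposes: ["security"],                 sharedWithThirdParties: false },
  { id: "language-preference",   purposes: ["functionality"],            sharedWithThirdParties: false },
];

// A tag is exempt only when every declared purpose is exempt AND, for
// analytics, the data is used solely by the operator.
function classifyTag(tag) {
  const nonExempt = tag.purposes.filter((p) => !EXEMPT_PURPOSES.has(p));
  if (nonExempt.length > 0) {
    return { exempt: false, reason: `non-exempt purpose(s): ${nonExempt.join(", ")}` };
  }
  if (tag.purposes.includes("analytics") && tag.sharedWithThirdParties) {
    return { exempt: false, reason: "analytics data not used solely by the operator" };
  }
  return { exempt: true, reason: "all purposes within an exempt category" };
}

// consent: Set of purposes the user agreed to (empty before any choice, or
// after a refusal). Non-exempt tags load only with consent to ALL their purposes.
function decideTags(tags, consent) {
  return tags.map((tag) => {
    const { exempt, reason } = classifyTag(tag);
    if (exempt) return { id: tag.id, load: true, basis: "exemption", reason };
    const consented = tag.purposes.every((p) => consent.has(p));
    return { id: tag.id, load: consented, basis: consented ? "consent" : "blocked", reason };
  });
}

function decisionFor(tags, consent, id) {
  return decideTags(tags, consent).find((d) => d.id === id);
}

// Tags that may run before any consent signal: the ones a banner need not gate.
function exemptTagIds(tags) {
  return tags.filter((t) => classifyTag(t).exempt).map((t) => t.id);
}

// Demo: no consent, analytics-only consent, then analytics + advertising.
if (typeof require !== "undefined" && require.main === module) {
  const scenarios = [new Set(), new Set(["analytics"]), new Set(["analytics", "advertising"])];
  for (const consent of scenarios) {
    console.log(`consent=${[...consent].join(",") || "(none)"}`);
    for (const d of decideTags(TAGS, consent)) {
      console.log(`  ${d.load ? "LOAD " : "BLOCK"} ${d.id} [${d.basis}] ${d.reason}`);
    }
  }
}
```

The point of `classifyTag` returning a reason is auditability: the cookie audit recommended above can be generated from the same registry the loader uses, so the published cookie notice and the runtime behaviour cannot drift apart. Note that `shared-analytics` is blocked without consent even though its only purpose is analytics, because the exemption turns on who uses the data, not on the label.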

For a practical overview of what organisations need to do, see: Bird & Bird: UK GDPR — UK privacy reform is finally going live


Recommended Training

Is your organisation prepared for the DUAA changes? Our UK GDPR & PECR Compliance Training covers the updated cookie consent framework, the DUAA changes, and what your teams need to do to stay compliant. For marketing and digital teams, our Cookie Consent and Digital Privacy for Marketers module provides practical, role-specific guidance on implementing compliant consent mechanisms.
