ICO Updates Cookie Consent Rules Under the Data (Use and Access) Act — What Organisations Need to Do Now

Scott Dooley
Apr 4, 2026 · Last updated: April 7, 2026

What’s Changed

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025 and key data protection provisions — including significant changes to the Privacy and Electronic Communications Regulations (PECR) — came into force on 5 February 2026.

For UK organisations, the most immediately practical changes are the introduction of three new categories of cookies and similar technologies that are now exempt from the consent requirement under PECR. This is a notable relaxation of the existing “consent for all non-essential cookies” rule that has been in place since the PECR were amended in 2011.

However, the DUAA also significantly increases PECR penalties and expands the scope of PECR — meaning that getting cookie compliance wrong carries higher risks than before.

For the official ICO guidance on what the DUAA means for organisations, see: ICO: The Data (Use and Access) Act 2025 — what does it mean for organisations?


Who Is Affected

The PECR changes under the DUAA apply to any organisation that:

  • Operates a website or app accessible to UK users that uses cookies or similar tracking technologies
  • Uses analytics, advertising, or functional technologies on their digital properties
  • Sends electronic marketing to individuals (businesses or consumers)
  • Processes data via terminal equipment — which now includes the broader concept of “instigating” storage or access (see below)

In practice, this means virtually every UK organisation with a digital presence needs to review its cookie compliance position in light of the DUAA changes.


New Requirements in Detail

Three New PECR Cookie Consent Exemptions

From 5 February 2026, the following categories of cookies and similar technologies no longer require consent under PECR:

| # | Category | Description |
|---|----------|-------------|
| 1 | Statistical (analytics) cookies | Cookies used solely to collect statistical information about how users interact with a website or app, where this information is used only by the operator of the website or app |
| 2 | Appearance (interface customisation) cookies | Cookies used to customise or adapt the display of a service to user preferences (such as font size, colour scheme, or accessibility settings) |
| 3 | Emergency assistance cookies | Cookies used to identify the location of a user for the purpose of providing emergency assistance (e.g. emergency services geolocation) |

Important caveats: These exemptions apply only where the cookies in question are used solely for the specified purpose. Analytics cookies that also feed into advertising targeting, for example, would not qualify. Organisations must carefully assess whether their actual cookie use genuinely falls within an exempted category — purpose limitation is key.

For detailed ICO guidance on the new exemptions, see: Clifford Chance: Key aspects of the Data (Use and Access) Act take effect

Expanded PECR Scope — “Instigating” Now Covered

The DUAA expands the scope of PECR beyond organisations that directly set or access cookies. The regime now also covers organisations that “instigate” the storage of or access to information on terminal equipment. This means that if your organisation instructs a third party (such as an analytics provider or advertising platform) to set cookies on your behalf, you may be in scope — even if you do not directly set the cookies yourself.

This expansion catches more organisations and more business models within PECR’s scope. Organisations that use third-party tag managers, marketing platforms, or analytics services should review their arrangements.

For analysis, see: DLA Piper: UK commencement of the data protection provisions in the Data (Use and Access) Act

Significantly Increased PECR Fines

The DUAA raises the maximum PECR fines to UK GDPR levels:

  • Up to £17.5 million or 4% of global annual turnover (whichever is higher)

Previously, the maximum PECR fine was £500,000. This 35-fold increase in the maximum penalty makes PECR compliance — including cookie consent — a genuinely high-stakes matter for any organisation.

Formal Complaints Handling Duty

From 19 June 2026, organisations must have a formal data protection complaints procedure in place. This is a new operational requirement: organisations will need to document how they receive, process, and respond to data protection complaints from individuals.


Implementation Timeline

| Milestone | Date |
|-----------|------|
| DUAA receives Royal Assent | 19 June 2025 |
| Key data protection provisions commence | 5 February 2026 |
| New PECR cookie exemptions take effect | 5 February 2026 |
| PECR fines raised to UK GDPR levels | 5 February 2026 |
| Formal complaints handling duty | 19 June 2026 |
| ICO updated cookie guidance expected | TBC — monitor ico.org.uk |

For a full commencement dates overview, see: Kennedys Law: The Data (Use and Access) Act 2025 — commencement dates and planned guidance for 2026


What Managers Need to Do Now

HR Teams

  • Update your privacy and data protection policies to reflect the DUAA changes, including the new PECR scope and the complaints handling duty coming into force in June 2026.
  • Review intranet and employee-facing platforms that use cookies or analytics — confirm whether existing consent mechanisms need updating to reflect the new exemptions.
  • Brief employees on the new complaints handling duty. All staff who interact with data subject requests need to know what to do when a complaint is received.
  • Ensure training is current. The DUAA represents a substantive change to UK data protection law — existing UK GDPR and PECR training may need refreshing.

Senior Leadership

  • Treat the new PECR fine levels as a board-level risk. At up to £17.5m or 4% of global turnover, PECR violations — including cookie consent failures — now carry the same financial exposure as UK GDPR breaches. Ensure your governance framework reflects this.
  • Commission a PECR and cookie audit. In light of the DUAA changes, task your DPO or data protection lead with a review of all cookies and tracking technologies in use, confirming which fall within the new exemptions and which still require consent.
  • Establish your complaints procedure now. The June 2026 deadline for a formal complaints handling process is approaching. This requires documented processes, assigned responsibilities, and an audit trail — not just an email inbox.
  • Monitor ICO guidance. The ICO has indicated it will issue updated cookie guidance — ensure your organisation is subscribed to ICO updates and that any new guidance is assessed and acted upon promptly.

Marketing

  • Review your cookie consent banner and consent management platform (CMP). With the new analytics cookie exemption in force, you may be able to simplify your cookie banner — removing the consent requirement for genuinely first-party analytics cookies. However, this change must be implemented accurately: do not remove consent requirements for cookies that are also used for profiling or advertising.
  • Audit your analytics setup. Confirm whether your analytics cookies qualify for the new exemption — particularly if you share analytics data with third parties or use it for purposes beyond statistical analysis of your own site.
  • Do not conflate analytics and advertising. The analytics cookie exemption is narrow. Cookies that serve both an analytics function and an advertising targeting function do not qualify. Mixed-purpose cookies still require consent.
  • Review your tag manager configuration. The expanded “instigating” scope means that instructions sent via tag managers to third-party advertising and analytics platforms may now bring those third-party activities into your PECR obligations.
  • Update your cookie notice. Ensure your published cookie policy accurately reflects which cookies require consent and which are now exempt, and update it promptly when you implement changes.

For a practical overview of what organisations need to do, see: Bird & Bird: UK GDPR — UK privacy reform is finally going live


Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.