It simply happened as the Data (Use and Access) Act 2025 (DUAA) brought most of its PECR reforms into force. If your cookie setup was last reviewed under the old £500K ceiling, the risk exposure it carries has multiplied by 35.
Your legal team may have flagged the DUAA during its passage through Parliament, but the PECR-specific changes are operationally distinct from the broader data protection reforms: they are in force now, they apply to every website with UK users, and most of the implementation guidance only landed in mid-2026. This article covers exactly what changed, what still requires consent, and the steps your compliance or marketing team needs to take before the next ICO audit cycle.
Key takeaways
- Four categories of cookies are now exempt from the prior-consent requirement under PECR: analytics, functionality, security, and software update cookies — but each exemption has strict conditions that must all be met simultaneously.
- The analytics exemption is not a blanket permission for GA4 or any third-party measurement tool. It applies only when data stays on your own website, is not shared with any third party, does not cross-track users, and you provide a clear opt-out mechanism at all times.
- The PECR fine cap increased from £500,000 to £17.5 million or 4% of global annual turnover (whichever is greater), bringing cookie enforcement to the same level as UK GDPR enforcement.
What changed on February 5, 2026
The DUAA received Royal Assent on June 19, 2025. The data protection and PECR provisions were brought into force in stages, with the most significant cookie changes taking effect on February 5, 2026, via the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026.
Before that date, UK PECR required prior, informed consent for all non-essential cookies, with no categorical exemptions beyond strictly necessary cookies. The DUAA inserts Schedule A1 into PECR, creating four new exempt categories:
| Cookie category | Exempt from prior consent? | Key condition |
|---|---|---|
| Analytics / statistical | Yes | Own-site only, no third-party sharing, opt-out provided |
| Functionality | Yes | Only enhances user experience, not used for targeting |
| Security | Yes | Solely detects malicious activity or verifies authenticity |
| Software update | Yes | Only delivers or verifies software updates |
| Advertising / targeting | No | Consent still required |
| Social media tracking | No | Consent still required |
| Cross-site profiling | No | Consent still required |
The last three rows have not changed. The DUAA did not touch the consent requirement for advertising, retargeting, or any cross-context tracking technology. If you load Meta Pixel, Google Ads remarketing tags, or LinkedIn Insight Tag, you still need prior consent. For a full breakdown of what counts as a non-essential cookie and how to implement consent for each category, the GDPR cookie consent implementation guide covers the technical and legal requirements that apply regardless of whether you are on the UK or EU framework.
The analytics exemption in detail
The analytics exemption is the one most organizations will try to use, and it is the one most likely to be misapplied. The ICO has set four conditions, and all four must be met simultaneously:
- Own-website only. The analytics tracking must measure activity on your own website or app. Tools that aggregate data across multiple domains, send data to a network, or are operated by a third party on your behalf do not qualify, even if the data nominally flows back to you.
- No cross-site tracking. The cookie must not follow users across other websites or apps. Any identifier that persists beyond your own domain is out of scope.
- No third-party sharing. The data collected must not be shared with any third party, including analytics vendors, advertising networks, or measurement partners. A standard GA4 implementation sends data to Google's servers. That is third-party data sharing. GA4 does not qualify for the exemption unless you are running a fully self-hosted, first-party analytics solution where data never leaves your infrastructure.
- Opt-out mechanism. Users must be able to opt out of analytics tracking at any time. The opt-out must be clear, visible, free, and accessible without navigating through multiple steps. This is not a banner interaction — it must be a persistent, accessible control, not just something buried in your privacy policy.
The practical consequence: most off-the-shelf analytics implementations, including standard GA4, Adobe Analytics, and Matomo in cloud mode, do not meet conditions 1 and 3 simultaneously. Organizations that assumed the DUAA's analytics exemption solved their consent banner problem for measurement tools need to reassess.
A first-party analytics solution — where all data is processed on infrastructure you control, under your own domain, with no external vendor receiving the raw event stream — can qualify. But confirming that requires a technical review of your specific setup, not an assumption.
The complaints procedure: in force since June 19, 2026
A second DUAA change that took effect more recently affects all organizations processing UK personal data. From June 19, 2026, one year after Royal Assent, organizations must have a formal data protection complaints procedure in place before individuals can escalate to the ICO.
The procedure must include:
- A submission mechanism — a web form or email address where individuals can submit data protection complaints
- Formal acknowledgment of every complaint received
- A substantive response or status update within 30 days
- Records of all complaints and how each was handled
This requirement changes the ICO complaints pathway. Previously, an individual unhappy with a cookie consent implementation could go directly to the ICO. Now they must first submit a complaint to the organization and wait for the 30-day response window before the ICO will consider the matter. For compliance teams, this means your complaints inbox is now a formal regulatory function, not a customer service channel.
UK vs EU: what diverges now
The DUAA creates meaningful divergence from the EU's GDPR and ePrivacy Directive. Organizations operating in both markets need to track the split.
| Requirement | UK (PECR + DUAA) | EU (GDPR + ePrivacy) |
|---|---|---|
| Analytics cookies | Exempt with opt-out (if conditions met) | Consent required |
| Functionality cookies | Exempt | Consent required if non-essential |
| Security cookies | Exempt | Consent required if not strictly necessary |
| Max cookie fine | £17.5M / 4% turnover | €20M / 4% turnover |
| Consent for advertising | Still required | Still required |
| Pre-complaint escalation to regulator | Required (30-day window) | Not required |
If you operate a single consent management platform for both UK and EU users, the safe approach is to continue applying the EU standard to all users — consent-by-default for analytics. The DUAA exemption creates an option to simplify UK-only flows, not a mandate to remove consent from your EU implementation.
Two less-noticed DUAA changes that affect more organizations than the exemptions
Expanded PECR scope ("instigate"). The DUAA amends PECR to cover not just organizations that directly set or access cookies, but also those that "instigate" the storage of or access to information on a user's terminal equipment. This change catches organizations that fire cookies through third-party tag managers or affiliate pixels that act technically on behalf of another party. If your tag management setup triggers third-party cookies, you are in scope regardless of who technically executes the set operation.
Multi-purpose cookie conflicts. A cookie that qualifies for one of the DUAA exemptions loses that exempt status if it simultaneously serves a non-exempt purpose. An analytics cookie that also feeds data into an advertising targeting model does not qualify for the analytics exemption, even if the primary use is statistical. If the same cookie or technology performs both an exempt and a non-exempt function, consent is required. Review your cookie inventory for dual-purpose identifiers before relying on any exemption.
What your compliance team needs to review
If you run analytics on UK users: Audit whether your analytics setup meets all four DUAA conditions. If it does not, continue treating analytics cookies as requiring consent. If it does, update your cookie notice to disclose the analytics use and add a visible, persistent opt-out mechanism — the exemption does not remove your notice obligation, it removes the pre-consent requirement.
If you have not updated your cookie notice since January 2026: Add the new exempt categories (analytics, functionality, security, software update), clarify which of your actual cookies fall into each category, and make clear which cookies still require consent.
For your complaints handling: Ensure you have a documented procedure in place, a submission mechanism (web form or email), and a process for logging, responding within 30 days, and retaining records. This is now a legal requirement, not a best practice.
Review your fine exposure: The £17.5M ceiling applies to PECR violations including cookie consent failures. Your risk assessment for cookie compliance should be updated to reflect the new enforcement ceiling before the ICO's next audit cycle.
Secure Privacy's Cookie & Consent Solution supports UK-specific consent configurations, including separate UK and EU consent flows, opt-out mechanism management, and audit-ready consent records. Organizations running a combined UK/EU implementation can segment consent logic by jurisdiction without maintaining two separate banner deployments.
For a detailed breakdown of what your cookie notice must contain under both PECR and UK GDPR, the UK GDPR cookie consent guide covers the full disclosure requirements.
Frequently asked questions
Does the DUAA analytics exemption apply to GA4?
Standard GA4 does not qualify. GA4 sends event data to Google's servers, which constitutes third-party data sharing. The exemption requires that analytics data is not passed to any third party. A fully self-hosted first-party analytics solution where data never leaves your own infrastructure can qualify, but standard cloud-based GA4 and most enterprise analytics platforms do not.
Do we still need a cookie banner for UK users after the DUAA?
Yes, for any cookies that still require consent — advertising, targeting, and cross-site tracking cookies are unaffected by the DUAA and still require prior consent. The DUAA reduces the number of cookies requiring pre-consent, but it does not eliminate the consent requirement for non-essential tracking technologies.
What does the opt-out requirement mean if we use the analytics exemption?
You must provide a clear, accessible mechanism that lets users disable analytics tracking at any time without cost or complexity. This is not satisfied by a link to your privacy policy. The ICO expects a persistent, visible control — such as a preference center or an in-page opt-out toggle — that users can access on any visit without having to search for it.
Our consent banner was last reviewed in 2024. What specifically needs to change?
Update your cookie inventory and categorization to reflect the DUAA exempt categories. Update your cookie notice to accurately describe which cookies require consent and which are now exempt (and under what conditions). Verify your fine-exposure estimate reflects the new £17.5M ceiling. Add a formal data protection complaints procedure with a 30-day response commitment and a documented record-keeping process.
Does the DUAA apply to non-UK companies that have UK website visitors?
Yes. PECR applies to any organization placing cookies or similar technologies on the devices of UK-based users, regardless of where the organization is established. The DUAA's changes to PECR carry the same territorial scope.
How does the 30-day complaints procedure interact with Subject Access Requests?
The complaints procedure is separate from the DSAR process. The 30-day complaints window applies to data protection complaints. SARs continue to have their own one-month response deadline under UK GDPR Article 12. An individual submitting both a complaint and a SAR simultaneously triggers both timelines independently.




