Storage and access technologies ("cookies" to most people) remain a top priority for regulators in the EU and UK. Enforcement activity is constantly on the rise, and the combination of new guidance and legislative change continues to reshape the compliance landscape. The recent entry into force of the Data (Use and Access) Act 2025 (DUAA) in the UK brings some clarity to particular use cases, along with some new challenges for organisations to address (particularly from a UX perspective) which will require close coordination between in-house legal teams and their product and web engineers. Take a look at the following quick summary, or, if you don't have time, check out the table below for an even quicker snapshot.
Consent or "Strictly Necessary"?
The rules governing cookies in the UK and EU began life in the ePrivacy Directive (transposed into UK law through the PECR, or the Privacy and Electronic Communications Regulations 2003 if you're being more formal). Under this regime, cookies can only be stored on a user's device if:
- GDPR-style consent has been obtained;
- required for the transmission of a communication; or
- strictly necessary for the provision of a service requested by the user.
In practice, this means that most cookies, especially those used for analytics, advertising or personalisation purposes, are wholly reliant upon user consent.
Changes under the DUAA
The DUAA doesn't completely rewrite the UK's cookie rules, but it does add some complexity to rules which are already fairly opaque and subject to a wide degree of interpretation:
- Clarifying "strictly necessary": The DUAA provides a non-exhaustive list of examples of strictly necessary cookies. This includes cookies used to protect user data, ensure device security, prevent fraud or technical faults, support authentication or remember user inputs. While these examples largely reflect existing practice, their codification offers welcome confirmation.
- New exemptions: The most significant change (which we expect to require some clever CMP rejigging) is the introduction of three new categories of cookies below which, on the face of it, appear similar in nature to the types of cookies many organisations would consider as falling into the strictly necessary bucket:
- Emergency assistance: Cookies used to determine a user's location if they request emergency assistance. No consent is required here, so we think this can be treated in the same manner as a strictly necessary cookie.
- Statistical purposes: Cookies used to collect information for statistical purposes, such as website analytics. Again, no consent is required here; these cookies may instead be provided on an opt-out basis.
- Appearance: Cookies used to adapt or enhance website/app appearance or functionality based on a user's preferences, such as choosing a specific language or font size. As with statistics, no consent is required, but users must be given the opportunity to opt out of these cookies being dropped on their devices.
What does this mean in practice?
The introduction of the new opt-out style of cookie creates a bit of a headache for users and engineers alike. Being able to provide meaningful yet succinct information on the ways these cookies operate, in a way that doesn't seriously impede the user experience, is going to be a huge challenge:
Cookie category | Consent required? | Opt-out required?
---|---|---
Strictly necessary | ❌ | ❌
Emergency assistance *new* | ❌ | ❌
Statistical purpose *new* | ❌ | ✔️
Appearance *new* | ❌ | ✔️
All other cookies (including advertising, personalisation etc.) | ✔️ | ❌*

*GDPR right to withdraw consent applies.
UX implications
This new model will have a significant impact on how organisations design their cookie banners and user interfaces. Adapting to the approach outlined above will require more sophisticated consent management solutions, particularly if an opt-out model is implemented for certain cookies while others require consent. This new three-tier system is also likely to be disappointing news to many, given the general trend in recent years of categorising lower-risk analytics cookies as strictly necessary (especially in view of recent guidance in Spain and France). The ICO has already published draft guidance on the new rules which is out for consultation until 26 September 2025; feedback can be submitted here or via email to StorageAndAccess@ico.org.uk. What isn't yet clear is when the new rules will come into force (although we expect it to be early to mid 2026, as the new guidance isn't due to be finalised until winter 2025).
The enforcement stakes are higher than ever
Non-compliance with PECR will no longer max out at a £500,000 fine. Instead, organisations could now face penalties as high as £17.5 million or 4% of global annual turnover, whichever is greater, aligning PECR sanctions squarely with those under the UK GDPR. In other words, the stakes for getting it wrong have never been higher.
Key takeaways
- The UK's DUAA introduces a more nuanced approach, allowing certain cookies to be set without consent if users can opt out.
- Once the draft guidance is finalised, organisations should review and update their cookie banners and consent mechanisms to reflect the new three-tiered model. This may mean that some cookies need to be re-categorised to reflect the new exemptions under UK law (security, fraud, remembering user inputs etc.).
- There is still time to plan an appropriate approach, as the new cookie rules will only take effect once implemented through secondary legislation, which as mentioned above is unlikely to be until 2026. We hope by this time that there will be clear guidance on how organisations can design and publish cookie banners which are both user and business friendly.
- As a reminder, in the EU the rules remain as they were, but in certain jurisdictions regulators are growing increasingly comfortable with the notion of certain analytics and measurements falling within the "strictly necessary" confines.