Cookie Consent Changes Under the DUAA — What’s Shifting in 2026
The Data Use and Access Act 2025 (DUAA) commenced in February 2026 with significant changes to UK cookie law. The key update: PECR (which governs cookie placement) now includes five new exemptions from the consent requirement, and penalties for cookie violations increased from £500,000 to £17.5M or 4% of worldwide turnover.
This is a mixed picture. The new exemptions reduce the scope of cookies requiring consent, which theoretically makes compliance easier. But the penalty increase signals that enforcement is about to get stricter. And the exemptions are narrower than many businesses assume — most won’t qualify.
Here’s what changed and what you need to know.
The Five New DUAA Exemptions
The DUAA introduced five new exceptions to PECR’s consent requirement. Cookies meeting these criteria no longer require prior consent.
1. Analytics Cookies (Aggregate Statistics Only)
The exemption: Analytics cookies that process only aggregate statistics, with clear explanation and free opt-out, don’t require prior consent.
The catch: “Aggregate statistics only” is narrow. It means the analytics tool cannot track individual user journeys, set persistent identifiers for users, or enable retargeting. Most analytics tools don’t qualify.
Examples that might qualify:
- Plausible Analytics (aggregate-only, no individual tracking)
- Fathom Analytics (aggregate-only)
- Matomo if configured for server-side processing with no individual tracking
Examples that do NOT qualify:
- Google Analytics 4 (GA4) — sets persistent identifiers (_ga, _gid), tracks individual user journeys, enables remarketing
- Adobe Analytics — tracks individual users
- Hotjar — tracks individual user behavior and creates recordings
- Any tool that creates user profiles or enables retargeting
If you use standard Google Analytics, this exemption doesn’t apply. You still need consent.
The burden is on you to prove your analytics tool meets all three conditions that apply to every exemption (genuine necessity, clear explanation, free opt-out; see below). If you can't, consent is required.
2. Security Cookies
The exemption: Cookies used to detect, prevent, or mitigate fraud, security attacks, or unauthorized access don’t require prior consent.
What this covers: CSRF protection tokens, bot detection, DDoS mitigation, rate limiting, and similar security measures.
Examples: Login security tokens, Cloudflare security cookies, AWS WAF cookies, rate-limiting mechanisms.
Key point: These must be genuinely necessary for security. A cookie labeled “security” that’s actually used for analytics doesn’t qualify.
3. Functionality Cookies
The exemption: Cookies that enable or improve site functionality don’t require prior consent, provided they don’t process personal data for other purposes.
What this covers: Language preferences, accessibility settings (font size, high contrast mode), form state (shopping cart items, saved form data), site layout preferences.
What doesn’t qualify: A “functionality” cookie that also tracks user behavior, builds user profiles, or enables marketing. Once personal data is processed for marketing purposes, the exemption ends.
Examples that qualify: Language selector, accessibility toggle, shopping basket state.
4. Software Update Cookies
The exemption: Cookies used only for software updates or patches don’t require prior consent.
What this covers: Update checking, patch delivery, version management.
Key point: This is rare in typical website scenarios. More relevant for app-based services.
5. Interface Customization Cookies
The exemption: Cookies that remember user interface preferences (appearance, layout, theme) don’t require prior consent.
What this covers: Dark mode toggle, sidebar collapse state, column width preferences, theme selection.
What doesn’t qualify: Customization cookies that also track behavior. Once they’re used for purposes beyond interface customization, they require consent.
The Catch: Narrow Conditions Apply to All Five
For each exemption, three conditions must be met:
- Genuine necessity. The cookie must be genuinely necessary for the stated purpose. You can’t classify a marketing cookie as “functional” just to avoid consent.
- Clear explanation. Users must understand what the cookie does. This requires prominent disclosure, not buried in a privacy policy.
- Free opt-out. Users must be able to opt out easily, and opting out must not reduce functionality (except for security measures, where opting out may reduce security).
If any condition fails, consent is required.
What This Means: Most Sites Still Need Consent
If your site uses:
- Google Analytics (GA4) — Consent required
- Facebook Pixel — Consent required
- HubSpot analytics — Consent required
- Google Ads retargeting — Consent required
- LinkedIn tracking — Consent required
- Email service provider tracking — Consent required
You still need consent for all of these. The five new exemptions don’t apply to standard marketing and analytics tools.
The exemptions help primarily with:
- Aggregate analytics platforms (Plausible, Fathom)
- Security implementations (bot detection, fraud prevention)
- Accessibility and UI customization
- Software updates (mostly app-based)
If you’re relying on one of the exemptions, document why your cookie qualifies. If the ICO investigates and you can’t prove all three conditions are met, you’re in breach.
Penalties Increased Significantly
Before February 2026: PECR violations could attract fines up to £500,000.
After February 2026: PECR violations now attract the same penalties as UK GDPR breaches: up to £17.5M or 4% of worldwide turnover, whichever is higher.
This is a 35x increase for large businesses and signals a shift in enforcement posture.
What triggers enforcement?
- Customer complaints about pre-consent tracking
- Proactive ICO investigation (increasingly likely post-DUAA)
- Third-party reports or campaigns highlighting cookie violations
- Scope of violation (not a trigger in itself, but once enforcement starts, larger sites and more severe breaches receive higher fines)
For SMEs, the immediate risk isn’t a multi-million-pound fine. It’s a complaint-triggered investigation, which means:
- ICO sends an information notice (you must respond within 30 days)
- Investigation may reveal other data protection failures
- If breach is confirmed, you face a remediation order
- Reputational damage from regulatory involvement
New Liability Rules: “Instigators” Are Now Liable
The DUAA holds “instigators” of cookie violations directly liable. An instigator is someone who instructs or encourages a violation — typically third-party vendors (AdTech providers, social networks, ad networks).
What this means: If you use Facebook Pixel and Facebook hasn’t implemented proper consent blocking on its side, Facebook is now directly liable alongside you. This doesn’t exempt you, but it makes enforcement against large platforms more likely.
For SMEs, the practical effect is limited. You’re still liable for your own site’s compliance.
Section 103: Formal Complaints Procedure (19 June 2026)
Section 103 of the DUAA requires organizations to establish a formal complaints procedure for data subjects. This takes effect on 19 June 2026.
What you need:
- A published complaints procedure
- A designated contact or email for data subject complaints
- A process for recording and investigating complaints
- A timeline for responses (usually 30 days)
A simple addition to your privacy policy will suffice. Example: “If you have concerns about our use of cookies or personal data, email [contact email] with details. We will investigate and respond within 30 days.”
This is a low-lift requirement but a statutory obligation from June 2026.
Browser-Level Consent Signalling (Expected June 2026)
The DUAA introduces a framework for browser-level and device-level consent signals. The idea: instead of per-website cookie banners, users set consent preferences at the browser level, and websites read that signal.
Expected timeline: Framework expected by June 2026, but full implementation depends on browser vendors.
What this means for you: In the future, you may not need a per-site cookie banner if the user’s browser sends a valid consent signal. However, this is years away. For now, you still need a cookie banner.
What to do: Plan for this but don’t rely on it. Continue building compliant consent mechanisms. When browser-level signalling matures, you can reduce reliance on per-site banners.
Practical Implications
If Your Current Setup Is Compliant
You’re in a better position. The five exemptions don’t reduce your obligations (most won’t apply), but they clarify what was already expected. Continue quarterly audits and maintain documentation of your compliance approach.
If Your Current Setup Is Non-Compliant
The February 2026 changes increase your urgency, not your workload. Non-compliance is the same problem; enforcement is now more likely. Fix the fundamentals:
- Stop pre-consent tracking. Ensure non-essential cookies don’t fire before the user consents.
- Implement genuine choice. “Reject all” must be as prominent as “Accept all.”
- Update your policy. List each cookie with purpose, provider, and duration.
- Enable withdrawal. Add a persistent preference link.
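The two checks above that are mechanical, "does anything non-essential fire before consent?" and "does a cookie I call exempt actually have the three conditions recorded against it?", can be scripted. The following is an added example, not code from the original post: a pre-consent audit that classifies observed cookies against a documented inventory using the post's exemption categories, and a consent gate that runs exempt tags immediately but queues everything else until the matching category is granted. The inventory, the list of cookies observed before consent, and all cookie names other than _ga and _gid are constructed for illustration.

```javascript
// Added example, not code from the original post: a pre-consent cookie audit
// and a consent gate that refuses to run non-exempt tags until consent exists.
// Exemption categories mirror the post's list. The cookie inventory and the
// "observed before consent" list are constructed sample data; only _ga and
// _gid are cookie names the post itself mentions.

// The five DUAA exemptions. "strictly_necessary" is the pre-existing PECR
// exemption and is handled separately in isExempt().
const DUAA_EXEMPT = new Set([
  "aggregate_analytics", "security", "functionality",
  "software_update", "interface",
]);

// An inventory entry carries your documented assertions for the three
// conditions (necessary, disclosed, optOut). The audit can only check that
// they are recorded; proving them is the documentation the post asks for.
function isExempt(entry) {
  if (entry.necessary !== true) return false;
  if (entry.category === "strictly_necessary") return true;
  return DUAA_EXEMPT.has(entry.category)
    && entry.disclosed === true          // clear, prominent explanation
    && entry.optOut === true             // free opt-out
    && entry.profilesUsers !== true;     // individual tracking ends the exemption
}

// Cookies seen before any banner interaction (e.g. document.cookie on first
// load, or a headless crawl) checked against the inventory. Undocumented or
// non-exempt cookies are pre-consent violations.
function auditPreConsent(observedNames, inventory) {
  const byName = new Map(inventory.map((e) => [e.name, e]));
  const allowed = [];
  const violations = [];
  for (const name of observedNames) {
    const entry = byName.get(name);
    if (!entry) {
      violations.push({ name, reason: "not in cookie inventory" });
    } else if (!isExempt(entry)) {
      violations.push({ name, reason: `category '${entry.category}' needs prior consent` });
    } else {
      allowed.push(name);
    }
  }
  return { allowed, violations };
}

// Tags register with their inventory entry. Exempt entries run immediately;
// the rest are queued until grant() covers their category. withdraw() only
// blocks future runs: a script that already executed cannot be recalled,
// which is why blocking up front matters.
class ConsentGate {
  constructor() {
    this.granted = new Set();
    this.pending = new Map();
    this.ran = [];
  }
  register(entry, run) {
    if (isExempt(entry) || this.granted.has(entry.category)) {
      this.ran.push(entry.name);
      run();
      return;
    }
    const queue = this.pending.get(entry.category) || [];
    queue.push({ entry, run });
    this.pending.set(entry.category, queue);
  }
  grant(categories) {
    for (const category of categories) {
      this.granted.add(category);
      for (const { entry, run } of this.pending.get(category) || []) {
        this.ran.push(entry.name);
        run();
      }
      this.pending.delete(category);
    }
  }
  withdraw(category) {
    this.granted.delete(category);
  }
  pendingNames() {
    return [...this.pending.values()].flat().map((t) => t.entry.name);
  }
}

// Constructed sample inventory (names other than _ga/_gid are hypothetical).
const INVENTORY = [
  { name: "sessionid",  category: "strictly_necessary", necessary: true },
  { name: "csrf_token", category: "security", necessary: true, disclosed: true, optOut: true },
  { name: "lang",       category: "functionality", necessary: true, disclosed: true, optOut: true },
  { name: "theme",      category: "interface", necessary: true, disclosed: true, optOut: true },
  { name: "stats_agg",  category: "aggregate_analytics", necessary: true, disclosed: true, optOut: true },
  { name: "_ga",        category: "analytics", profilesUsers: true },
  { name: "_gid",       category: "analytics", profilesUsers: true },
  { name: "promo_vis",  category: "marketing", profilesUsers: true },
];

// Constructed capture of cookies present before the banner was answered.
const OBSERVED_PRE_CONSENT = ["sessionid", "csrf_token", "lang", "_ga", "_gid", "promo_vis", "unknown_xyz"];

// Walks the gate through first load, then an "accept analytics only" choice.
function demoGate() {
  const gate = new ConsentGate();
  const entry = (name) => INVENTORY.find((e) => e.name === name);
  gate.register(entry("csrf_token"), () => {});   // exempt: runs now
  gate.register(entry("_ga"), () => {});          // queued until analytics consent
  gate.register(entry("promo_vis"), () => {});    // queued until marketing consent
  const beforeConsent = [...gate.ran];
  gate.grant(["analytics"]);
  return { beforeConsent, afterConsent: [...gate.ran], stillPending: gate.pendingNames() };
}
```

Running `auditPreConsent(OBSERVED_PRE_CONSENT, INVENTORY)` on the constructed data flags _ga, _gid and promo_vis as needing prior consent and unknown_xyz as undocumented, while sessionid, csrf_token and lang pass. In a real deployment the observed list would come from `document.cookie` (or a headless browser capture) taken before any interaction with the banner, and the inventory would be the same cookie table you publish in your policy; keeping the two in one place is what makes the "document why it qualifies" step auditable.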
These steps cost the same before and after the DUAA. The difference is enforcement likelihood.
If You’re Considering an Analytics Exemption
Document your compliance approach. Keep records showing:
- Your analytics tool processes only aggregate statistics (or security cookies, or functional cookies, etc.)
- How users understand this (what disclosure you provide)
- How users can opt out
- Evidence that the tool actually meets these conditions
If you can’t provide this documentation, don’t rely on the exemption.
Timeline
| Date | Event | Action |
|---|---|---|
| February 2026 | DUAA Part 5 in force | Five exemptions take effect, £17.5M fines active |
| 19 June 2026 | Section 103 takes effect | Formal complaints procedure required |
| June 2026 | DUAA full implementation expected | Browser-level consent signalling framework |
| Ongoing | ICO enforcement evolving | Expect increased scrutiny of pre-consent tracking |
What to Do Now
- Review your current consent mechanism. Does it block pre-consent scripts? Does it offer genuine choice?
- Assess the five exemptions. Do any apply to your cookies? If you think analytics qualifies, document why.
- Update your complaints procedure. Add one to your privacy policy if you don’t have it already. This is required by 19 June 2026.
- Plan for browser-level signalling. It’s not happening yet, but it’s coming. Don’t redesign your consent mechanism around it, but be aware it’s on the horizon.
- Document your compliance approach. Keep records of your audit, your consent configuration, your cookie policy, and any exemptions you’re relying on.
For a comprehensive audit of your site’s cookie compliance under the updated DUAA rules, Bartram Web screens your site against current PECR standards and flags gaps. To stay informed about DUAA and other regulatory updates, subscribe to our fortnightly newsletter.
Updated 2026-03-23