Cookies remain at the heart of how you measure, market and personalise online experiences. Yet the rules that govern them continue to evolve, shaped by new legislation, active enforcement and growing expectations around user trust.
If you’re responsible for marketing, product, technical development or legal decisions in a scaling UK business, cookie compliance is not just a legal tick-box – it’s a cornerstone of how your brand earns confidence and credibility online. The Information Commissioner’s Office (ICO) has made it clear that consent practices are under the microscope, while the Data (Use and Access) Act 2025 (DUA Act) introduces the most significant updates to the UK’s data protection landscape in years.
If you need hands-on support to set your consent strategy, draft clear banner and preference wording, refresh your cookie and privacy policies, or prepare for the DUA Act rollout, our data protection solicitors can help you build a compliant and practical approach that fits your business.
We’ll consider the following:
- Understanding the legal framework
- When and how consent is required
- What a compliant banner looks like
- Analytics, advertising and social tracking
- Applying the rules beyond websites
- The DUA Act and what changes next
- Serving users in the EU
- Preparing for enforcement and audits
- Designing for trust, not just compliance
- How we can help
Understanding the legal framework
Three laws form the backbone of the UK’s cookie regime:
- The first is the Privacy and Electronic Communications Regulations (PECR), which govern any technology that stores or accesses information on a user’s device. If your website, app or connected service sets cookies, pixels or software development kits (SDKs), PECR applies.
- Next comes the UK GDPR, which governs what happens once those technologies begin to process personal data – for example, when analytics or advertising tools start to build user profiles.
- Finally, there is the DUA Act 2025, which updates both PECR and the UK GDPR. It does not replace them, but it does raise the maximum penalties for breaches to GDPR levels and introduces new powers to clarify when certain low-risk analytics tools might be used without consent. Those exemptions are not yet active, so until the ICO issues formal guidance, the current consent rules still apply.
Together, these laws determine when you can track users, what information you must give them, and how you must record and manage their consent. For a plain-English introduction, see our explainer on PECR for business.
When and how consent is required
The rule of thumb is clear: unless a cookie is strictly necessary for the service a user has requested – for example, keeping items in a shopping basket or maintaining a login session – you must obtain the user’s opt-in consent before setting it.
Consent must be a real choice. The ICO expects it to be freely given, informed and easy to refuse. Scrolling or continuing to browse does not count. Nor does hiding the 'reject' option behind extra clicks. The standard is now well-established: people must be able to accept or reject non-essential cookies with equal prominence, and they must be able to withdraw their consent later just as easily.
The regulator has repeatedly warned against 'dark patterns' that nudge users towards acceptance. In 2023, the ICO and the Competition and Markets Authority (CMA) published a joint paper on harmful designs that set out why fair and balanced consent interfaces are essential for compliance.
For clarity on what valid consent looks like under the UK GDPR, the ICO’s guidance on consent remains the key reference.
What a compliant banner looks like
A compliant cookie banner does more than meet legal tests; it signals transparency. The first layer should clearly explain what you want to set and why, giving people the chance to accept or reject all non-essential cookies immediately. The second layer – your preferences centre – should offer more detail about the types of cookies in use and the specific third parties involved.
Non-essential cookies, such as analytics and advertising tags, should not fire until the user has actively consented. Withdrawal of consent should be possible at any time, ideally through a visible control that allows users to revisit their preferences. This balance between clarity and control is now a key focus for the ICO and the CMA. Their position paper on harmful design highlights that fair presentation of options is not only good practice but a compliance requirement.
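The gating and withdrawal behaviour described above, as an added example that is not code from the original article: a small consent manager that holds back non-essential tags until the user has actively opted in, treats "accept all" and "reject all" as equal one-click actions, lets the user withdraw later, and keeps a timestamped log of every decision. The storage and tag-loading hooks are injected so the code runs under Node without a browser; in a real page you would pass `window.localStorage` and a loader that appends `<script>` elements. The category names, storage keys and function names are assumptions for the illustration.

```javascript
// Added example (not the article's code): consent-gated tag loading with
// equal-weight accept/reject, withdrawal, policy versioning and a decision log.
// Storage keys, category names and hook names are assumptions.

const NON_ESSENTIAL = ['analytics', 'advertising', 'social'];

function createConsentManager({ storage, loadTag, onRevoke = () => {}, policyVersion = 1, now = () => new Date() }) {
  const pending = new Map(); // category -> tags waiting for consent
  const fired = [];          // tags actually loaded, in order

  const readRecord = () => {
    const raw = storage.getItem('cookie_consent');
    const rec = raw ? JSON.parse(raw) : null;
    // A decision made under an older policy version is stale: ask again.
    return rec && rec.policyVersion === policyVersion ? rec : null;
  };

  const isAllowed = (category) => {
    const rec = readRecord();
    return rec !== null && rec.choices[category] === true;
  };

  // Non-essential tags register here; a tag fires now only if consent is already
  // on record, otherwise it waits. Strictly necessary cookies never go through this.
  const registerTag = (category, tag) => {
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    if (isAllowed(category)) { loadTag(category, tag); fired.push(tag); return true; }
    if (!pending.has(category)) pending.set(category, []);
    pending.get(category).push(tag);
    return false;
  };

  const record = (action, choices) => {
    const previous = readRecord();
    const entry = { policyVersion, action, choices, at: now().toISOString() };
    storage.setItem('cookie_consent', JSON.stringify(entry));
    const log = JSON.parse(storage.getItem('cookie_consent_log') || '[]');
    log.push(entry);                       // evidence of what was agreed, and when
    storage.setItem('cookie_consent_log', JSON.stringify(log));
    // Release queued tags for categories that are now allowed...
    for (const [category, tags] of [...pending]) {
      if (choices[category]) {
        tags.forEach((tag) => { loadTag(category, tag); fired.push(tag); });
        pending.delete(category);
      }
    }
    // ...and tell the page which categories were revoked, so it can expire the
    // vendor cookies those tags already set (a loaded script cannot un-run itself).
    const revoked = NON_ESSENTIAL.filter((c) => previous && previous.choices[c] && !choices[c]);
    if (revoked.length) onRevoke(revoked);
    return entry;
  };

  const all = (value) => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, value]));

  return {
    acceptAll: () => record('accept_all', all(true)),     // first-layer button
    rejectAll: () => record('reject_all', all(false)),    // first-layer button, same weight
    savePreferences: (choices) => record('save_preferences', { ...all(false), ...choices }), // second layer
    withdrawAll: () => record('withdraw', all(false)),    // persistent "cookie settings" control
    needsBanner: () => readRecord() === null,
    isAllowed,
    registerTag,
    firedTags: () => fired.slice(),
    consentLog: () => JSON.parse(storage.getItem('cookie_consent_log') || '[]'),
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed walk-through: tags register on page load, the user rejects, later
// enables analytics only in the preferences centre, then withdraws everything.
function demo() {
  const loads = [];
  const revoked = [];
  const cm = createConsentManager({
    storage: memoryStorage(),
    loadTag: (category, tag) => loads.push(`${category}:${tag}`),
    onRevoke: (categories) => revoked.push(...categories),
  });
  const analyticsFiredEarly = cm.registerTag('analytics', 'analytics.js');
  cm.registerTag('advertising', 'ads-pixel.js');
  cm.rejectAll();
  const loadsAfterReject = loads.length;
  cm.savePreferences({ analytics: true });
  const loadsAfterPreferences = loads.slice();
  cm.withdrawAll();
  return { analyticsFiredEarly, loadsAfterReject, loadsAfterPreferences, revoked,
           needsBanner: cm.needsBanner(), logLength: cm.consentLog().length };
}

// A consent recorded under policy version 1 is not reused once the policy changes.
function demoStalePolicy() {
  const storage = memoryStorage();
  createConsentManager({ storage, loadTag: () => {}, policyVersion: 1 }).acceptAll();
  return createConsentManager({ storage, loadTag: () => {}, policyVersion: 2 }).needsBanner();
}
```

The point of the design is that no non-essential tag has a code path that runs before `record` has stored an affirmative choice, and that withdrawal is the same single call as acceptance. Remember that revoking consent in storage does not remove cookies a vendor script has already written; the `onRevoke` hook exists so the page can expire them.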
Analytics, advertising and social tracking
Many businesses hope that analytics cookies might be exempt from the consent requirement, but under current ICO guidance, they are not. Even if analytics are limited to first-party data or run through a server-side setup, the ICO still treats them as non-essential unless they are genuinely required for a service. Until the government confirms new exceptions under the DUA Act, you should continue to seek consent before collecting analytics data.
Advertising and social-tracking technologies attract even closer scrutiny. Anything that profiles users, follows them across sites or builds lookalike audiences almost always needs consent in advance. “Legitimate interests” cannot justify setting or reading these cookies under PECR, and relying on it for subsequent data processing is rarely defensible when consent is the more appropriate basis.
Applying the rules beyond websites
The same principles extend beyond web browsers. Mobile apps, connected TVs and other smart devices also fall within PECR. Software development kits (SDKs) that store identifiers or read device information are treated as cookies for legal purposes, and fingerprinting techniques that identify devices without storing traditional cookies are equally in scope.
In practice, your consent experience should be consistent across platforms. Users should see the same clarity and have the same control, whether they’re on a website, a mobile app or another digital interface. Our article on data privacy for app developers provides deeper practical guidance.
The DUA Act and what changes next
The DUA Act received Royal Assent in June 2025, and its provisions are being phased in over the coming months. The most immediate impact for businesses is the increase in potential fines under PECR, bringing them into line with the UK GDPR. The government also intends to introduce targeted exemptions for certain low-risk analytics and service-improvement tools, but these changes will only take effect once secondary legislation and updated ICO guidance are published.
For now, the safest approach is to continue following existing ICO standards and monitor updates as the DUA framework is implemented. The ICO’s overview of what PECR covers and its UK GDPR hub are essential references, and you can verify status and timings directly via the DUA Act and the commencement plan. As always, legal advice is recommended to ensure you apply the law correctly.
Serving users in the EU
If your website or app attracts visitors from the EU or EEA, UK changes will not affect your obligations to those users. The EU ePrivacy Directive and EU GDPR continue to require consent for most analytics and advertising cookies, and European regulators interpret “cookies” broadly to include pixels, SDKs and other tracking technologies.
For clarity on the European position, see the European Data Protection Board’s Guidelines 2/2023. Many UK businesses therefore maintain a dual regime: one for UK users, reflecting domestic guidance, and one for EU users, aligned with EU law.
Preparing for enforcement and audits
The ICO has signalled that active review and enforcement are increasing as it tackles cookie compliance across the UK’s top 1,000 websites. Businesses should expect audits and spot checks, especially where banners are unclear or “reject” options are buried. Now is the time to review your setup: map every tag, cookie and SDK; check whether they fire before consent; ensure your cookie and privacy policies match what happens in practice; and update vendor contracts to reflect current responsibilities.
Record-keeping is equally important. Maintain logs of consents given, document your lawful bases for processing and make sure changes to your technology stack are reviewed before they go live. If you want a structured way to begin, explore our Data Protection Health Check, which helps you benchmark and prioritise compliance improvements.
Designing for trust, not just compliance
At its heart, cookie compliance is about respect – giving people genuine control over how their data is used. A well-designed consent experience is not only safer from an enforcement perspective but better for your brand. When users can understand what you’re doing, act on a clear choice and return later to change their mind without friction, they’re more likely to engage and less likely to complain.
Transparency builds confidence, and confidence builds loyalty.
How we can help
Our data protection solicitors work closely with marketing, product and technical development teams to turn legal requirements into clear, user-friendly practice. We can help you set your consent strategy, draft plain-English wording, refresh your cookie and privacy policies, complete Data Protection Impact Assessments and Records of Processing Activities, and renegotiate vendor terms as the DUA Act takes effect.
If you’d like to make cookie compliance straightforward, practical and future proof, get in touch with us.