
Cookie consent rules: What your business needs to know 

Cookies remain at the heart of how you measure, market and personalise online experiences – making UK cookie consent compliance essential. Yet the rules that govern them continue to evolve, shaped by new legislation, active enforcement and growing expectations around user trust. 

If you’re responsible for marketing, product, technical development or legal decisions in a scaling UK business, cookie compliance is not just a legal tick-box – it’s a cornerstone of how your brand earns confidence and credibility online. Enforcement action by the Information Commissioner’s Office (ICO) has made it clear that consent practices are under the microscope, while the Data (Use and Access) Act 2025 (DUA Act) introduces targeted updates to the UK’s data protection landscape which could heavily affect how cookies are used in practice. 

If you need hands-on support to set your consent strategy, draft clear banner and preference wording, refresh your cookie and privacy policies, or prepare for the DUA Act rollout, our data protection solicitors can help you build a compliant and practical approach that fits your business. 

Understanding the legal framework 

Three laws form the backbone of the UK’s cookie regime: 

  • The key law is the Privacy and Electronic Communications Regulations (PECR), which governs any technology that stores or accesses information on a user’s device. If your website, app or connected service sets cookies, pixels or software development kits (SDKs), PECR applies. 
  • Next comes the UK GDPR, which governs what happens if those technologies process any personal data – for example, where the data you obtained via cookies can be linked to an individual’s name or email address, or used for behavioural advertising which could identify individuals.  
  • Finally, there is the DUA Act 2025, which introduces targeted updates to both PECR and the UK GDPR. It does not replace these laws, but it does raise the maximum penalties for breaches to UK GDPR levels and introduces new, narrowly defined exceptions under which certain low-risk cookies might be used without consent. Those exceptions are not yet in force, so until the new rules take effect you should follow the current consent rules and avoid relaxing your current practices. 

Together, these laws determine when you can track users, what information you must give them, and how you must record and manage their cookie consent.  

When and how consent is required 

While there are some exceptions where cookie consent isn’t needed, those exceptions are extremely narrow. You must obtain consent before any non-essential cookie is set or information is read from a device. The rule of thumb is clear: unless a cookie is strictly necessary for the service a user has requested – for example, keeping items in a shopping basket or maintaining a login session – you must obtain the user’s opt-in consent before setting it. 

Consent must be a real choice, i.e. freely given, specific, informed, unambiguous and as easy to refuse as to accept. Pre-ticked boxes, scrolling or continuing to browse do not count. Nor does hiding the “reject” option behind extra clicks. The standard is now well established: people must be able to accept or reject non-essential cookies with equal prominence, and they must be able to withdraw their consent later just as easily. 

Any consent requests must also be separate from terms and conditions and set out in clear and plain language, as well as naming any third parties relying on consent and explaining what they will do with the information.  

You should not nudge or force users into accepting cookies. The regulator has repeatedly warned against “dark patterns” that steer users towards acceptance. In 2023, the ICO and the Competition and Markets Authority (CMA) published a joint paper on harmful designs that set out why fair and balanced consent interfaces are essential for compliance. 

For clarity on what valid consent looks like under the UK GDPR, the ICO’s guidance on consent remains the key reference. 

How consent mechanisms like a cookie banner support compliance  

Consent must be obtained before any non-essential cookie is placed or information is read from the user’s device. “Legitimate interests” cannot justify setting cookies under PECR. 

A consent banner (or similar mechanism) is the most common and practical way to collect consent – but what matters is that users give clear, informed, affirmative consent before any non-essential cookies are set. You can use other consent interfaces too, e.g. pop-ups and prompts, so long as they meet the PECR requirements. 

A cookie banner helps signal transparency and is often an effective way to get informed consent before setting non-essential cookies. 

The first layer should clearly explain what cookies you want to set and why, giving people the chance to accept or reject all non-essential cookies immediately and with equal prominence. The second layer – such as your preferences centre – should offer more detail about the types of cookies in use and the specific third parties involved. A cookie policy is often provided to give detailed information about the use of cookies to meet strict PECR disclosure rules.  

Non-essential cookies, such as analytics and advertising tags, must not fire until the user has actively consented. Withdrawal of consent should be possible at any time, through a visible control that allows users to revisit their preferences.  
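The behaviour described above (nothing fires until an affirmative choice, accept and reject one click apart, withdrawal just as easy, and a record of every decision) is easier to reason about in code. The block below is an added example, not code from the article or from Harper James. Its `store` interface (string `get`/`set`) is an assumption: in a browser you would wrap `localStorage` or a first-party cookie; an in-memory store is used here so it runs under Node. The category names, decision sources and timestamps are constructed.

```javascript
// Added example (not from the article): a minimal consent manager that gates
// non-essential tags, keeps "no consent" as the default, and logs decisions.
const CONSENT_KEY = "cookie_consent_v1";
const LOG_KEY = "cookie_consent_log";
const NON_ESSENTIAL = ["analytics", "advertising"];

// Assumed store interface; stands in for localStorage / a first-party cookie.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => { m.set(k, v); },
  };
}

class ConsentManager {
  constructor(store, clock = () => new Date().toISOString()) {
    this.store = store;
    this.clock = clock;
    this.pending = { analytics: [], advertising: [] }; // loaders waiting for consent
    this.fired = [];                                   // categories whose loaders ran
  }

  // Current state. With no stored decision every non-essential category is
  // off: the user must opt in; silence, scrolling or browsing never counts.
  current() {
    const raw = this.store.get(CONSENT_KEY);
    return raw ? JSON.parse(raw)
               : { decided: false, categories: { analytics: false, advertising: false } };
  }

  // Persist a decision and append it to the audit log (when, what, which control).
  record(categories, source) {
    const entry = { decided: true, categories, source, timestamp: this.clock() };
    this.store.set(CONSENT_KEY, JSON.stringify(entry));
    const log = this.auditLog();
    log.push(entry);
    this.store.set(LOG_KEY, JSON.stringify(log));
    this.flush();
    return entry;
  }

  // "Accept all" and "Reject all" are both single clicks on the first layer.
  acceptAll() { return this.record({ analytics: true, advertising: true }, "banner-accept"); }
  rejectAll() { return this.record({ analytics: false, advertising: false }, "banner-reject"); }
  // Withdrawal from the preferences centre is as easy as giving consent.
  withdraw()  { return this.record({ analytics: false, advertising: false }, "preferences-withdraw"); }

  // Register a non-essential tag: it is queued, never fired eagerly.
  register(category, loader) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error("unknown category: " + category);
    this.pending[category].push(loader);
    this.flush();
  }

  // Run queued loaders only for categories with recorded consent.
  flush() {
    const { categories } = this.current();
    for (const cat of NON_ESSENTIAL) {
      if (!categories[cat]) continue;
      while (this.pending[cat].length) {
        const loader = this.pending[cat].shift();
        this.fired.push(cat);
        loader();
      }
    }
  }

  auditLog() { return JSON.parse(this.store.get(LOG_KEY) || "[]"); }
}

// Walk through one visit: nothing fires before a choice, "reject" keeps it
// that way, "accept" releases the queued tags, and withdrawal is logged too.
function runScenario() {
  let t = 0; // constructed clock so the log is deterministic
  const cm = new ConsentManager(memoryStore(), () => "2025-11-01T09:00:0" + (++t) + "Z");
  const calls = [];
  cm.register("analytics", () => calls.push("analytics-tag"));   // e.g. an analytics snippet
  cm.register("advertising", () => calls.push("ads-pixel"));     // e.g. an ad pixel
  const beforeChoice = calls.length;   // 0: queued, not fired
  cm.rejectAll();
  const afterReject = calls.length;    // still 0
  cm.acceptAll();
  const afterAccept = calls.slice();   // both fire, in registration order
  cm.withdraw();
  return {
    beforeChoice, afterReject, afterAccept,
    finalState: cm.current().categories,
    log: cm.auditLog(),
  };
}
```

One design point worth noting: withdrawal stops any further queued tags from firing, but a script that has already executed cannot be unloaded by the consent manager. In practice the preferences centre should therefore also delete the cookies those vendors set and, where necessary, reload the page, so that withdrawal is effective rather than cosmetic.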

This balance between clarity and control is now a key focus for the ICO and the CMA. Their position paper on harmful design highlights that fair presentation of options is not only good practice but a compliance requirement. 

Analytics, advertising and social tracking 

Many businesses hope that analytics cookies might be exempt from the consent requirement, but under the current framework they are not, and organisations should obtain consent for the use of analytics cookies. 

Until the government brings any new exceptions under the DUA Act into force, you should continue to seek consent before collecting analytics data. 

Advertising and social-tracking technologies attract even closer scrutiny. Anything that profiles users, follows them across sites or builds lookalike audiences almost always needs prior consent. 

Applying the rules beyond websites 

The same principles extend beyond web browsers. Mobile apps, connected TVs, and other smart devices also fall within PECR. Software development kits (SDKs) that store identifiers or read device information are subject to legal rules under PECR, and fingerprinting techniques that identify devices without storing traditional cookies are equally in scope. 

In practice, your consent experience should be compliant across all your platforms. Users should see the same clarity and have the same control, whether they’re on a website, a mobile app or another digital interface which PECR applies to. 

For deeper practical guidance, see our article on data privacy for app developers. 

The DUA Act and what changes next 

The DUA Act received Royal Assent in June 2025, and its provisions are being phased in. A key impact for businesses is the increase in potential fines under PECR, bringing them into line with the UK GDPR (with fines up to the higher of £17.5 million or 4% of total worldwide turnover). As such, the risk profile for cookies will increase considerably and businesses could also see more active enforcement action. 

The DUA Act also aims to introduce targeted exemptions for certain low-risk cookies, but these changes will be subject to their own strict conditions and will only take effect once secondary legislation and updated ICO guidance are published. 

For now, the safest approach is to continue following the existing legal rules and monitor updates as the DUA framework is implemented. The ICO’s overview of what PECR covers and its UK GDPR hub are essential references, and you can check the status and timings directly via the DUA Act and the commencement plan. As always, legal advice is recommended to plan for changes, ensure you apply the law correctly and make sure your cookie practices are fully compliant when the new rules come into effect. 

Serving users in the EU 

If your website or app attracts visitors from the EU or EEA, UK changes under the DUA Act will not affect your obligations to those users.  

The EU ePrivacy Directive and EU GDPR continue to apply and require consent for non-essential cookies (including analytics and advertising cookies), and European regulators interpret “cookies” broadly to include pixels, SDKs and other tracking technologies. 

For clarity on the European position, see the European Data Protection Board’s Guidelines 2/2023. Many UK businesses therefore maintain a dual regime: one for UK users, reflecting domestic guidance, and one for EU users, aligned with EU law. Put simply, your cookie consent mechanisms may look different for your UK and EU markets, and this could complicate your compliance framework – so legal advice on your options is key for both legal and operational purposes. 

Preparing for enforcement and audits 

The ICO has signalled that active review and enforcement is increasing as it tackles cookie compliance across the UK’s top 1,000 websites. Businesses may face audits and spot checks, especially where banners are unclear or “reject” options are buried. Now is the time to review your setup: map every tag, cookie and SDK; check whether they fire before consent; understand whether you can rely on any exceptions; ensure your cookie and privacy policies match how you use cookies in practice; and ensure you comply with data protection law where cookies involve personal data. 

Record-keeping is equally important. Maintain logs of consents given, document your lawful bases for processing (to the extent that cookies involve personal data) and make sure changes to your technology stack are reviewed for compliance before they go live. 
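The audit step “map every tag, cookie and SDK; check whether they fire before consent” can be partly automated. The block below is an added example, not code from the article or from Harper James: it takes a snapshot of the cookies present on a fresh visit before any banner interaction (a constructed `document.cookie`-style string here; in a real audit you would capture it with a clean browser profile or an automated browser) and compares it with an allowlist of the cookies you have justified as strictly necessary. Anything set before consent that is not on the allowlist is a finding to investigate. The cookie names and the allowlist are constructed samples, not the page’s or any vendor’s real identifiers.

```javascript
// Added example (not from the article): flag cookies set before any consent
// interaction that are not on the strictly-necessary allowlist.

// Constructed allowlist: cookies the business has documented as strictly
// necessary for the service the user requested (session, CSRF, the consent
// record itself). Your own list comes from your cookie map, not from here.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent_v1"]);

// Parse a Cookie / document.cookie string ("a=1; b=2") into name -> value.
// Handles values containing "=", empty segments and bare names.
function parseCookieString(s) {
  const out = {};
  for (const part of s.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim();
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    if (name) out[name] = value;
  }
  return out;
}

// Compare the pre-consent snapshot with the allowlist. Every cookie that is
// present but not justified as strictly necessary fired without consent.
function auditPreConsentCookies(cookieString, allowlist = STRICTLY_NECESSARY) {
  const names = Object.keys(parseCookieString(cookieString));
  const findings = names.filter((n) => !allowlist.has(n)).sort();
  return {
    total: names.length,
    preConsentNonEssential: findings,
    compliant: findings.length === 0,
  };
}

// Constructed snapshot of a first page load, captured before the banner was
// touched. The analytics and ad-pixel names are made up for illustration.
const SAMPLE_PRE_CONSENT = "session_id=abc123; _analytics_id=XYZ.1.2; csrf_token=tok; _ad_pixel=px.1";

// Print a short report when run directly: the two non-essential cookies are
// reported as firing before consent.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditPreConsentCookies(SAMPLE_PRE_CONSENT), null, 2));
}
```

Run the same check against each of your platforms (website, app, connected device) and keep the output with your cookie map: a finding here is either a tag that needs to be gated behind consent, or a cookie you believe is strictly necessary and should add to the allowlist with a written justification.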

If you want a structured way to begin, explore our Data Protection Health Check, which helps you benchmark and prioritise compliance improvements. 

Designing for trust, not just compliance 

At its heart, cookie compliance is about respect – giving people genuine control over how their data is used. A well-designed consent experience is not only safer from an enforcement perspective but better for your brand. When users can understand what you’re doing, act on a clear choice and return later to change their mind without friction, they’re more likely to engage and less likely to complain.  

Transparency builds confidence, and confidence builds loyalty. 

How we can help 

Our data protection solicitors work closely with marketing, product and technical development teams to turn legal requirements into clear, user-friendly practice. We can help you with both your cookie law and wider compliance, supporting you to set your consent strategy, draft plain-English wording, refresh your cookie and privacy policies, complete Data Protection Impact Assessments and Records of Processing Activities, and renegotiate vendor terms as the DUA Act takes effect. 


What next?

If you need advice on GDPR and electronic communication regulation, our specialist solicitors can help. Call us on 0800 689 1700, email us at enquiries@harperjames.co.uk, or fill out the short form below with your enquiry.
