Data (Use and Access) Act 2025 (DUAA) cookie consent changes will reshape how marketers utilise analytics and ads, with new exceptions and stricter penalties now in effect.
If you’re responsible for marketing for an SME, you’ll feel the DUAA in two places: how you run analytics and how you handle consent for ads. The Act became law on 19 June 2025 and is being switched on in stages (the first provisions started in August). The government and the ICO are publishing roll-out notes and guidance as they go. In short, there’s a little more flexibility for low-risk cookies, and a lot more incentive to get compliance right.
What's actually changed?
The DUAA amends the UK’s e-privacy rules (PECR) by adding narrow, named exceptions to the consent rule for cookies and similar tech. Two matter most for marketers:
- Statistical (analytics) exception. If the sole purpose of the storage/access is to collect aggregate statistics to improve your website or service, you can run analytics without consent. That is, provided you explain it clearly and offer a simple, free way to object. This is about understanding journeys and fixing user experience (UX), not tracking people. The ICO is explicit that anything ad-related sits outside this exception. For marketers, this matters because better analytics can highlight where customers drop off, what frustrates them, and how journeys can be smoothed. Done well, that translates into higher conversion rates, better retention, and improved customer satisfaction – so the compliance lift also unlocks real commercial value.
- Appearance exception. You can also set or read tech to adapt how your site looks or behaves to a user’s preference – for example, language or theme. Again, you need clear information and an easy opt-out; it must not involve choosing which content or ads to show based on behaviour or interests. These exceptions live in a new Schedule A1 to PECR, inserted by DUAA. Think of them as carve-outs you must fit precisely. If you drift beyond the stated purpose, you’re back in consent territory.
What hasn’t changed (and often trips teams up)
Advertising still requires consent. That covers targeting, frequency capping, attribution and ad measurement. If any of your tags set or read information for these purposes, you need valid consent under PECR and UK GDPR – no pre-ticked boxes, and withdrawal must be as easy as giving consent.
You still owe users clarity. Even when you rely on the analytics or appearance exceptions, the ICO expects “clear and comprehensive information” and a one-step way to object (for example, a visible toggle). Treat it as “tell people and give them an easy off switch,” not silent tracking.
Third-party analytics can be fine – with guardrails. The ICO says you may use a third-party provider under the statistical exception, so long as the data is used only to help you improve your site/service and isn’t repurposed or pooled. Switch off ad features, aggregate quickly, and don’t retain individual-level data longer than needed to aggregate.
For a comprehensive overview of GDPR and cookie requirements, refer to our detailed guide.
What if you have EU customers or visitors?
The DUAA only changes UK law. If your site targets customers in the EU or tracks visitors there, you’re still bound by the EU’s e-privacy rules and GDPR. Those don’t include the new UK exceptions – meaning analytics cookies generally still need consent unless they are strictly necessary for the service requested. In practice, this may mean running two regimes in parallel: UK-only sites can take advantage of the statistical/appearance carve-outs, but any site with EU traffic should keep the consent prompt in place for analytics. Failing to draw that line can expose you to enforcement from EU regulators even if you’re compliant at home.
Why this matters more now
The DUAA also raises the ceiling on PECR penalties to UK GDPR levels – up to £17.5m or 4% of worldwide turnover for the most serious infringements. Historically, cookie breaches topped out at £500k. That old cap is gone. For senior managers, cookies have moved from “website housekeeping” to a genuine regulatory risk line item.
So, where does this leave your cookie banner?
For many SMEs, the practical outcome is a cleaner split:
- Maintain a lightweight analytics setup under the statistical exception (aggregate insights only, explained clearly, with an opt-out option).
- Continue to use consent for all ad-related activities (including measurement).
- If you embed social media or ad-funded video, configure those widgets so they don’t set non-exempt tech on page load. Let the user choose to activate them. This is precisely the kind of line the ICO’s draft guidance clarifies. Expect more details as further DUAA provisions commence.
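To make the split above concrete, here is an added JavaScript illustration (not code from this article or from the firm that wrote it) of how a site can decide which tags run on page load. It runs statistical and appearance tags by default but honours a one-step opt-out, holds ad tags and embeds until the user opts in, treats an "analytics" tag with ad features switched on as advertising, and fails closed on anything it cannot parse. The tag ids, the `adFeatures` option and the JSON storage format are assumptions made for the example.

```javascript
// Added example (not from the article): a minimal tag-gating model for the
// UK-only split described above. Tag ids, the `adFeatures` option and the
// stored-choices format are assumptions, not a real vendor's API.

// Which categories may run before the user has said anything. Statistical and
// appearance map to the Schedule A1 exceptions (run by default, easy opt-out);
// everything ad-related, including embeds, waits for an affirmative opt-in.
const CATEGORY_POLICY = {
  statistical: { defaultAllowed: true },
  appearance:  { defaultAllowed: true },
  advertising: { defaultAllowed: false },
  embeds:      { defaultAllowed: false },
};

// Hypothetical tag catalogue for a small site (constructed for the example).
const TAG_CATALOGUE = [
  { id: 'site-analytics',     category: 'statistical', options: { adFeatures: false } },
  { id: 'theme-pref',         category: 'appearance' },
  { id: 'ad-pixel',           category: 'advertising' },
  { id: 'video-embed',        category: 'embeds' },
  // Misconfigured: an analytics tag with ad features on has drifted outside
  // the statistical exception, so it must be governed as advertising.
  { id: 'analytics-with-ads', category: 'statistical', options: { adFeatures: true } },
];

// Resolve the category a tag is actually governed by.
function effectiveCategory(tag) {
  if (tag.category === 'statistical' && tag.options && tag.options.adFeatures === true) {
    return 'advertising';
  }
  return tag.category;
}

// Parse stored user choices (e.g. from a first-party cookie). Anything
// malformed or unknown is dropped: it is treated as "no choice", never consent.
function parseChoices(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return {};
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return {};
    const choices = {};
    for (const [key, value] of Object.entries(parsed)) {
      if (key in CATEGORY_POLICY && typeof value === 'boolean') choices[key] = value;
    }
    return choices;
  } catch (err) {
    return {};
  }
}

// An explicit choice always wins; otherwise the category default applies.
// Unknown categories fail closed.
function isAllowed(category, choices) {
  const policy = CATEGORY_POLICY[category];
  if (!policy) return false;
  if (Object.prototype.hasOwnProperty.call(choices, category)) return choices[category] === true;
  return policy.defaultAllowed;
}

// Decide which tags may run on page load and which must wait for the user.
function planTagLoad(catalogue, choices) {
  const plan = { load: [], blocked: [] };
  for (const tag of catalogue) {
    (isAllowed(effectiveCategory(tag), choices) ? plan.load : plan.blocked).push(tag.id);
  }
  return plan;
}

// Recording a choice: withdrawing is the same one-step call as granting.
function setChoice(choices, category, allowed) {
  if (!(category in CATEGORY_POLICY)) throw new Error('unknown category: ' + category);
  return { ...choices, [category]: allowed === true };
}

// Serialise choices for first-party storage (format assumed for the example).
function serialiseChoices(choices) {
  return JSON.stringify(choices);
}

// Walk through a first visit, an ad opt-in, then an analytics opt-out.
function demo() {
  const firstVisit = planTagLoad(TAG_CATALOGUE, parseChoices(null));
  const optedIn = setChoice({}, 'advertising', true);
  const optedOut = setChoice(optedIn, 'statistical', false);
  return {
    firstVisit,
    afterOptIn: planTagLoad(TAG_CATALOGUE, optedIn),
    afterOptOut: planTagLoad(TAG_CATALOGUE, optedOut),
    stored: serialiseChoices(optedOut),
  };
}
```

The point of `effectiveCategory` is that the exception is a precise carve-out: the moment an analytics tag is configured to do ad measurement, the code stops treating it as exempt rather than trusting the label. `parseChoices` discards anything it does not recognise so that a corrupted or tampered cookie can only ever reduce what runs, never grant consent.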
Key dates and next steps
The government’s summary states that cookie changes will be implemented over 2–12 months after Royal Assent. The ICO has begun updating its PECR/cookie pages to reflect the new exceptions and will continue to iterate as more sections go live. It makes sense to build your settings now and flip the switch as commencement regulations land.
Bottom line for marketers: you can run truly low-risk analytics without consent if you meet the strict tests and provide people with an easy opt-out option. However, ads – and anything adjacent to them – still rely on consent. With higher PECR fines in play, now’s the moment to simplify your stack, tighten your wording, and be honest with users about what runs and why.
If you’d like a quick review of your tags, Content Marketing Platform and cookie notice, our experienced data protection solicitors can help you make the most of the new changes without stepping outside the lines.