Cookies and the Data (Use and Access) Act 2025: what’s changing and why it matters
- Privacy Protect Group Ltd.
- Jun 24
- 4 min read
Updated: Jul 23

The Data (Use and Access) Act 2025 (DUAA 2025) (1) has officially landed, bringing with it a series of targeted amendments to the UK’s data protection framework. While the UK General Data Protection Regulation (UK GDPR) (2), the Data Protection Act 2018 (DPA 2018) (3) and the Privacy and Electronic Communications Regulations 2003 (PECR) (4) remain the bedrock of UK data protection legislation, the DUAA 2025 introduces some meaningful updates, particularly around the use of cookies and similar tracking technologies.
What’s the big deal about cookies?
Cookies are small data files stored on users’ devices, often used to remember preferences, track behaviour or improve website functionality. Under PECR, setting most cookies, especially those used for analytics or advertising, has traditionally required prior consent from users. Hence the pop-ups you see when visiting websites, asking you to choose your preferences for additional cookies.
But that’s about to shift.
The DUAA’s cookie reform: a softer approach to low-risk tracking
The DUAA 2025 introduces a more pragmatic stance on cookies (Section 112 and Schedule A1). Once the relevant provisions are brought into force (via secondary legislation), organisations will be able to set certain low-risk cookies without obtaining user consent (Schedule A1(4)(2)). These include:
- Analytics cookies used to gather statistical insights (Schedule A1(5));
- Functionality-enhancing cookies that improve user experience (Schedule A1(6));
- Necessary cookies that allow the provision of the service (Schedule A1(4)(2)).
This change is designed to reduce friction for both users and organisations, while still maintaining a high standard of privacy and data protection.
The Information Commissioner’s Office (ICO) has already confirmed that the DUAA will allow organisations to set some cookies without consent, provided they are used for purposes such as improving website functionality or collecting anonymised usage data (5), but further details and updated guidance are still awaited.
Not so fast: timing and implementation
It’s important to note that most of the DUAA’s data protection provisions are not yet in effect. They require secondary legislation to commence, and accompanying guidance from the ICO is still in development. So while the law has passed, its practical application is still a few steps away.
Organisations should:
- Monitor updates from the ICO and the Department for Science, Innovation and Technology (DSIT) (6);
- Review their current cookie practices;
- Prepare to update cookie banners and privacy notices once the new rules are in force.
Mind the jurisdiction gap: UK vs EU
Here’s the catch: EU law hasn’t changed. The ePrivacy Directive (7) still requires consent for most cookies, including analytics. So if your organisation:
- Operates in the EU, or
- Makes its website or app accessible to EU users
...you’ll need to consider whether to maintain a dual compliance strategy. That might mean continuing to request consent for all cookies across the board, or implementing geo-targeted cookie banners, if technically feasible.
Strategic takeaways
The changes signal a shift toward proportionality in consent requirements, particularly around low-risk tracking technologies such as analytics and functionality-enhancing cookies.
That said, simplification is not the same as deregulation. Transparency, accountability and respect for individual choice remain cornerstones of good information governance and data protection. Even where consent may no longer be required, clearly communicating how data is used and offering meaningful controls is essential for maintaining user trust.
International-facing organisations should remain vigilant about jurisdictional differences. While the UK is moving toward a more flexible approach, EU law retains stricter consent requirements. It’s vital to assess whether a harmonised approach is feasible, or if segmentation by geography is necessary to minimise risk.
Ultimately, these changes reflect a maturing regulatory environment, one that recognises the importance of user experience and privacy. Navigating this evolving landscape will require not just compliance, but thoughtful implementation grounded in principles of fairness, transparency, and purpose limitation.
References
(1) HM Government, (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 24 June 2025).
(2) HM Government, (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council. Available at: https://www.legislation.gov.uk/eur/2016/679/contents (Accessed: 24 June 2025).
(3) HM Government, (2018). Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents (Accessed: 24 June 2025).
(4) HM Government, (2016). The Privacy and Electronic Communications (EC Directive) Regulations 2003. Available at: https://www.legislation.gov.uk/uksi/2003/2426/regulation/22 (Accessed: 24 June 2025).
(5) Information Commissioner’s Office, (2025). The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations? Available at: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/ (Accessed: 24 June 2025).
(6) Department for Science, Innovation and Technology, (2025). Guidance: Data (Use and Access) Act 2025: data protection and privacy changes. Available at: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes (Accessed: 24 June 2025).
(7) European Parliament, (2002). Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Available at: https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng (Accessed: 24 June 2025).