Data (Use and Access) Act 2025 – Cookies
The second part in our series of blogs on the Data (Use and Access) Act 2025 focuses on cookies. We examine how Chapter 2 of Part 5 of the Data (Use and Access) Act 2025 (“DUAA”) amends the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”). In what way does DUAA change the cookies rules?
A) Instigation
Regulations 6 (1) and (2) PECR prohibit a person from storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user (i.e. deploying cookies or similar tracking technologies) unless the subscriber or user is provided with clear and comprehensive information about the purposes of the storage or access to that information and has given their consent.
Section 112 (2) DUAA provides that the references to storing or gaining access in Regulation 6 PECR include instigating the storing or gaining access. This expands the ICO’s PECR enforcement powers as it means that it can enforce Regulation 6 against website publishers and adtech providers whether they deploy and/or instigate the deployment of cookies or similar tracking technologies. So, for example, the ICO could pursue enforcement action against a publisher which instigated the deployment of third-party cookies on its website visitors’ devices but failed to provide information about this to those visitors.
B) Analytics Cookies
Section 112 (4) DUAA inserts a new Schedule A1 into PECR by means of Schedule 12 to DUAA. Schedule A1 contains exceptions to Regulation 6 (1) PECR. Paragraph 5 of Schedule A1 creates a new exception to the requirement to obtain consent for cookies and similar tracking technologies where those technologies are deployed for the sole purpose of, “[collecting] information for statistical purposes about how the service is used with a view to making improvements to the service, or [collecting] information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website”. Where this is the case, subscribers and users must be provided with a means of objecting to the storage or access and with clear and comprehensive information about the purpose of storage or access.
These ‘low risk’ analytics cookies are not strictly necessary cookies – the strictly necessary exception disapplies Regulation 6 (1) PECR and does not require an opt-out.
C) Secretary of State
Section 112 (3) DUAA inserts a new Regulation 6A into PECR after the existing Regulation 6. Regulation 6A empowers the Secretary of State to add an exception or remove or vary an existing exception to Regulation 6 (1) PECR through secondary regulations, after consultation with the ICO and other interested parties it considers appropriate. Watch this space!