Data (Use and Access) Act 2025 – Cookies


30th July 2025

The second in part in our series of blogs on the Data (Use and Access) Act 2025 focuses on cookies. We examine Chapter 2 of Part 5 Data (Use and Access) Act 2025 (“DUAA”) amends the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”). In what way does DUAA change the cookies rules?

A) Instigation

Regulations 6 (1) and (2) PECR prohibit a person from storing or gaining access to information stored, in the terminal equipment of a subscriber or user (i.e. deploying cookies or similar tracking technologies) unless the subscriber or user is provided with clear and comprehensive information about the purposes of the storage or access to that information and has given their consent.

Section 112 (2) DUAA provides that the references to storing or gaining access in Regulation 6 PECR include instigating the storing or gaining access. This expands the ICO’s PECR enforcement powers as it means that it can enforce Regulation 6 against website publishers and adtech providers whether they deploy and/ or instigate the deployment of cookies or similar tracking technologies. So, for example, the ICO could pursue enforcement action against a publisher which instigated the deployment of third-party cookies on its website visitors’ devices but failed to provide information about this to those visitors.

B) Analytics Cookies

Section 112 (4) DUAA inserts a new Schedule A1 into PECR by means of Schedule 12 to DUAA. Schedule A1 contains exceptions to Regulation 6 (1) PECR. Paragraph 5 of Schedule A1 creates a new exception to the requirement to obtain consent for cookies and similar tracking technologies where those technologies are deployed for the sole purpose of, “[collecting] information for statistical purposes about how the service is used with a view to making improvements to the service, or [collecting] information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website”. Where this is the case, subscribers and users must be provided with a means of objecting to the storage or access and with clear and comprehensive information about the purpose of storage or access.

These ‘low risk’ analytics cookies are not strictly necessary cookies – that exception disapplies Regulation 6 (1) PECR and does not require an opt-out.

C) Secretary of State

Section 112 (3) DUAA inserts a new Regulation 6A into PECR after the existing Regulation 6. Regulation 6A empowers the Secretary of State to add an exception or remove or vary an existing exception to Regulation 6 (1) PECR through secondary regulations, after consultation with the ICO and other interested parties it considers appropriate. Watch this space!

Data protection training

Book a place on our BCS accredited training course

Sign up here

Enjoy That? You Might Like These:


events

20 October
Led by Employment Partner Rajiv Joshi, we are hosting an exclusive roundtable for senior legal counsel and GCs as part of our Counsel+ Forum on the forthcoming Employment Rights Bill. Read More

articles

15 October
The United Kingdom and India reached a landmark Free Trade Agreement (FTA) on 6 May 2025, creating major opportunities for increased trade and investments between the countries. Hailed by the... Read More

events

13 October
The new UK failure to prevent fraud corporate offence came into force on 1 September 2025. The new offence has created significant new compliance obligations and legal risks for organisations,... Read More