Data (Use and Access) Act 2025 – Cookies


30th July 2025

The second in part in our series of blogs on the Data (Use and Access) Act 2025 focuses on cookies. We examine Chapter 2 of Part 5 Data (Use and Access) Act 2025 (“DUAA”) amends the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”). In what way does DUAA change the cookies rules?

A) Instigation

Regulations 6 (1) and (2) PECR prohibit a person from storing or gaining access to information stored, in the terminal equipment of a subscriber or user (i.e. deploying cookies or similar tracking technologies) unless the subscriber or user is provided with clear and comprehensive information about the purposes of the storage or access to that information and has given their consent.

Section 112 (2) DUAA provides that the references to storing or gaining access in Regulation 6 PECR include instigating the storing or gaining access. This expands the ICO’s PECR enforcement powers as it means that it can enforce Regulation 6 against website publishers and adtech providers whether they deploy and/ or instigate the deployment of cookies or similar tracking technologies. So, for example, the ICO could pursue enforcement action against a publisher which instigated the deployment of third-party cookies on its website visitors’ devices but failed to provide information about this to those visitors.

B) Analytics Cookies

Section 112 (4) DUAA inserts a new Schedule A1 into PECR by means of Schedule 12 to DUAA. Schedule A1 contains exceptions to Regulation 6 (1) PECR. Paragraph 5 of Schedule A1 creates a new exception to the requirement to obtain consent for cookies and similar tracking technologies where those technologies are deployed for the sole purpose of, “[collecting] information for statistical purposes about how the service is used with a view to making improvements to the service, or [collecting] information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website”. Where this is the case, subscribers and users must be provided with a means of objecting to the storage or access and with clear and comprehensive information about the purpose of storage or access.

These ‘low risk’ analytics cookies are not strictly necessary cookies – that exception disapplies Regulation 6 (1) PECR and does not require an opt-out.

C) Secretary of State

Section 112 (3) DUAA inserts a new Regulation 6A into PECR after the existing Regulation 6. Regulation 6A empowers the Secretary of State to add an exception or remove or vary an existing exception to Regulation 6 (1) PECR through secondary regulations, after consultation with the ICO and other interested parties it considers appropriate. Watch this space!

Data protection training

Book a place on our BCS accredited training course

Sign up here

Enjoy That? You Might Like These:


newsletters

6 October
Welcome to Blake Morgan's Corporate Commentary, which brings together a selection of our most popular insights on current business issues. This month we have also included a roundup of our... Read More

articles

23 September
The next instalment in our series on the Data (Use and Access) Act 2025 (“DUAA”) expands on our previous blog (which can be found here), regarding how Chapter 2, Part... Read More

articles

5 September
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) is now being brought into force and is something that is going to impact every company and LLP registered in the... Read More