
GDPR cookie consent in the UK: rules after the DUAA 2025

by Mark McShane, May 12, 2026


A current guide to UK cookie consent law — the relationship between PECR and UK GDPR, which cookies still need consent, the new exemption categories from February 2026, and what a compliant cookie banner must do.

UK cookie law has changed more in the past year than in the previous decade. The Data (Use and Access) Act 2025 amended both PECR and UK GDPR, the ICO finalised its updated Storage and Access Technologies guidance on 29 April 2026, and the maximum fine for non-compliance grew from £500,000 to £17.5 million. Anyone running a UK-facing website that has not reviewed its cookie compliance against the new framework is operating against outdated rules.

This guide covers the law as it stands today: how PECR and UK GDPR fit together for cookies, which cookies still need consent, the new exemption categories, what makes a banner compliant, and the new "instigator" concept that extends liability to organisations beyond the website operator itself.

PECR and UK GDPR: how cookie law actually works

A persistent source of confusion is that UK cookie law sits in two separate regimes. UK GDPR is the broader data protection regulation. The Privacy and Electronic Communications Regulations 2003 (PECR) is the specific law governing cookies and similar technologies, electronic marketing, and certain telecoms-related data protections.

The split matters because each regime does different work:

  • PECR is the law that requires consent before cookies or similar storage technologies are placed on a user's device. The requirement applies regardless of whether the cookie contains personal data. It is set out in regulation 6 of PECR.
  • UK GDPR provides the standard for what counts as valid consent. If PECR requires consent, UK GDPR's definition of consent (Article 4(11)) and its conditions (Article 7) apply.

In practical terms, that means a cookie banner has to do two things at once: meet the PECR requirement that consent has been obtained before non-exempt cookies are set, and meet the UK GDPR standard for what counts as consent — freely given, specific, informed, unambiguous, and given by clear affirmative action.

The Data (Use and Access) Act 2025 amended both regimes simultaneously. It expanded the PECR exemption categories, aligned PECR penalties with UK GDPR, and updated UK GDPR's consent provisions to fit the new framework.

For the consent standard itself, see our lawful basis and consent guide.

Which cookies need consent today

The default position under PECR regulation 6 is that consent is required before cookies or similar technologies are placed on a user's device. The exception covers technologies that are either "strictly necessary for the provision of a service explicitly requested by the user" or, under the new framework, fall within one of the specific exemption categories the DUAA added.

In practice, cookies typically fall into one of four working categories:

Strictly necessary cookies

These are essential for the website to function — session cookies that maintain a logged-in state, basket cookies that remember items being purchased, security cookies that prevent fraud, load-balancing cookies that route traffic. These require no consent and never have under PECR. The "strictly necessary" test is genuinely strict — necessary for the service the user explicitly requested, not just useful for the operator.

Functionality cookies

Cookies that remember user preferences — language, font size, accessibility settings. Some of these now fall within the new exemption categories where the function genuinely improves the service for the user. Others still require consent.

Analytics cookies

Cookies used to measure how users interact with a site. The DUAA introduced a limited exemption for cookies used for statistical purposes, but the exemption is narrower than many operators assume — it does not cover analytics tools that also feed advertising or are shared with third parties for their own purposes.

Marketing and advertising cookies

These continue to require consent. Targeted advertising, retargeting, behavioural profiling, third-party advertising network cookies, and cross-site tracking pixels all sit firmly within the consent requirement and will not benefit from the new exemptions.

The fourth category — marketing and advertising — has been the focus of recent ICO compliance work. The regulator announced active monitoring of the top UK websites for cookie compliance in 2023, and that work has continued.

The new exemption categories under the DUAA

[Figure: PECR cookie exemptions before and after 5 Feb 2026]

From 5 February 2026, the DUAA broadened the categories of cookies and similar technologies that do not require consent under PECR. The ICO's Storage and Access Technologies guidance, finalised on 29 April 2026, sets out how the new categories are intended to operate.

The expanded exemptions broadly cover:

  • Service improvement and audience measurement — cookies used to collect statistical information about how visitors use a site, where the data is used only by the operator for the purpose of improving the service. This exemption is narrower than the equivalent in some EU member states.
  • Functionality enhancement — cookies that automatically apply user preferences (such as accessibility settings or display preferences) without requiring the user to set them each visit.
  • Security and integrity of an information society service — cookies used to maintain the security of the service, prevent fraud, or ensure technical integrity, beyond what was already covered by the "strictly necessary" test.
  • Emergency assistance — storage and access technologies used to provide location information for emergency response or similar protective purposes.
  • Software updates — technologies used to install necessary software updates and patches, where required for the security or proper operation of the service.

Several caveats apply across all of these. The exemption applies only where the use of the technology is limited to the exempted purpose — a cookie that does both analytics for the operator and advertising profiling for a third party does not qualify. The operator must also provide clear information about the exempted technologies in use, typically through a privacy notice or a separate cookie information page, even where consent is not required.

The mixed-use trap is worth labouring. A "Google Analytics" deployment that also feeds Google's advertising systems is not within the analytics exemption. A heatmap tool that uses session recording and also shares data with a third party for product improvement is not within the functionality exemption. Where the underlying technology has dual or third-party purposes, the exemption fails and consent is required.

What a compliant cookie banner must do

[Figure: Compliant cookie consent banner — annotated anatomy]

The ICO's expectations for cookie banners are now well-established and reflected in published guidance and enforcement decisions. A compliant banner has to deliver several things at once.

Equal prominence for accept and reject

Users must find it as easy to reject non-essential cookies as to accept them. A banner with a large "Accept all" button and a small "Manage settings" link that requires further clicks to reject fails this test. Either both options appear at the first layer, or a single click rejects all non-essential cookies.

No pre-ticked boxes

Consent must be a clear affirmative action. Boxes that are pre-ticked when the banner first appears do not produce valid consent — a position confirmed by the CJEU in Planet49 and retained under UK law.

No cookie walls

A site cannot make access conditional on accepting cookies. The ICO's position is that consent obtained under those conditions is not freely given. A limited exception exists for genuine "pay or consent" models, but the ICO has flagged that these arrangements need to be carefully designed and have come under increasing regulatory scrutiny.

Granular controls

Where multiple categories of non-essential cookies are deployed, users should be able to consent to some and reject others. A single "accept all" button without granular options does not satisfy the specificity requirement of UK GDPR consent.

Clear information

The banner must explain — at the first layer — what cookies are being set, by whom, and for what purposes. A vague "we use cookies to improve your experience" with no further information does not meet the informed standard.

No setting of non-exempt cookies before consent

A banner that displays a consent request while simultaneously setting marketing or analytics cookies in the background fails. PECR requires consent before the cookie is set, not after the user has had time to react.

Easy withdrawal

Users must be able to change or withdraw their consent at any time. This typically means a persistent link or icon — sometimes a floating button — that opens the cookie preferences from any page.

The ICO has been clear that these are not optional best practices. They are the regulator's interpretation of what PECR and UK GDPR require, and banners that fall short are non-compliant. The 2024 letters the ICO sent to the operators of the top UK websites focused on exactly these patterns.

Storage and access technologies beyond cookies

[Figure: PECR Regulation 6 — beyond cookies]

The ICO's Storage and Access Technologies guidance reflects a deliberate broadening of regulatory scope. The rules no longer focus solely on traditional HTTP cookies — they cover any technology that stores information on, or retrieves information from, a user's device.

Within scope:

  • HTTP cookies — first-party and third-party.
  • Local and session storage — modern browser storage mechanisms used by JavaScript applications.
  • Tracking pixels and web beacons — small images or scripts that allow data to be read from a user's device or browser.
  • Fingerprinting — techniques that combine browser, device, and network characteristics to identify a user without setting a cookie.
  • Cache-based tracking — using browser caching mechanisms to store identifying information.
  • SDK-based tracking on mobile apps — software development kits that read or write data on a user's device.

The same consent rules apply across these technologies. An operator that has replaced cookies with fingerprinting has not stepped outside the regulation — they have changed the technology while keeping the underlying processing, and PECR and UK GDPR both follow.

For more on how the underlying personal data definition applies to identifiers and online signals, see our personal data guide.

The "instigator" rule

The DUAA introduced a new concept that materially widens the reach of PECR liability. Under the new framework, responsibility for non-compliant placement of cookies or similar technologies extends not only to the party that directly sets the cookie but to any party that instigates the placement.

In practice, the instigator rule pulls in:

  • Tag manager operators. A website using a tag management system to deploy third-party tags is an instigator of those tags, even where the third party is technically the entity setting the cookie.
  • Advertising networks and ad exchanges. Parties higher up the ad-tech chain who cause cookies to be set on a user's device through participating publishers.
  • Sub-processors and downstream service providers. Where one party causes another to deploy a technology, both can carry liability.

The implication is that website operators cannot escape responsibility by pointing at third-party tags they deployed, and third parties cannot escape responsibility by pointing at the website that integrates them. The ICO's enforcement approach is expected to apply the same standard to both sides.

For the controller and processor framework that sits behind this, see our controller vs processor guide.

The £17.5 million fine ceiling

The change with the most direct commercial consequence is the alignment of PECR penalties with UK GDPR. Before 5 February 2026, the maximum fine for breach of PECR was £500,000. From that date, the maximum is £17.5 million or 4% of worldwide annual turnover, whichever is higher — a 35-fold increase on the previous cap.

This applies to cookie compliance, electronic marketing, and the other obligations PECR contains. The same fining methodology in the ICO's March 2024 Fining Guidance applies, with the same five-step approach to assessing seriousness, turnover, starting point, aggravating and mitigating factors, and proportionality.

The practical effect is that cookie compliance now sits in the same risk bracket as a serious UK GDPR breach. A non-compliant cookie banner exposes the operator to the same maximum penalty as a major data breach or a serious failure of the data protection principles. The ICO's targeting of the top UK websites for compliance review was already a clear signal; the new fine ceiling makes the cost of non-compliance materially higher.

For the wider enforcement picture, see our fines guide.

Common cookie banner failures

The patterns the ICO has flagged most often:

  • "Accept all" prominently styled, with no equivalent "reject all" at the same level.
  • "Manage settings" or "More options" used as the reject route, requiring extra clicks the accept route doesn't.
  • Pre-ticked boxes for specific cookie categories, particularly analytics or marketing.
  • Cookies set before the banner is dismissed, including in the brief window between page load and user interaction.
  • No persistent way to withdraw consent once given.
  • Generic descriptions that do not identify the actual cookies or their purposes.
  • Cookie walls that condition access on acceptance.
  • Banners that disappear without a clear choice, defaulting to consent if the user closes them.

Operators reviewing their current banner against this list should also confirm the underlying tag management — many compliance issues sit not in the banner itself but in how cookies are actually triggered behind it.
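The banner requirements above (nothing non-exempt before consent, granular choice, easy withdrawal), the point that localStorage and similar mechanisms are in scope, and the tag-management caveat in the previous paragraph all come down to one mechanism: every tag is gated on a recorded consent state whose default grants nothing non-essential, and a review checks what is actually present on the device before the user has acted. The following is an added example written for this article, not code from the ICO, the author or any consent-management vendor. The category names, the tag names and the cookie and localStorage names are assumptions; the storage snapshot is constructed.

```javascript
// Added example (not code from this article, the ICO or any vendor CMP).
// Category, tag, cookie and localStorage names below are assumptions chosen for illustration.

const CATEGORIES = ["necessary", "functionality", "analytics", "marketing"];
const allOf = (value) => Object.fromEntries(CATEGORIES.map((c) => [c, value]));

class ConsentManager {
  constructor() {
    // Default state: only the exempt "necessary" category is granted. Closing or
    // ignoring the banner changes nothing, so nothing non-essential can fire.
    this.granted = { ...allOf(false), necessary: true };
    this.pending = []; // tags registered before their category was granted
    this.fired = [];   // names of tags that have actually run
    this.log = [];     // consent record: action, granted map, timestamp
  }

  // Tags register with a category and a callback; the callback runs only once that
  // category is granted, so the page cannot set the cookie ahead of consent.
  registerTag(name, category, fire) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, fire };
    if (this.granted[category]) this.fire(tag);
    else this.pending.push(tag);
  }

  fire(tag) {
    tag.fire();
    this.fired.push(tag.name);
  }

  record(action, granted) {
    this.granted = { ...granted, necessary: true };
    this.log.push({ action, granted: { ...this.granted }, at: new Date().toISOString() });
    // Release queued tags whose category is now granted; the rest stay queued.
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.granted[tag.category]) this.fire(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  // One click each, same layer: accept and reject are symmetrical operations.
  acceptAll() { this.record("accept_all", allOf(true)); }
  rejectAll() { this.record("reject_all", allOf(false)); }
  // Granular choice: only the listed categories change.
  save(choices) { this.record("save", { ...this.granted, ...choices }); }
  // Withdrawal stops further tags; cookies already set must be cleared separately,
  // and the stored state must be re-read on the next page load (not shown here).
  withdraw() { this.record("withdraw", allOf(false)); }
}

// Map storage names to categories; a trailing "*" matches a prefix (e.g. "_ga*").
function categoryOf(name, categoryMap) {
  for (const [pattern, category] of Object.entries(categoryMap)) {
    const match = pattern.endsWith("*") ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
    if (match) return category;
  }
  return "unknown";
}

// Review check for "set before consent": given a snapshot of device-side storage
// (a document.cookie string plus localStorage keys) taken before any banner
// interaction, report every item whose category is not granted. Unknown names are
// reported too, because an unidentified cookie cannot be shown to be exempt.
function auditStorage(snapshot, categoryMap, granted) {
  const cookieNames = snapshot.cookies.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
  const items = [
    ...cookieNames.map((n) => ({ kind: "cookie", name: n })),
    ...snapshot.localStorage.map((n) => ({ kind: "localStorage", name: n })),
  ];
  return items
    .map((it) => ({ ...it, category: categoryOf(it.name, categoryMap) }))
    .filter((it) => it.category === "unknown" || !granted[it.category]);
}

// Constructed sample: what a first page load might hold before the user has acted.
const SAMPLE_SNAPSHOT = {
  cookies: "sessionid=abc123; _ga=GA1.2.111; _fbp=fb.1.222; zzz=1",
  localStorage: ["heatmap_session"],
};
const CATEGORY_MAP = { sessionid: "necessary", "_ga*": "analytics", _fbp: "marketing", "heatmap_*": "analytics" };

function demo() {
  const cm = new ConsentManager();
  cm.registerTag("session", "necessary", () => {});   // exempt: runs immediately
  cm.registerTag("analytics", "analytics", () => {}); // queued until granted
  cm.registerTag("ads", "marketing", () => {});       // queued until granted
  const beforeDecision = [...cm.fired];
  cm.save({ analytics: true });                       // granular: analytics yes, marketing no
  const afterSave = [...cm.fired];
  cm.withdraw();
  const findings = auditStorage(SAMPLE_SNAPSHOT, CATEGORY_MAP, new ConsentManager().granted);
  return {
    beforeDecision, afterSave,
    stillQueued: cm.pending.map((t) => t.name),
    actions: cm.log.map((l) => l.action),
    findings: findings.map((f) => f.name),
  };
}
```

Running `demo()` shows the two halves of the check: before any decision only the exempt tag has run, a granular save releases the analytics tag while the marketing tag stays queued, and the storage audit of the constructed snapshot flags the analytics and marketing items plus the unidentified `zzz` cookie, which is exactly the "cookies set before the banner is dismissed" failure in the list above.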

For broader context on how cookie compliance fits within UK data protection law, see our hub guide to UK GDPR and our UK GDPR vs EU GDPR guide — which covers the divergence between UK cookie rules and the EU's ePrivacy framework.

Frequently asked questions

Do I need consent for analytics cookies?

Sometimes. The DUAA introduced a limited exemption for cookies used for statistical purposes by the operator alone. Where the analytics tool also feeds advertising, is shared with third parties for their own purposes, or processes data beyond simple aggregate statistics, the exemption does not apply and consent is required.

What is a cookie wall?

A design pattern that conditions access to a website on acceptance of non-essential cookies. The ICO's position is that consent obtained through a cookie wall is not freely given and is therefore invalid under UK GDPR. Limited "pay or consent" alternatives may be acceptable in specific circumstances but face increasing scrutiny.

Are "reject all" buttons required?

Yes. Users must find it as easy to reject non-essential cookies as to accept them. In practice this means a "reject all" option needs to appear at the first layer of the banner, with equal prominence to "accept all". Hiding the reject route behind "Manage settings" or "More options" does not satisfy this standard.

What changed under the DUAA?

Three main changes from 5 February 2026: new exemption categories for low-risk cookies and storage technologies; the maximum PECR fine raised to £17.5 million or 4% of turnover; and a new "instigator" rule extending liability beyond the direct cookie-setter to any party causing the placement.

Does PECR or UK GDPR govern cookies?

Both, in different ways. PECR contains the specific requirement to obtain consent before non-exempt cookies or similar technologies are placed on a user's device. UK GDPR provides the standard for what counts as valid consent. The two work together, and compliance requires meeting both.

What's the maximum fine for cookie violations?

£17.5 million or 4% of worldwide annual turnover, whichever is higher. This applies from 5 February 2026 under the DUAA's amendments to PECR. The previous cap of £500,000 no longer applies.
