Changes in 2025 to UK GDPR / UK data protection consent framework via the Data (Use and Access) Act 2025

The 2025 changes to the UK GDPR / UK data protection consent framework (via the Data (Use and Access) Act 2025, case law, and related developments) also affect user consent for cookies. Here is a summary of the changes and what you should do.
1. What is changing under DUAA / related reforms with respect to cookies & storage/access technologies
One of the explicit updates in the DUAA is to the rules around “storage and access technologies (such as cookies).”
The Act allows usage of some storage and access technologies without explicit consent in certain, low-risk situations.
Practically, many commentators interpret this as creating some carve-outs (or a loosening) for functionalities like basic analytics, service improvement, or non-intrusive cookies, provided there is transparency and users can opt out.
However, these changes are not wholesale — they are more modest than some of the earlier policy proposals, and the reforms aim to maintain alignment with the broader GDPR regime.
Note: The DUAA does not entirely replace the Privacy and Electronic Communications Regulations (PECR) in the UK, which currently govern cookies and similar technologies. The DUAA works alongside (and amends) these regimes.
2. What this means for “consent” for cookies
Because cookie (and similar) consent is regulated under PECR (and under the ePrivacy / electronic communications rules), not directly under UK GDPR, the interplay is a bit subtle. But here are the key implications:
Aspect | Before DUAA / status quo | After DUAA / anticipated change | What to watch out for / constraints
---|---|---|---
Consent requirement for non-essential cookies | Under PECR, storing or accessing information on a user’s device (e.g. via cookies) usually requires user consent, unless strictly necessary for the provision of a service. | The DUAA introduces a possibility that some storage/access technologies (in low-risk contexts) may not require explicit consent. | The carve-out is limited: for it to apply, the use must be genuinely low risk, transparent, and with an opt-out mechanism. It likely will not apply to advertising/tracking cookies.
Transparency / notice | Users must receive “clear and comprehensive information” about the purpose of cookies; cookie banners / preference tools are typically used. | Transparency remains important; users should still be informed of what storage/access is happening and have options. | The reforms don’t eliminate the need for a cookie banner or choice interface in many contexts.
Opt-out / rejection option | Users already have to be able to refuse non-essential cookies; “reject all” must be as easy as “accept.” | Under the new regime, for cookies falling under the “low-risk” exemption, the obligation might shift from affirmative consent to a notification + opt-out model. | That shift doesn’t mean “do nothing” — design and documentation will matter.
Risk of misclassification | Under current rules, if you misclassify a cookie as “non-essential” or “analytics” but it is in fact more invasive, you could be in breach. | With new flexibility, the risk is that organisations might push borderline cookies into the “low-risk” bucket and thereby avoid consent, but that could invite regulatory scrutiny. | You’ll need good justification and a defensible risk assessment for any cookie that is treated under an exemption.
Enforcement and fines | Violations of PECR / cookie rules may lead to regulatory fines (ICO) under the existing regime. | The DUAA aligns fines under PECR with those under the UK GDPR (i.e. higher maximums) for electronic communications breaches. | That increase in fines raises the stakes for cookie compliance.
So in practice, for many cases, the “consent + banner” model will still be needed — especially for more intrusive, cross-site, or advertising/tracking cookies. The DUAA reforms give a bit more breathing room for basic analytics or similarly low-risk uses, but with tight requirements for transparency and opt-out.
3. What remains (and what still doesn’t change)
The “strictly necessary” cookie exception will still apply: cookies essential to providing a service requested by the user remain exempt from consent requirements.
For more invasive cookies or tracking, explicit, informed consent will still be required (subject to how the new rules are interpreted).
The DUAA does not completely remove consent as a cornerstone of privacy protection — it just adds nuance, and potential carve-outs.
The reforms are being phased in, so not all provisions will come into force immediately.
The Information Commissioner’s Office (ICO) will issue guidance, which will be critical for interpreting the changes in real-world cookie settings.
4. What you should do (practical steps)
Review your cookie inventory / classification
Identify which cookies you currently use (essential, analytics, advertising, etc.), using the Cookie Scanner or the browser console.
Assess which ones might genuinely qualify as “low-risk” under the new regime (if that exemption is to apply).
Document your rationale and assessments
Keep internal records justifying why a cookie is exempted or requires consent. The Cookie Scanner report offers valuable info on this.
Maintain transparency in your decision-making (so that if challenged, you can show a defensible basis).
Update your Cookie Control banner
Ensure that users are clearly told the purposes for any cookie category, and how to opt out.
If you shift some cookies to a “notification + opt-out” model (where permitted), reflect that in your banner. Cookie Control lets you set an optional cookie category to ON by default while still providing a toggle so visitors can opt out if they wish.
Monitor ICO guidance and timing of commencements
Because the DUAA is being phased in, check which provisions are live and when.
The ICO’s updated guidance (late 2025 / early 2026) will be critical to align your implementation.
Err on the cautious side for more invasive cookies
Until there's more clarity, keep requiring explicit consent for tracking, profiling, or cross-site cookies.
Don’t rely on exemptions for borderline use cases without clear justification.
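As an added example (not the article's own code, and not the Cookie Scanner or Cookie Control), a browser-console audit that compares the cookies a page sets against a documented inventory and reports which consent model from the table above applies to each; the cookie names, the inventory and the category-to-model mapping are constructed assumptions for illustration.

```javascript
// Added example, not from the original article: audit the cookies a browser
// exposes against a documented inventory and report the consent model each one
// falls under. The category-to-model mapping is an assumption for illustration.

// Consent model per cookie category (assumed for this example).
const CONSENT_MODEL = {
  essential: 'exempt',          // strictly necessary: no consent required
  analytics: 'notify-opt-out',  // only if genuinely low-risk and transparent
  advertising: 'consent',       // tracking / cross-site: affirmative consent
};

// Documented cookie inventory: name -> category. Names are constructed.
const INVENTORY = {
  session_id: 'essential',
  csrf_token: 'essential',
  _site_stats: 'analytics',
  _adtrack: 'advertising',
};

// Split a document.cookie string ("a=1; b=2") into cookie names.
// document.cookie never exposes HttpOnly cookies, so a server-side
// review is still needed for a complete inventory.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split('=')[0]);
}

// Group observed cookies by the consent model their documented category
// requires; anything missing from the inventory is flagged as undocumented.
function auditCookies(cookieString, inventory = INVENTORY) {
  const report = { exempt: [], 'notify-opt-out': [], consent: [], undocumented: [] };
  for (const name of parseCookieNames(cookieString)) {
    const category = inventory[name];
    if (!category) report.undocumented.push(name);
    else report[CONSENT_MODEL[category]].push(name);
  }
  return report;
}

// An undocumented cookie cannot be justified as low-risk, so it is treated
// like a consent-requiring cookie until it has been classified.
function needsAffirmativeConsent(report) {
  return report.consent.length > 0 || report.undocumented.length > 0;
}
// Constructed sample; in a browser console use auditCookies(document.cookie).
const SAMPLE_COOKIES = 'session_id=abc123; _site_stats=1; _adtrack=x=y; mystery=42';
```

Any name that lands in `undocumented` is the misclassification risk from the table: it needs to be classified and recorded before any exemption is claimed for it.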
We hope the information above is useful.