I once bought a cookie for £5 from a fancy bakery in Central London - it was elegant, gooey, warm and definitely overpriced. Was it worth it? I’m not sure. But under the UK’s new Data Use and Access Act (DUAA), a cookie on your website could cost you up to £17.5 million or 4% of global annual turnover (whichever is higher). Now that’s an expensive cookie.
Now, of course nobody’s getting fined £17 million for a single cookie but mishandle enough of them and you could really be in trouble.
The DUAA
The Data Use & Access Act 2025 (DUAA) came into law on 19th June 2025 and is rolling out between June 2025 and June 2026.
Its purpose? To give businesses more flexibility whilst preserving rights for users. It’s not intended to replace UK GDPR, the Data Protection Act 2018 or PECR (Privacy and Electronic Communications Regulations) but to supplement what already exists.
In plain English: it’s an update to the digital privacy rules with an aim to make compliance more pragmatic, especially around cookies and analytics.
The 5 Cookie Exemptions
Under PECR, cookies usually require consent unless they are considered strictly necessary. The DUAA essentially loosens these requirements under 5 exemptions.
1. Communication
- Storage or access used only when it’s strictly necessary for transmitting communications over a network.
- Examples include session cookies for load balancing (to help route data to the correct server) or device fingerprinting techniques used solely for network management purposes.
2. Strictly Necessary
- Storage or access that is essential for a website or app to function and is technically required from the user’s perspective, not the service provider’s (so ads don’t qualify).
- Examples include user authentication, fraud detection/prevention, maintaining shopping baskets or remembering cookie preferences.
3. Statistical / Analytics
- Storage or access that serves the purpose of collecting aggregate, non-identifiable statistical information about a website/app, used solely to make improvements to the service or website.
- These technologies must not identify or track individual users across services and may only operate on aggregated data.
4. Appearance
- Storage or access that serves the purpose of adjusting the appearance or functions of the service to match a user’s specific preferences.
- Examples include remembering the user’s chosen language, theme or layout preferences.
5. Emergency Assistance
- Storage or access used solely to identify the location of a user’s device to provide emergency assistance.
- For example, if a user requests emergency services, sites may use location-based storage/access without prior consent.
Even when relying on these exemptions, sites must still provide clear information about how they use such storage or access technologies and offer a free and simple way for users to opt out.
What happens if you breach the requirements?
The Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights, now has expanded powers under the DUAA.
The ICO can dig much deeper when investigating potential data breaches. It can ask people to give formal interviews, request technical evidence or reports and, where necessary, issue fines of up to £17.5 million or 4% of global turnover, whichever is higher.
It’s worth noting that these figures represent the maximum penalties available. In practice, the ICO typically issues fines in a proportionate way, taking into account the severity of the breach, its impact on individuals and the organisation’s circumstances. These penalties apply to any serious breach under the DUAA, not just cookie mismanagement.
At the time of writing, the ICO has not yet published the statutory guidance explaining how it will use its new enforcement powers, since the Act is still being rolled out in phases. The guidance is subject to public consultation, meaning businesses will get visibility into how enforcement will work. For now, it’s important to stay up to date.
In short, the ICO will be able to issue fines of up to £17.5 million under the DUAA once the guidance has been published, but nothing has yet been finalised.
So, What Does This All Mean?
Whether you’re a business owner, marketer or part of a digital or data team, these are changes you need to be aware of. This doesn’t magically mean you can get rid of cookie banners, but it does shift the balance between the user experience and compliance.
The DUAA gives more breathing room for:
- Better analytics without the friction of consent requirements
- More personalised UX aligned to user preferences
- Smarter data strategies with more balance between compliance and commercial insight
It’s important to remember that, whilst you can drop certain cookies without explicit user consent, these exemptions are tightly scoped. If the use of storage goes beyond the stated purpose, you will still be required to gain user consent.
To remain compliant (and trustworthy):
- Maintain clear documentation
- Be transparent about data use
- Give users a free and simple way to opt out.
What Next Steps Should You Take?
While we wait for the full rollout there are some actions that can be taken. This is a great opportunity to rethink how your brand handles data and builds trust.
- Review your current cookie setup: identify which cookies are essential, which are exempt and which need consent.
- Update your cookie notices: explain the purposes of all cookies, keeping the notice clear, up to date and user-friendly.
- Set up easy opt-out functionality: users must keep the right to opt out whenever they want.
- Keep an eye on ICO guidance and updates: as the DUAA is rolling out until June 2026, it’s important to keep on top of its guidance.
- Educate your teams: align your teams with any changes so privacy becomes a built-in part of your experience, not an afterthought.
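As an added illustration of the cookie review step above (not code from the original post), here is a small inventory audit that maps each cookie’s declared purpose onto the five exemptions described earlier and flags where consent is still needed because the exemption is out of scope. The cookie names, the `Cookie` schema and the sample inventory are constructed assumptions, not a real site’s data.

```python
# Constructed example: audit a cookie inventory against the five DUAA exemptions.
from dataclasses import dataclass

EXEMPTIONS = {"communication", "strictly_necessary", "analytics", "appearance", "emergency"}


@dataclass
class Cookie:
    name: str
    purpose: str                          # one of EXEMPTIONS, or something else (e.g. "advertising")
    serves_user: bool = True              # strictly necessary from the user's perspective, not the provider's
    aggregate_only: bool = False          # analytics: only aggregated, non-identifiable data
    cross_service_tracking: bool = False  # analytics: follows individuals across services
    extra_purposes: tuple = ()            # any use beyond the stated exempt purpose


def classify(c: Cookie) -> tuple[str, str]:
    """Return (decision, reason); decision is 'exempt' or 'consent_required'."""
    if c.purpose not in EXEMPTIONS:
        return "consent_required", f"purpose '{c.purpose}' is not an exemption"
    if c.extra_purposes:  # exemptions are tightly scoped to the stated purpose
        return "consent_required", "use goes beyond the exempt purpose: " + ", ".join(c.extra_purposes)
    if c.purpose == "strictly_necessary" and not c.serves_user:
        return "consent_required", "necessary for the provider, not the user"
    if c.purpose == "analytics" and (not c.aggregate_only or c.cross_service_tracking):
        return "consent_required", "analytics must be aggregate and must not track users across services"
    # Exempt cookies still need clear information and a free, simple opt-out.
    return "exempt", f"{c.purpose} exemption applies (still disclose and offer opt-out)"


def audit(cookies: list[Cookie]) -> dict[str, tuple[str, str]]:
    return {c.name: classify(c) for c in cookies}


# Constructed sample inventory covering each exemption and a few out-of-scope cases.
SAMPLE = [
    Cookie("lb_route", "communication"),
    Cookie("session_id", "strictly_necessary"),
    Cookie("ad_attrib", "strictly_necessary", serves_user=False),
    Cookie("site_stats", "analytics", aggregate_only=True),
    Cookie("visitor_uid", "analytics", cross_service_tracking=True),
    Cookie("lang", "appearance"),
    Cookie("lang_plus_ads", "appearance", extra_purposes=("ad targeting",)),
    Cookie("sos_location", "emergency"),
    Cookie("marketing_pixel", "advertising"),
]

if __name__ == "__main__":
    for name, (decision, why) in audit(SAMPLE).items():
        print(f"{name:16} {decision:17} {why}")
```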
So yes, that £5 cookie I bought might have been overpriced, but I’d much rather pay that than £17.5 million. The DUAA is about more than avoiding a big fine, though: it’s about earning trust through transparency and giving businesses a chance to tidy up, simplify and show users that their data and privacy are respected.