If your website uses cookies or similar tracking technologies, you must comply with the Privacy and Electronic Communications Regulations 2003 (PECR). These rules require you to tell visitors about cookies and get their consent before setting non-essential ones.

The Information Commissioner's Office (ICO) enforces PECR. Following the Data (Use and Access) Act 2025, maximum penalties have increased significantly - failing to comply can now result in fines of up to 17.5 million pounds or 4% of global turnover.

What counts as a cookie

PECR applies to:

Cookies (small text files stored on devices)
Local storage and session storage
Tracking pixels and web beacons
Device fingerprinting
Any technology that stores or accesses information on a user's device

If you're reading or writing data on someone's device, PECR applies.

Which cookies need consent

The key distinction is between cookies that are strictly necessary (exempt from consent) and all others (consent required).

Strictly necessary cookies (no consent required)

You can set these cookies without asking permission. They must be essential for the service the user has requested:

Session cookies - maintaining login state while browsing
Shopping basket cookies - remembering items added to cart
Load balancing cookies - distributing traffic across servers
Security cookies - fraud prevention, authentication
Accessibility cookies - remembering user accessibility preferences
First-party cookies for form submission - preventing data loss if a form fails

Important: You must still tell users about strictly necessary cookies in your cookie policy - you just don't need consent to set them.

Cookies that always require consent

These cookies cannot be set until the user actively agrees:

Analytics cookies - Google Analytics, Hotjar, Matomo
Advertising cookies - ad networks, retargeting
Social media cookies - Facebook pixel, Twitter tracking
Third-party tracking - any cookies set by external services
Personalisation cookies - recommendations based on browsing history
A/B testing cookies - when used to track user behaviour over time

The test is simple: if the cookie is for your benefit (tracking, analytics, advertising) rather than delivering the service the user requested, you need consent.

DUAA 2025 changes to cookie consent

The Data (Use and Access) Act 2025 introduces important changes to cookie consent rules. Some are already in force; others are being implemented during 2025-2026.

DUAA 2025 cookie consent changes

Changes to cookie consent rules under the Data (Use and Access) Act 2025, including new exemptions for analytics and functionality cookies that come into force during 2025-2026.

The Data (Use and Access) Act 2025 amends the Privacy and Electronic Communications Regulations 2003 (PECR) to introduce new cookie exemptions and align penalties with UK GDPR levels.

Key changes to cookie consent:

New exemptions for certain cookie categories without requiring prior consent
Conditions apply: clear information and easy opt-out must still be provided
Tracking, profiling, and advertising cookies still require explicit consent

Current PECR cookie rule: Prior consent required before storing or accessing information on user devices (Regulation 6)
Existing exemptions (unchanged): Strictly necessary cookies (e.g., shopping basket, session authentication, load balancing)
DUAA 2025 effective date: Phased implementation June 2025 to June 2026
PECR penalty increase: Maximum now aligned with UK GDPR: up to 17.5 million GBP or 4% of global turnover (from 5 February 2026)

New cookie exemptions under DUAA 2025

The following cookie categories may be permitted without prior consent, subject to conditions:

1. Statistical purposes (analytics): Cookies to measure website performance and improve services - requires clear info and easy opt-out
2. Appearance adaptation: Cookies adapting website appearance to user preferences (e.g., dark mode, font size)
3. Functionality adaptation: Cookies adapting website functionality to user preferences (e.g., language, region)
4. Emergency assistance: Cookies identifying user location for emergency services - limited to genuine emergencies
Conditions for new exemptions: Must provide clear information about the cookies AND an easy way to opt out

Cookies that still require consent

These cookie types are NOT covered by the new exemptions:

Tracking and profiling cookies - monitoring user behaviour across sites
Online advertising cookies - serving targeted advertisements
Third-party advertising - cookies set by advertising networks
Cross-site tracking - tracking users across multiple websites

Analytics exemption status: ICO consultation ongoing - detailed guidance expected by late 2025
Key consultation issue: Whether first-party analytics without individual profiling can use the exemption
ICO position: Waiting for ICO detailed guidance before implementing analytics exemption

What businesses should do now

Audit your cookies - identify which categories you use
Continue requiring consent - until ICO guidance confirms new exemptions apply to your cookies
Prepare opt-out mechanisms - even exempt cookies must offer easy opt-out
Review cookie information - ensure clear, accessible explanations of cookie purposes
Monitor ICO updates - guidance expected throughout 2025-2026

Implementation timeline: June 2025 (penalty increase), phased to June 2026 (full DUAA PECR changes)
Regulator: Information Commissioner's Office (ICO)
Risk of non-compliance: CRITICAL - maximum penalty now 17.5 million GBP or 4% of global turnover

What to do now

Until the ICO publishes detailed guidance on the new exemptions:

Continue requiring consent for analytics - the exact scope of the exemption is still being defined
Prepare opt-out mechanisms - even exempt cookies will require an easy way to refuse
Audit your cookies - understand exactly what each cookie does
Monitor ICO updates - implementation guidance expected throughout 2025-2026

Critical: Tracking, profiling, and advertising cookies will never be exempt. You will always need consent for these.

Getting valid consent

Cookie consent must meet the UK GDPR standard. It must be:

Freely given

Users must have a genuine choice. Do not use 'cookie walls' that block access unless all cookies are accepted.

Specific

Be clear about what types of cookies you want to set and why. Blanket consent for 'all cookies' is not valid.

Informed

Tell users what cookies do, who sets them, and how long they last before asking for consent.

Unambiguous

Require a clear affirmative action (clicking 'Accept'). Continuing to browse or scrolling is not valid consent.

What doesn't count as consent

The ICO has been clear that certain practices do not constitute valid consent:

Pre-ticked boxes - users must actively opt in
Implied consent from browsing - 'By continuing to use this site you consent' is not valid
Scrolling or clicking elsewhere - only an explicit 'Accept' counts
Bundled consent - users must be able to accept some cookies but not others
Cookie walls - making website access conditional on accepting all cookies
Hidden reject options - 'Reject' must be as easy to find as 'Accept'
Dark patterns - design that manipulates users into accepting

Cookie banner requirements

Your cookie banner must be prominent, clear, and give users genuine control.

1

Display banner before setting non-essential cookies

The banner must appear before any analytics, advertising, or tracking cookies are placed. Do not set these cookies and then ask permission.
2

Explain clearly what cookies you use

Tell users you want to set cookies, what types, and why. Avoid jargon - use plain English like 'We use cookies to track how you use our site'.
3

Offer equally prominent Accept and Reject options

Both buttons should be the same size and visibility. Hiding 'Reject' behind 'Manage settings' while making 'Accept all' prominent is a dark pattern.
4

Allow granular choices

Let users accept some cookie categories but not others. For example, accept analytics but reject advertising.
5

Link to your full cookie policy

Provide a link where users can read detailed information about each cookie, its purpose, and duration.
6

Make it easy to withdraw consent later

Provide a way for users to change their cookie preferences at any time, not just when the banner first appears.

Writing your cookie policy

Your cookie policy must include: what cookies you use (by name), their purpose in plain English, whether first or third party, duration, and how to manage or withdraw consent. Review it whenever you add new services.

Penalties for non-compliance

The ICO takes cookie compliance seriously. Enforcement has increased, and penalties are now much higher.

PECR maximum penalties 2025

Increased maximum fines for PECR breaches following Data (Use and Access) Act 2025.

From 19 June 2025, maximum penalties for PECR breaches have been aligned with UK GDPR levels under the Data (Use and Access) Act 2025.

Previous maximum fine: £500,000
New maximum fine (from June 2025): £17.5 million or 4% of global annual turnover, whichever is higher
Effective date: 19 June 2025
Legal basis: Data (Use and Access) Act 2025
Applies to: Unlawful email/SMS marketing, telemarketing, cookies/tracking breaches
Regulator: Information Commissioner's Office (ICO)

Common PECR breaches: Unsolicited marketing, ignoring opt-outs, manipulative cookie consent
ICO enforcement (2022-2025): 49 PECR fines totalling £4.63 million
Average fine (pre-2025): £94,490
Expected focus areas: Mass unsolicited communications, TPS/CTPS violations, deceptive consent flows

ICO PECR enforcement guidance

Common enforcement triggers

The ICO investigates when: cookies are set before consent, no genuine reject option, 'Reject' is hidden, cookie walls block content, or third-party tracking lacks disclosure. The ICO often begins with warnings, but businesses that ignore them face significant fines.

Compliance checklist

Use this checklist to ensure your website complies with PECR cookie requirements:

1

Audit all cookies on your website

Use browser developer tools or a cookie scanning service to identify every cookie set by your site, including third-party cookies.
2

Categorise each cookie

Determine whether each cookie is strictly necessary, analytics, advertising, or social media. Document the purpose and duration.
3

Implement a consent mechanism before non-essential cookies

Ensure your consent management platform blocks analytics and advertising cookies until users actively consent.
4

Provide equal Accept and Reject options

Review your banner design. Both options should be equally prominent with no dark patterns.
5

Enable granular consent

Allow users to accept some categories while rejecting others, rather than forcing an all-or-nothing choice.
6

Create a detailed cookie policy

List all cookies with their names, purposes, who sets them, and how long they last.
7

Provide ongoing consent management

Include a link in your footer or settings where users can change their cookie preferences at any time.
8

Test your implementation

Check that non-essential cookies are truly blocked until consent is given. Use browser developer tools to verify.
9

Review when adding new services

Each time you add analytics, advertising, or embedded content, update your cookie policy and consent mechanism.

Next steps

After ensuring cookie compliance: register with the ICO if needed, review your privacy notice to cover cookie data, consider PECR rules if you send electronic marketing, and monitor ICO guidance for DUAA 2025 updates.

Cookie consent: comply with PECR requirements

Email marketing: PECR and UK GDPR requirements

Electronic marketing rules (PECR)

Data protection annual compliance checklist

Data Use and Access Act 2025: what changed for businesses

Fire safety duties for Northern Ireland businesses

What counts as a cookie

Which cookies need consent

Strictly necessary cookies (no consent required)

Cookies that always require consent

DUAA 2025 changes to cookie consent

What to do now

Getting valid consent

What doesn't count as consent

Cookie banner requirements

Display banner before setting non-essential cookies

Explain clearly what cookies you use

Offer equally prominent Accept and Reject options

Allow granular choices

Link to your full cookie policy

Make it easy to withdraw consent later

Writing your cookie policy

Penalties for non-compliance

Common enforcement triggers

Compliance checklist

Audit all cookies on your website

Categorise each cookie

Implement a consent mechanism before non-essential cookies

Provide equal Accept and Reject options

Enable granular consent

Create a detailed cookie policy

Provide ongoing consent management

Test your implementation

Review when adding new services

Next steps

Official guidance

Related guides in Compliance & Legal

What counts as a cookie

Which cookies need consent

Strictly necessary cookies (no consent required)

Cookies that always require consent

DUAA 2025 changes to cookie consent

What to do now

Getting valid consent

What doesn't count as consent

Cookie banner requirements

Display banner before setting non-essential cookies

Explain clearly what cookies you use

Offer equally prominent Accept and Reject options

Allow granular choices

Link to your full cookie policy

Make it easy to withdraw consent later

Writing your cookie policy

Penalties for non-compliance

Common enforcement triggers

Compliance checklist

Audit all cookies on your website

Categorise each cookie

Implement a consent mechanism before non-essential cookies

Provide equal Accept and Reject options

Enable granular consent

Create a detailed cookie policy

Provide ongoing consent management

Test your implementation

Review when adding new services

Next steps

Official guidance