Cookie Compliance Revolution: How DUAA 2025 Changes Everything
Gbenga Onojobi
DUAA 2025 transforms cookie compliance. Learn how new exemptions, transparency rules and ICO enforcement reshape data protection.

Jenny runs a small bakery in Manchester. When GDPR first came into force, she panicked and copied a cookie banner from a template website. Two years later, she discovered that her innocent-looking banner was breaking the law in several ways. Her family bakery website had unknowingly drifted out of cookie compliance and was exposed to the UK GDPR maximum penalty of £17.5 million or 4% of annual turnover. What began as a simple online presence had turned into a potential compliance nightmare.
Jenny’s story is far from unique. Many UK businesses, large and small, have faced confusion over cookie compliance. In January 2025, the Information Commissioner’s Office (ICO) assessed the top 200 UK websites and found that 134 of them failed to meet cookie compliance standards. These findings formed part of the ICO’s wider strategy to ensure users have meaningful control over how their personal information is tracked and used online. The regulator has since expanded its review to the top 1,000 websites, highlighting just how widespread the problem remains.
Against this backdrop, the introduction of the Data Use and Access Act (DUAA) 2025 marks a major turning point. This legislation reshapes cookie compliance and introduces new rules that will affect almost every UK business with an online presence.
The Cookie Compliance Crisis Explained
Cookies are small files that websites place on a user’s device. Some are essential, like those that keep you logged in, remember your shopping basket, or hold security settings. Others, such as tracking cookies, follow your behaviour across the internet and build detailed profiles, often sold to data brokers. The distinction matters because Regulation 6 of PECR requires consent before storing or reading information on a device unless that storage or access is strictly necessary for a service the user has requested, and this applies whether or not the information is personal data. Where it is personal data, UK GDPR applies on top of PECR, so an organisation must treat the different categories of cookie differently.
Common cookie compliance failures include:
- Making it harder to reject cookies than to accept them
- Using pre-ticked boxes for non-essential cookies
- Giving vague or misleading explanations about cookie purposes
- Denying website access if users refuse tracking cookies
These issues sit within a wider enforcement picture. LinkedIn received a €310 million fine from the Irish Data Protection Commission for unlawful processing and transparency failures around behavioural analysis and targeted advertising. WhatsApp was fined €5.5 million for relying on its terms of service as the basis for processing, in effect forcing users to consent. Neither case turned on cookies as such; both concerned lawful basis and transparency, which are exactly the principles that a banner nudging or forcing consent undermines, and which the ICO applies to cookie consent under PECR and UK GDPR.
DUAA 2025: The Cookie Compliance Game Changer
The Data Use and Access Act 2025 changes the cookie rules by adding new exceptions to the consent requirement in Regulation 6 of PECR. Section 112 and Schedule 12 of DUAA insert a new Schedule A1 into PECR, which sits alongside the existing “strictly necessary” exemption and lists further purposes for which storing or reading information on a device does not need consent. For businesses, this means some first-party analytics and optimisation cookies may now be set without prior consent, provided the conditions attached to each exemption are met.
Expanded Cookie Exemptions
Under DUAA 2025, consent is no longer needed to set or read cookies for the following purposes, each subject to its own conditions:
1. Traditional Strictly Necessary Functions: security protection, fraud detection, technical fault detection and prevention, user authentication, and remembering selections the user has made on the site.
2. Analytics and Website Optimisation: collecting statistical information about how the service is used, monitoring performance, and analysing user behaviour solely to improve the service.
3. User Experience Enhancement: adapting the appearance or functions of the website to the user’s preferences, optimising functions across devices, and improving interface elements.
4. Emergency Assistance: using geolocation data to respond to an emergency and facilitating critical communications.
The Conditions for Cookie Compliance
The DUAA exemptions do not create a free-for-all. Paragraph 5 of Schedule A1 sets out strict conditions. To qualify, analytics and optimisation cookies must serve only statistical or service-improvement purposes. The data collected cannot be shared with anyone other than a processor acting on the organisation’s behalf. Organisations must also provide clear and comprehensive information about the cookies in use and give users a free, simple way to object. In practice, this means exempt cookies may run by default, but only until the user objects, at which point they must stop.
What This Means for Businesses
The DUAA 2025 introduces a new middle ground between essential cookies and invasive tracking cookies. Businesses gain flexibility but must adopt higher transparency standards. Compliance now requires action on several fronts:
- Audit existing cookies against the new exemption categories
- Update privacy policies with clear, specific language about cookie purposes
- Introduce simple objection mechanisms for exempted cookies
- Document compliance processes for potential ICO review
- Separate exempt cookies from non-exempt ones in technical design
Achieving cookie compliance costs far less than a regulatory penalty. Before DUAA, PECR fines were capped at £500,000; DUAA 2025 aligns PECR penalties with the UK GDPR maximum of £17.5 million or 4% of global annual turnover, whichever is higher, and that is before any reputational damage. Compliance is not optional, and it is also the smarter business decision.
The Impact on Users
For users, DUAA 2025 reduces banner fatigue while strengthening transparency. People should expect clearer explanations of cookie functions, simple objection rights, and better website performance from legitimate optimisation. But vigilance remains important. The line between analytics and tracking is thin, and some organisations may attempt to misuse exemptions. Users must continue exercising their rights to object.
The New Enforcement Focus
Regulators will adapt their focus in the DUAA 2025 era. They will check whether exempt cookies genuinely serve their stated purposes, whether transparency is truly clear, whether objection mechanisms work, and whether data remains in-house. Cookie compliance enforcement will target organisations that attempt to stretch exemptions or obscure practices. In other words, businesses cannot use DUAA as cover for old habits.
Looking Forward: The Future of Cookie Compliance
DUAA 2025 represents a pragmatic shift in cookie regulation. It recognises that not all data collection undermines privacy. Some analytics genuinely improve websites for users. But businesses must meet stricter transparency obligations to stay compliant. For many, this will mean investing in clearer communication and more robust governance.
At Data Protection People, we believe cookie compliance in 2025 will separate organisations that embrace transparency from those that cling to outdated practices. Businesses that adopt open, user-focused cookie strategies often see stronger loyalty and better conversion rates than those that rely on manipulation.
For users, rights remain strong. People can still object to cookies they don’t want, and regulators will hold businesses accountable for misuse. The cookie chaos of the past is giving way to a more balanced, transparent model, but only if organisations play by the rules.
References & Guidance
- ICO: Guidance on the use of storage and access technologies (cookies and similar technologies under PECR and UK GDPR) – https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/
- ICO: Guide to PECR, cookies and similar technologies
- Data Use and Access Act 2025, Section 112 and Schedule 12 – https://www.legislation.gov.uk/ukpga/2025/18/section/112
- GOV.UK: Data Use and Access Act 2025 factsheet, PEC Regulations – https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets/data-use-and-access-act-factsheet-pec-regulations
Contact Us
If you’re unsure whether your website meets the new cookie compliance standards, contact us for a GDPR Audit. Our experts can help you review cookies, update policies, and implement objection mechanisms. We also offer Data Protection Support and Training to keep your team ahead of regulatory changes. Don’t wait for an ICO review; take action now and secure your compliance.