UK cookie rules 2026: what the DUAA lets marketers track
15 July 2026 · Consent & privacy · News

Last updated: 13 July 2026. This article is general information for marketers, not legal advice. If you're making compliance decisions for your business, speak to a qualified adviser.
For about fifteen years, UK marketers have all heard the same instruction: every cookie needs consent, so every site needs a banner. In February 2026 that quietly stopped being true for one specific type of tracking. Hardly anyone in marketing noticed, because the announcements were written by law firms, for compliance teams, in language most of us skim and forget.
It's worth your attention, because the change cuts both ways. Some tracking you've been hiding behind a banner no longer needs consent. Other tracking you might assume is now fine still isn't. And the maximum penalty for getting it wrong just went up thirty-five times over.
Here's what changed, what didn't, and what to do about it.
TL;DR: Since 5 February 2026, the Data (Use and Access) Act lets UK sites run first-party analytics cookies without a consent banner. But attribution and advertising cookies still need opt-in, and the ICO can now fine up to £17.5m or 4% of global turnover, up from £500k. Here's what that means in practice.
What actually changed on 5 February 2026?
The main data protection provisions of the Data (Use and Access) Act 2025 came into force on 5 February 2026 (DLA Piper, 2026). The headline change for marketers: first-party analytics cookies used purely for statistical purposes no longer need consent (Stevens & Bolton, 2025).
The Data (Use and Access) Act 2025, usually shortened to the DUAA, is the UK's big post-Brexit update to its data laws. It amends three things at once: the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, better known as PECR. PECR is the law behind cookie banners, and it's the piece that matters here.
Until February, PECR said you needed consent to store or access anything on a visitor's device unless it was strictly necessary. Analytics never counted as strictly necessary, so into the banner it went. The DUAA adds new exemptions, and the biggest one covers first-party analytics: cookies that collect statistical information about how your own site is used, so you can improve it (Stevens & Bolton, 2025; Clifford Chance, 2026).
There are strings attached, though. The data has to be collected for statistical purposes only and used only by you as the website operator. You have to give visitors clear and comprehensive information about what the tracking is for. And you have to offer a simple way to object, free of charge.
One scope note before the table: PECR's "storage and access" rules cover localStorage, tracking pixels, scripts and tags, and device fingerprinting as well as cookies (ZwillGen, 2026). So the same logic applies whatever your stack happens to use.
| Cookie purpose | Before 5 Feb 2026 | Now |
|---|---|---|
| Strictly necessary (checkout, security, load balancing) | Exempt | Exempt |
| First-party analytics (aggregate statistics) | Consent required | Exempt, with clear notice and a free-of-charge right to object |
| Third-party analytics that share data for the provider's own use | Consent required | Consent required |
| Advertising and remarketing (Google Ads, Meta pixel) | Consent required | Consent required |
| Cross-site tracking and ad personalisation | Consent required | Consent required |
Do you still need a cookie banner?
For most marketing teams, yes. The exemption is deliberately narrow. It frees first-party statistics, not the advertising stack, and a single Meta pixel or Google Ads remarketing tag keeps you firmly in consent territory (Stevens & Bolton, 2025).
What can plausibly move out from behind the banner:
- Counting page views, sessions and visitors on your own site
- Aggregate traffic sources, like "40% of visits came from organic search" (but not which visitor)
- Browser, device and screen-size breakdowns
- Where people drop off on the way through your site
What still needs opt-in consent:
- Third-party advertising cookies of any kind
- Remarketing and audience building (Google Ads, Meta, LinkedIn)
- Cross-site tracking and ad personalisation
- Anything where a platform receives your visitors' data for its own purposes
A quick test: does any tag on your site send data to an ad platform? If yes, the banner stays.
There's a design consequence too. Even exempt analytics needs clear and comprehensive information and a free way to object, so for a lot of sites the banner shrinks rather than disappears. Think slim notice with an analytics opt-out, and a proper consent prompt saved for advertising.
As for Google Analytics: whether a stock GA4 setup fits the exemption is genuinely debatable. We cover it in the FAQ below.
The catch for lead tracking: analytics isn't attribution
In our reading, the new exemption covers counting visits, not connecting an individual lead to the ad they clicked. Per-lead attribution still needs consent. No law-firm briefing we've seen spells this out for lead generation teams, and it's exactly where marketers are most likely to overreach.
Aggregate statistics answer questions like "how many visits came from Google last month?". The exemption exists for precisely that: statistical information about how your service is used (Stevens & Bolton, 2025). Attribution answers a different question: "which click did this specific lead come from?". Answering it means storing an identifier on one person's device, holding onto it across their whole journey, and joining it to a form fill with a name and email attached.
That's not "statistical purposes" any more. You're processing an identifiable person's data to evaluate them individually, which is a different purpose with different rules. Consent still required. To be clear, this is our interpretation of the new exemption, not settled law, and as far as we know the ICO hasn't published a worked example for lead attribution yet.
So if someone tells you the DUAA made lead tracking consent-free, be suspicious. It didn't. If you care about which channel actually produced each lead, you still need an opt-in, and you still need tooling that behaves sensibly when consent is refused.
What are the new fines, and is the ICO actually enforcing?
PECR fines jumped from a £500,000 cap to UK GDPR levels: up to £17.5m or 4% of global annual turnover (Mayer Brown, 2025). Thirty-five times the old maximum. Cookie compliance just went from a nuisance to a board-level risk.
Is the ICO actually using its new teeth? Increasingly, yes. Its cookie compliance drive reviewed the UK's top 1,000 websites, and by December 2025, 979 were compliant while 17 had received preliminary enforcement notices (ICO, 2025). The regulator then finalised its updated storage and access technologies guidance on 29 April 2026 (ICO, 2026), which largely removes the "rules were unclear" defence.
Let's be honest about the odds, though. We're not aware of any headline cookie fines against small UK businesses yet. The pattern so far is notice first, penalty later. But the sequence is a familiar one: biggest sites first, guidance finalised, then attention moves down-market. Better to fix your consent setup before a letter arrives, not after.
What should you actually do this quarter?
Five jobs: audit your tags, reclassify genuine analytics, keep consent where it's still needed, fix your consent wiring, and write your decisions down. None of them needs a lawyer to get started, and the exemption's conditions (Stevens & Bolton, 2025) hand you the checklist.
- Audit every tag by purpose. List every cookie, script and pixel, then label each one: strictly necessary, first-party statistics, or advertising and attribution. Most of the surprises live in old tag managers.
- Reclassify genuine first-party analytics. If a tool collects purely statistical data and shares nothing with third parties, it can come out from behind the consent wall. Add clear notice and an easy objection route first.
- Keep consent for ads and attribution. Remarketing tags, conversion pixels and per-lead tracking stay behind opt-in, whatever the headlines say.
- Fix your consent-mode wiring. When a visitor refuses consent, your paid reporting should fall back to aggregate numbers rather than silently break. Test the refusal path, not just the accept path.
- Document your reasoning. A dated note explaining why each tag sits where it does is cheap insurance if the ICO ever asks.
Will this really take a whole quarter? For most small teams it's a focused week. The rest is retesting, stakeholder questions, and the one tag everyone forgot about.
Still to come
The DUAA isn't finished rolling out, and the ICO's position will keep evolving. Since 19 June 2026, organisations have also had to acknowledge data protection complaints from individuals within 30 days (SI 2026/82), which puts a clock on how you respond when someone challenges your tracking.
The government can also adjust the cookie exemptions through secondary legislation (a new Regulation 6A lets the Secretary of State add or vary exceptions after consulting the ICO), so the consent-exempt list could grow (Blake Morgan, 2025). Keep an eye on ICO guidance updates too, especially anything touching analytics configuration or attribution.
We'll update this post as new guidance lands. The "last updated" date at the top is your freshness check.
The bottom line
- First-party, statistics-only analytics can now run without consent, provided you give clear notice and an objection route (Stevens & Bolton, 2025).
- If you run any advertising or remarketing tags, your banner stays.
- Per-lead attribution was never made consent-free. Analytics isn't attribution.
- The stakes went up sharply: fines of up to £17.5m or 4% of turnover (Mayer Brown, 2025).
- Audit, reclassify, document. A week of work now beats an enforcement letter later.
We built Trackfully consent-first before any of this moved: it captures nothing about a visitor until they opt in. If you want lead tracking that works that way by default, see how consent-gated tracking works or the features overview.
FAQ
Do I still need a cookie banner for Google Analytics in the UK?
It depends on configuration. Genuinely first-party, statistics-only analytics can qualify for the exemption (Stevens & Bolton, 2025). But default GA4 setups often share data with Google and feed its advertising features, which goes beyond statistical purposes. Strip the setup back, or keep the consent prompt.
What are the PECR fines in 2026?
Up to £17.5m or 4% of global annual turnover, since the DUAA aligned PECR penalties with the UK GDPR (Mayer Brown, 2025). The previous cap was £500,000. The ICO issues preliminary enforcement notices before fines, so warnings usually come first.
Does the DUAA make lead tracking consent-free?
No, in our reading. The exemption covers aggregate, first-party statistics about how your site is used. Matching an individual lead to the specific click or campaign that produced them is a different purpose, involving an identifiable person, and it still needs consent. Treat vendors claiming otherwise with caution.
When did the DUAA cookie changes take effect?
The main provisions, including the analytics exemption, commenced on 5 February 2026 (DLA Piper, 2026). The ICO finalised supporting guidance on 29 April 2026 (ICO, 2026), and the complaint acknowledgement duty followed on 19 June 2026 (SI 2026/82).