This article offers a timely overview of recent developments in UK cookie compliance and regulation.
Why should I read this?
With the Information Commissioner’s Office (ICO) ramping up enforcement and the enactment of the Data Use and Access Act 2025 (DUAA), organisations need to reassess how they handle cookies and user consent.
We’ll cover:
- The ICO’s cookie compliance checks: the ICO’s expanded cookie compliance checks, now targeting the UK’s top 1,000 websites;
- The Data Use and Access Act 2025 (“DUAA”): its enactment introduces significant changes to the e-privacy regime under PECR; and
- The ICO’s ongoing consultation on its updated storage and access guidance. Time is running out to respond to these proposed changes.
ICO cookie compliance checks
What’s happened?
- In a significant escalation, earlier this summer the ICO launched a new wave of cookie compliance checks, now targeting the UK’s top 1,000 websites. This follows its January 2025 announcement expressing concern over widespread non-compliance with UK GDPR and PECR cookie rules.
- The ICO’s focus includes:
  - Whether non-essential cookies are set before valid user consent is obtained;
  - Whether cookie banners offer a genuine and fair choice to reject non-essential cookies;
  - The clarity and accessibility of cookie policies and settings; and
  - Evidence that organisations are responding to public complaints about cookie practices.
What should you do?
Whether you are in the top 1,000 or not, you should check your cookie compliance by reviewing your website cookie banner, the cookie mechanisms in your mobile apps, and the associated privacy notice and cookie policy, and by ensuring these reflect what is happening in practice. One of the key areas of complaint is non-essential cookies firing before consent is obtained, or a lack of information about what the cookies do, particularly where profiling or tracking is taking place.
Importantly:
- Consent must be freely given, specific, informed and unambiguous for all non-essential cookies;
- Pre-ticked boxes or implied consent (e.g. “By using this site you accept cookies”) are not valid and the cookies banner must not follow a user around the website;
- Users must be given an equal opportunity to accept or reject non-essential cookies; and
- Clear, user-friendly information must be provided on the cookies used and their purpose.
The Data Use and Access Act 2025
What Has Changed?
The DUAA, enacted in June 2025, introduces a more nuanced approach to cookie consent. Under Schedule 12, consent is no longer required for certain low-risk non-essential cookies, including:
- Statistical and analytical cookies;
- Personalisation and functionality cookies.
However, organisations must still provide comprehensive information about these cookies and offer a clear option to object. This means that even if organisations have reviewed their cookies compliance recently as part of the ICO’s previous waves of checks, there may still be benefit to revisiting this again now that the DUAA has been enacted.
As a reminder this change is applicable to the UK only at this point. The approach under the EEA member states’ implementation of the e-privacy directive (which is the source of the cookies rules) remains unchanged, at least for now. So careful consideration is needed when it comes to the measures required for adoption in practice.
Enforcement Update
- Previously, PECR breaches carried a maximum fine of £500,000. Under the DUAA, these breaches are now subject to UK GDPR-level penalties: up to £17.5 million or 4% of global annual turnover, whichever is higher.
- This change is expected to be a priority for the ICO, especially as the newly renamed Information Commission can now retain a portion of fines - potentially incentivising stricter enforcement.
What Should You Do?
- Reassess your digital marketing campaigns and approach to consent - complaints could now lead to significantly higher fines;
- Ensure consent is collected for technologies used to track ad performance or user behaviour (on both your website and your mobile apps);
- Review your website’s cookie usage and assess where consent is, and is not, still required under the new rules.
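The pre-consent check described under the ICO compliance checks and the DUAA review above can be scripted. The following is an added example, not code from the article or the ICO: it takes the Set-Cookie headers recorded on a first page load, before any banner interaction, and compares them with the site’s published cookie policy, treating analytics and functionality cookies as disclosure-and-objection only under the DUAA and as consent-required under the unchanged EEA position. The header samples, category names and policy mapping are constructed for illustration.

```python
# Added example: classify cookies set before any consent interaction against
# the site's published cookie policy. Category names, policy mapping and
# sample headers are constructed for illustration, not an ICO schema.
# UK DUAA: analytics/functionality cookies no longer need consent but must be
# disclosed with an option to object; marketing cookies still need consent.
CONSENT_REQUIRED = {"marketing"}
OBJECT_ONLY = {"analytics", "functionality"}
EXEMPT = {"strictly_necessary"}

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val or True  # bare flags (Secure) become True
    return name.strip(), value, attrs

def audit_pre_consent(headers, policy, uk_duaa=True):
    """Map cookie name -> finding. With uk_duaa=False the EEA position
    applies and analytics/functionality cookies also need prior consent."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        category = policy.get(name)
        if category is None:
            finding = "undocumented"  # not described in the cookie policy
        elif category in EXEMPT:
            finding = "ok"
        elif category in CONSENT_REQUIRED or (category in OBJECT_ONLY and not uk_duaa):
            finding = "set_before_consent"
        else:
            finding = "needs_information_and_objection"
        # Expires/Max-Age means it outlives the session: the usual tracking pattern
        if finding != "ok" and ("expires" in attrs or "max-age" in attrs):
            finding += "_persistent"
        findings[name] = finding
    return findings

# Constructed first-load headers and the matching published policy.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_analytics=GA1.2.111; Max-Age=63072000; Path=/; SameSite=Lax",
    "lang=en-GB; Path=/",
    "_adtrack=x9y8; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    "_mystery=1; Path=/",
]
SAMPLE_POLICY = {"session_id": "strictly_necessary", "_analytics": "analytics",
                 "lang": "functionality", "_adtrack": "marketing"}
```

Run `audit_pre_consent(SAMPLE_HEADERS, SAMPLE_POLICY)` for the UK position and pass `uk_duaa=False` to see which additional cookies would need consent for EEA visitors.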
ICO Storage and Access Guidance Consultation
On 7 July, the ICO launched a public consultation on its updated guidance for storing and accessing information on user devices. This reflects the DUAA’s new exceptions under Schedule 12.
The guidance clarifies when cookies can be used without consent, provided the risk to user privacy is low.
Stakeholders are encouraged to submit feedback by 26 September 2025.
What’s the takeaway?
The UK’s cookie regime is undergoing a refresh. With compliance checks, tougher enforcement and developing guidance, organisations should keep up to date in this area by:
- auditing their cookie practices;
- understanding the DUAA’s implications; and
- engaging with the ICO’s consultations.
Because when it comes to cookies, stale practices could now come at a greater cost.