Cookie rules in the UK sit in PECR, the privacy and electronic communications rules, alongside the UK GDPR. The Data (Use and Access) Act 2025 changed two things that matter: it relaxed consent for some cookies, and it made getting cookies wrong far more expensive.
What changed
- Lighter consent for low-risk cookies. You no longer need consent for certain low-risk uses, such as audience measurement and analytics, keeping a service secure, or remembering someone’s settings, as long as you tell people clearly and give an easy way to opt out.
- Much bigger fines. Penalties under PECR now match the UK GDPR: up to £17.5 million or 4% of worldwide annual turnover, against a previous cap of £500,000.
What did not change
Advertising and tracking cookies, and anything that builds a profile of someone or shares data with third parties for ads, still need consent. So the banner is not going away; it is getting more focused. The point is to stop asking for consent you do not need, not to drop consent where it is still required.
What to do
- List your cookies. You cannot categorise what you have not found. Check the site and any embedded tools.
- Sort them into buckets. Strictly necessary, low-risk (analytics, functional), and advertising or tracking.
- Update the banner. Load the low-risk ones with clear information and an opt-out; keep a genuine consent choice for advertising and tracking.
- Write it down. Keep a short record of what you set and why, so you can show your reasoning.
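One way to enforce the buckets above in the page itself, as an added example (not code from the original post or from any consent vendor): a small JavaScript gating module in which strictly necessary tags always run, low-risk tags run unless the visitor has opted out, advertising tags run only after an explicit consent action, and anything not yet classified fails closed. The category names, the `cookie_prefs` cookie, its attributes and the script registry are all assumptions made for the example; the registry entries are constructed sample data, not real tags.

```javascript
// Category-based cookie gating (added example). Category names, the
// script registry and the preference cookie shape are assumptions.

const CATEGORIES = Object.freeze({
  STRICTLY_NECESSARY: 'strictly_necessary', // always allowed
  LOW_RISK: 'low_risk',        // analytics, security, settings: on unless opted out
  ADVERTISING: 'advertising',  // tracking/profiling: off until consent is given
});

// Preferences before the visitor has touched the banner. Note the asymmetry:
// low-risk is opt-out, advertising is opt-in.
const DEFAULT_PREFS = Object.freeze({
  low_risk_opt_out: false,
  advertising_consent: false,
  updated_at: null,
});

// Decide whether a category may run under the given preferences.
function isAllowed(category, prefs = DEFAULT_PREFS) {
  switch (category) {
    case CATEGORIES.STRICTLY_NECESSARY:
      return true;
    case CATEGORIES.LOW_RISK:
      return !prefs.low_risk_opt_out;
    case CATEGORIES.ADVERTISING:
      return prefs.advertising_consent === true;
    default:
      // Unknown category: fail closed so an unclassified tag never loads.
      return false;
  }
}

// Apply a banner action and return the new preferences (the old object is
// left untouched so the change can be logged alongside the previous state).
function applyAction(prefs, action, now = Date.now()) {
  switch (action) {
    case 'accept_advertising':
      return { ...prefs, advertising_consent: true, updated_at: now };
    case 'reject_advertising':
      return { ...prefs, advertising_consent: false, updated_at: now };
    case 'opt_out_low_risk':
      return { ...prefs, low_risk_opt_out: true, updated_at: now };
    case 'opt_in_low_risk':
      return { ...prefs, low_risk_opt_out: false, updated_at: now };
    default:
      throw new Error(`unknown banner action: ${action}`);
  }
}

// Constructed registry: every tag declares the bucket it was sorted into.
const SCRIPT_REGISTRY = [
  { id: 'session-csrf', category: CATEGORIES.STRICTLY_NECESSARY },
  { id: 'analytics', category: CATEGORIES.LOW_RISK },
  { id: 'ad-pixel', category: CATEGORIES.ADVERTISING },
  { id: 'unclassified-widget', category: 'unknown' }, // deliberately unsorted
];

// Split the registry into tags that may load and tags that were blocked,
// with a reason for each block so the decision can go in the written record.
function partition(registry, prefs) {
  const allowed = [];
  const blocked = [];
  for (const s of registry) {
    if (isAllowed(s.category, prefs)) allowed.push(s.id);
    else blocked.push({ id: s.id, reason: `category '${s.category}' not permitted` });
  }
  return { allowed, blocked };
}

// Serialise preferences for a first-party cookie. The cookie that stores the
// choice is itself strictly necessary. Attribute choices are an assumption.
function prefsCookie(prefs, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(prefs));
  return `cookie_prefs=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read preferences back from a Cookie header; malformed input falls back to
// the defaults rather than granting anything.
function parsePrefsCookie(cookieHeader) {
  const m = /(?:^|;\s*)cookie_prefs=([^;]*)/.exec(cookieHeader || '');
  if (!m) return { ...DEFAULT_PREFS };
  try {
    return { ...DEFAULT_PREFS, ...JSON.parse(decodeURIComponent(m[1])) };
  } catch {
    return { ...DEFAULT_PREFS };
  }
}
```

Two design points are worth keeping whatever library you end up using: an unclassified tag is blocked, not waved through, which turns the "list your cookies" step into something the code checks rather than something you hope was done; and `partition` returns the blocked list with reasons, which gives you the audit trail the "write it down" step asks for.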
For the wider picture of what the Act changed across UK data protection, see our plain-English guide to the DUAA.