DUA Act and the 5 cookie exceptions

The Data (Use and Access) Act 2025 (DUAA) introduces changes that will allow organisations to use cookies and other tracking technologies for more activities without having to collect consent.

Essentially DUAA rewrites Regulation 6 of the Privacy and Electronic Communications Regulations (PECR). The two exceptions to consent already in PECR (transmission of a communication, and strictly necessary) are joined by three new ones, making five in total. And there’s time to plan, as these provisions have yet to take effect.

Helpfully, the ICO has already added a new section on the exceptions to its draft Guidance on Storage and Access Technologies (previously known as the Cookie Guidance).

Just for ease, whenever I refer to ‘cookies’ in this article, I mean cookies and similar technologies, including tracking pixels, navigational tracking, web storage, fingerprinting techniques, plug-ins, scripts, tags and any other storage and access technologies. For more detail see the draft ICO guidance: what are storage and access technologies.

Of note: with some (but not all) of the exceptions you’ll still need to give people clear and comprehensive information, and give them an easy way to object.

The 5 cookie exceptions

The ICO makes it clear an exception will only apply if your use of ‘cookies’ aligns with the purposes and requirements of that exception. It stresses: “If your usage goes beyond these, you must get consent”.

Here’s a quick snapshot of the exceptions…

1. Communication exception

This applies when the sole purpose of ‘cookies’ is to carry out the transmission of a communication. To rely on this exception you’ll need to meet specific criteria, and the ICO says you “must ensure that the transmission of the communication is impossible without the use of particular storage and access technology”.

The ICO gives two examples: device fingerprinting techniques used solely for network management purposes, and session cookies used for load balancing, with the sole purpose of identifying which server in the pool the communication will be directed to. Note the word “sole”: a load-balancing cookie that is also reused for anything else (for example to carry session state for other features) would fall outside this exception.

2. Strictly necessary exception

This existing exception applies when your purpose is essential to provide a service which a subscriber or user requests. In other words, on a technical level the service can’t be provided without the use of ‘cookies’. PECR itself (as amended by DUAA) lists some examples of activities that meet this exception:

ensuring the security of terminal equipment;
preventing or detecting fraud;
preventing or detecting technical faults;
authenticating the subscriber or user; and
recording information or selections the user makes on an online service.

The ICO says this exception would apply to remembering the goods a user wishes to buy when they go to the online checkout, or add goods to their shopping basket. BUT it would not apply to cross-device tracking, online advertising or social media plug-ins.

3. Statistical purposes exception

This applies when the sole purpose of ‘cookies’ is to collect information for statistical purposes about how an online service is used, with a view to making improvements to that service. It also covers how a website (by means of which a service is provided) is used, again with a view to making improvements.

This exception only applies if you provide an Information Society Service (ISS) and your statistical purposes concern the use of your own service. (The ICO’s Children’s Code gives a definition and examples of an ISS.)

The ICO’s draft guidance stresses: “it is not a broad exception that covers all types of analytics technologies or ways you can use them. It is about how your service is used, not about who uses it. It is not for identifying, tracking or monitoring people or groups of people who use your service. It also doesn’t apply to things like online advertising.”

The ICO says this exception would apply to counting total visits to your website, page by page (eg for traffic analysis to understand user journeys).

Transparency and an opt-out

While consent won’t be needed, it will still be necessary to provide clear and comprehensive information about the ‘cookies’ deployed AND give users a ‘simple and free’ means to object, i.e. an opt-out.

Can we use third party analytics providers?

The ICO says it would be permitted to use third-party analytics services, with a big caveat: “you must ensure that the third party only assists you in achieving your purpose”.

Any third-party analytics provider must act on your behalf and not use the data for its own purposes. In other words, it must be a processor, not a joint or separate controller. In practice that means checking the provider’s actual terms and product settings, not just its marketing: a provider that reserves the right to use your visitors’ data to improve its own products, build benchmarks or serve its other customers is acting for its own purposes. Among other matters this means making sure you have:

clarified your role (as a controller) and that of your analytics provider (as a processor)
considered any international data transfers
appropriate terms in place (e.g. a Data Processing Agreement).

4. Appearance exception

This applies when your sole purpose is to adapt the way your service appears or functions in line with the subscriber or user’s preferences.

The ICO says this exception would apply to remembering the language the subscriber or user selects (eg on a multilingual website). But it would not apply to changing the content you display to a user based on known or inferred interests or behaviours.

Transparency and an opt-out

When relying on this exception you must provide clear and comprehensive information about the ‘cookies’ deployed AND give users a ‘simple and free’ means to object, i.e. an opt-out.

5. Emergency assistance exception

This applies if your sole purpose is to identify the geographical position of a subscriber or user’s device(s) in order to provide emergency assistance. It specifically allows you to use information about someone’s location, including GPS-based location information from smartphones, tablets, sat-navs and other devices. For the exception to apply, the ICO says the subscriber or user needs to have requested emergency assistance.

For full details and other examples see the ICO’s draft guidance: what are the exceptions.

What this means in practice

This does not mark the end of the cookie banner and consent mechanisms. However, it will allow organisations to reconfigure their Consent Management Platforms (CMPs). Once the provisions are in force, if you rely on an exception you will be able to set a ‘cookie’ on a user’s device without needing to gain consent. You still need to be mindful of transparency and opt-out requirements, and anything outside an exception (online advertising in particular) stays behind the consent gate.
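As an added illustration (this is not code from the article or from the ICO guidance), the following JavaScript sketches how a CMP gate might encode the three regimes just described: tags that always load, tags that load without consent but must honour a simple, free opt-out, and tags that must wait for opt-in. The category labels, tag ids and the inventory are assumptions made for the example, and the mapping of categories to regimes is this example’s own reading of the text, not a legal determination.

```javascript
// Added example (not from the article or the ICO): a minimal CMP gate that
// models the three regimes in the text. Category names, tag ids and the
// inventory below are assumptions made for illustration.

// How each category is gated. "always": no consent and no opt-out needed;
// "opt_out": loads without consent but a simple, free opt-out must be honoured;
// "consent": must not load until the user has opted in.
const GATING = {
  strictly_necessary: "always",
  communication: "always",
  emergency: "always",
  statistics: "opt_out",
  appearance: "opt_out",
  advertising: "consent",
};

// Constructed tag inventory, the kind of output a cookie review
// ("identify, analyse and categorise") would produce.
const TAGS = [
  { id: "session-auth", category: "strictly_necessary" },
  { id: "lb-sticky-session", category: "communication" },
  { id: "first-party-analytics", category: "statistics" },
  { id: "language-preference", category: "appearance" },
  { id: "ad-pixel", category: "advertising" },
  { id: "mystery-script", category: "unclassified" },
];

// User state kept by the CMP: consent-gated categories the user has opted
// in to, and exception-based categories the user has objected to.
function newState() {
  return { consented: new Set(), optedOut: new Set() };
}

// Decide whether a single tag may be loaded for this user. A tag whose
// category is unknown fails closed: it is treated as consent-required with
// no consent given, so a mis-tagged script never slips through on an exception.
function mayLoad(tag, state) {
  switch (GATING[tag.category]) {
    case "always":
      return true;
    case "opt_out":
      return !state.optedOut.has(tag.category);
    case "consent":
      return state.consented.has(tag.category);
    default:
      return false;
  }
}

// Ids of the tags the CMP may load for this user right now.
function loadableIds(tags, state) {
  return tags.filter((t) => mayLoad(t, state)).map((t) => t.id);
}

// Record an objection to an exception-based category. Returns the ids of
// tags that were loadable before and no longer are, so the caller can stop
// them and clear their cookies: the opt-out takes effect going forward,
// not only at the next visit.
function optOut(tags, state, category) {
  if (GATING[category] !== "opt_out") {
    throw new Error(`category ${category} is not gated by opt-out`);
  }
  const before = loadableIds(tags, state);
  state.optedOut.add(category);
  const after = new Set(loadableIds(tags, state));
  return before.filter((id) => !after.has(id));
}

// Record opt-in for a consent-gated category (eg advertising).
function consent(state, category) {
  if (GATING[category] !== "consent") {
    throw new Error(`category ${category} is not gated by consent`);
  }
  state.consented.add(category);
}
```

The point of the shape: exception-based tags are evaluated before any banner interaction, so they are not held hostage to the consent click, but the opt-out is enforced in the same code path and returns the tags that must be torn down. Anything not explicitly mapped is refused, which is the safe default when the inventory and the deployed tags drift apart.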

However, organisations operating beyond the UK still need to consider differing rules in other jurisdictions.

What steps can we take now?

We’d advise conducting a cookie review: identify, analyse and categorise every ‘cookie’ you set, including those set by third-party scripts. Assess your current approach, and whether these changes give you an opportunity to simplify or re-design your CMP. You can start working on how this will look moving forward.

What about ad tech?

None of the above changes affect the ad tech ecosystem. For online advertising, consent remains a requirement. However, the Information Commissioner has indicated he will adopt “a risk-based approach to enforcing PECR”. The Regulator is currently reviewing PECR consent requirements to “enable a shift towards privacy-preserving advertising models”.

A statement is anticipated later this year on ‘low risk’ advertising activities which are unlikely to cause harm or trigger enforcement action. See the ICO’s package of measures to drive economic growth.