After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change.
For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.
The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same.
This series of blogs from the IT and data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things.
If you need a reminder about the meaning of some of the key data protection terminology used (eg, personal data, data subject, data controller, processing), please refer to our glossary.
In this article, Mills & Reeve considers how DUAA changes the permitted approach to cookies and other tracking technologies and asks, “What are the new rules on online tracking technologies such as cookies?”
The position prior to DUAA
Before DUAA, organisations were only permitted to set cookies and other tracking/storage technologies on a user’s device without the user’s consent in the following situations:
- Strictly necessary – where the use is strictly necessary for providing the service to the user (such as “essential” cookies).
- Network communications – where the sole purpose is for transmitting communications over an electronic communications network.
Any other use of cookies or other tracking and storage technologies would still need the user’s informed consent before the technologies can be used.
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) contained a general prohibition on the use of technologies (such as setting cookies) to store or access information on the device of a user unless:
- The user has been provided with “clear and comprehensive information about the purposes of the storage of, or access to, that information”.
- The user has given their consent.
So, what’s changing?
DUAA introduces a series of additional exceptions to the general prohibition that a business may rely on when setting cookies and similar technologies on a user’s device. It also gives the Secretary of State the power to amend PECR to create new exceptions to the general prohibition under Regulation 6, or to vary or remove existing exceptions. The three new exceptions are as follows:
- Statistical purposes – where the sole purpose is to collect information about how the service (or the website through which the service is provided) is used in order to improve the service (or its website) (for example, “analytics” cookies), provided that:
  - The information collected is not shared with any person except to enable them to help make the improvements.
  - The user is given “clear and comprehensive information” about the purpose.
  - The user is given a simple and free way to object or opt out – and doesn’t do so.
- Website appearance/functionality – where the sole purpose is to enable or enhance the way the website functions or appears on the user’s device (for example, “functional” cookies), provided that:
  - The user is given “clear and comprehensive information” about the purpose.
  - The user is given a simple and free way to object or opt out – and doesn’t do so.
- Emergency assistance – where the sole purpose is to locate the user of a device in order to provide emergency assistance, and is a response to a communication from the device that either requests emergency assistance or indicates that the user needs emergency assistance (for example, emergency alert notifications on smart devices that monitor health information and trigger geolocation of the device when a user is in distress).
Even with the new exceptions, where information is collected and shared with third parties for advertising purposes (such as with targeting cookies), this will still be caught by the general prohibition and will still require user consent.
When are these changes coming into force?
5 February 2026.
The practical impact for businesses
Businesses should consider whether to audit their cookie compliance policies and practices (including cookie banners) to take advantage of the new exceptions (when they become lawful) and be comfortable that they are compliant with the applicable regulatory requirements. This may ultimately enable businesses to operate simpler processes and provide a smoother experience for their users. One possible way that businesses may do this is by shifting to a process of “notice and opt out” where the new exceptions permit.
The biggest practical impact for any businesses that operate within both the UK and the EU is that the changes created by DUAA represent a divergence between the regulatory approach to use of cookies in the two regions. As such, while some businesses may find it beneficial to take advantage of the UK’s new exceptions, others may find it easier to adopt a uniform cross-border approach to cookie consent that follows the stricter set of rules to which the business is subject.