Share
Relevant DUA Act Provisions: Part 5 Chapter 2 (Sections 105–108), amending PECR; and Section 155 of the DPA 2018
The DUA Act introduces key amendments to the Privacy and Electronic Communications Regulations 2003 (PECR), especially concerning consent exemptions for cookie usage and increased enforcement powers for the ICO.
- Cookie consent exemptions, Regulation 6 PECR: The DUA Act expands the list of cookie uses that may be exempt from the prior consent requirement under Regulation 6 (1) of PECR. In addition to strictly necessary cookies, consent is no longer required where cookies or similar technologies fall within the newly introduced categories of low-risk processing, provided they are strictly necessary for one of the specified exempted purposes under amended Regulation 6(1) PECR:
- Statistical/analytics purposes to improve the service.
- System security or fraud detection.
- Enhancing service functionality or tailoring user interfaces.
- Software updates or to improve user experience.
- Detecting faults or technical errors in a service.
Controllers must still assess whether cookie use is strictly necessary and that the privacy impact does not require user consent under the proportionality test.
These new exemptions reflect a shift to a risk-based approach, aimed at reducing unnecessary consent prompts (leading to “cookie fatigue”) while preserving user protection where risks are higher.
- Expansion of the soft opt-in regime – Regulation 22 PECR: Importantly, the DUA Act also amends Regulation 22 of PECR to extend the soft opt-in rule, previously limited to commercial organisations, to non-commercial entities, such as charities, political parties, and non-profits. These entities may now send direct marketing by email or text without prior opt-in if:
- The recipient’s contact details were obtained during a previous interaction.
- The marketing relates to similar activities or causes.
- A clear opportunity to opt out is provided at the point of data collection and in every subsequent message.
- Enhanced enforcement powers, Section 155 DPA 2018: Crucially , the DUA Act aligns the ICO’s enforcement powers under PECR with the UK GDPR fining regime. Section 155 of the DPA 2018 is amended to permit the ICO to impose administrative fines for PECR infringements of:
- Up to £17.5 million or 4% of global annual turnover for the most serious breaches.
- Up to £8.7 million or 2% of global turnover for lesser infringements.
This change closes a long-standing enforcement gap between the DPA 2018 and PECR. Previously, PECR violations were capped at £500,000, regardless of company size or global revenue, undermining deterrence. The new regime brings regulatory parity and enhances the ICO’s powers to regulate digital advertising, tracking, and spam.
Divergence
This reform diverges from the EU’s ePrivacy Directive regime, where consent remains the default requirement for most non-essential cookies and direct marketing, and enforcement powers vary by Member State. The UK’s risk-based exemptions and higher fines reflect a UK-specific recalibration that may reduce compliance burdens but create interoperability frictions for global platforms.
ICO commentary
The ICO has welcomed the DUA Act’s modernisation of PECR, stating that the reforms “bring PECR’s enforcement regime in line with the GDPR” and enable it to respond more effectively to contemporary digital threats. The ICO also signalled support for the cookie consent exemptions, provided they are applied transparently and limited to genuinely low-risk use cases. Further clarity is expected in summer 2025, when the ICO will publish draft guidance on the DUA Act’s amendments to storage and access technologies. This guidance is anticipated to clarify how the revised Regulation 6 exemptions should be interpreted and operationalised in practice. The ICO also plans to publish a more general update of the guidance on Direct Marketing and Privacy and Electronic Communications to include amendments from the DUA Act.
Recommendations
- Conduct a full audit of cookies, software development kits (SDKs), and similar technologies, especially for analytics or personalisation.
- Review whether analytics or functional cookies may qualify for the new exemption under Regulation 6(1) PECR taking into account whether their use is strictly necessary, low risk, and meets the proportionality threshold
- Update cookie consent banners, cookie policies, and internal documentation accordingly.
- Implement robust opt-out mechanisms for soft opt-in direct marketing and ensure clarity for non-commercial organisations (e.g. charities and political parties) apply the updated rules under Regulation 22 PECR.
- Reassess enforcement risk exposure in light of the ICO’s expanded sanctioning powers and update internal PECR compliance programs for digital marketing and tracking technologies. accordingly.
|
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs) |
United Kingdom