The UK DUA Act’s Reform Pillars: Divergence from the EU GDPR - Cookies and PECR Reform

Relevant DUA Act Provisions: Part 5 Chapter 2 (Sections 105–108), amending PECR; and Section 155 of the DPA 2018

The DUA Act introduces key amendments to the Privacy and Electronic Communications Regulations 2003 (PECR), especially concerning consent exemptions for cookie usage and increased enforcement powers for the ICO.

  • Cookie consent exemptions, Regulation 6 PECR: The DUA Act expands the list of cookie uses that are exempt from the prior consent requirement under Regulation 6(1) of PECR. In addition to strictly necessary cookies, consent is no longer required where cookies or similar technologies are considered “low-risk” and are used solely for:
    • Statistical/analytics purposes to improve the service.
    • System security or fraud detection.
    • Enhancing service functionality or tailoring user interfaces.
    • Software updates or to improve user experience.
    • Detecting faults or technical errors in a service.

These new exemptions reflect a shift to a risk-based approach, aimed at reducing unnecessary consent prompts (and the resulting “cookie fatigue”) while preserving user protection where risks are higher. The exemptions are conditional rather than unconditional: the user must still be given clear and comprehensive information about the purpose of the storage or access and a simple means of objecting to it, so a consent banner is not simply replaced by silent tracking.

  • Expansion of the soft opt-in regime, Regulation 22 PECR: Importantly, the DUA Act also amends Regulation 22 of PECR to extend the soft opt-in rule, previously limited to commercial organisations, to non-commercial entities such as charities, political parties, and non-profits. These entities may now send direct marketing by email or text without prior opt-in if:
    • The recipient’s contact details were obtained during a previous interaction.
    • The marketing relates to similar activities or causes.
    • A clear opportunity to opt out is provided at the point of data collection and in every subsequent message.
  • Enhanced enforcement powers, Section 155 DPA 2018: Crucially, the DUA Act aligns the ICO’s enforcement powers under PECR with the UK GDPR fining regime. Section 155 of the DPA 2018 is amended to permit the ICO to impose administrative fines for PECR infringements of:
    • Up to £17.5 million or 4% of global annual turnover for the most serious breaches.
    • Up to £8.7 million or 2% of global turnover for lesser infringements.

This change closes a long-standing enforcement gap between the DPA 2018 and PECR. Previously, PECR fines were capped at £500,000 regardless of an organisation’s size or global revenue, which undermined deterrence for large platforms. The new regime brings regulatory parity between the two statutes and strengthens the ICO’s hand in regulating digital advertising, tracking, and spam.

Divergence

This reform diverges from the EU’s ePrivacy Directive regime, where consent remains the default requirement for most non-essential cookies and for much direct marketing, and where enforcement powers vary by Member State. The UK’s risk-based exemptions and higher fines reflect a UK-specific recalibration that may reduce compliance burdens domestically but creates interoperability frictions for global platforms, which will typically still have to run the stricter EU consent model for EU users.

ICO commentary 

The ICO has welcomed the DUA Act’s modernisation of PECR, stating that the reforms “bring PECR’s enforcement regime in line with the GDPR” and enable it to respond more effectively to contemporary digital threats. The ICO also signalled support for the cookie consent exemptions, provided they are applied transparently and limited to genuinely low-risk use cases.

Recommendations

  • Conduct a full audit of cookies, software development kits (SDKs), and similar technologies, especially for analytics or personalisation.
  • Review the Regulation 6(1) PECR exemptions and determine whether current practices now qualify as low-risk; where they do, make sure users are still given clear information about the use and a simple way to object.
  • Update consent banners, cookie policies, and documentation accordingly.
  • Implement robust opt-out mechanisms for soft opt-in direct marketing and ensure clarity for non-commercial users.
  • Reassess enforcement risk exposure in light of the ICO’s expanded sanctioning powers and update internal PECR compliance programs accordingly.


This article is part of a twelve-part series analysing the key legal reforms introduced by the Data (Use and Access) Act 2025 (DUA Act), which received Royal Assent on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are:

  1. Recognised legitimate interests (RLIs)
  2. Purpose limitation
  3. Automated decision-making (ADM)
  4. Data subject access requests (DSARs)
  5. Complaints handling
  6. Law enforcement and national security
  7. Age appropriate design code (AADC or Children’s Code)
  8. Scientific, historical and statistical purposes
  9. International data transfers
  10. Cookies and PECR Reform
  11. Information Commissioner’s Office (ICO) Reform
  12. Codified convergences with EU Law