Cookie banners are now a familiar, and sometimes irritating, part of using the internet. However, not all are compliant, particularly with the new rules which came into effect earlier this year.

The Data (Use and Access) Act 2025 (DUAA) amended the cookie rules under the Privacy and Electronic Communications Regulations (PECR); the amendments came into force on 5th February 2026. The ICO updated its guidance on the DUAA changes to cookie law on 29th April 2026.

What are cookies?

Cookies are small text files that a web server creates in its reply to a request from a user’s browser. The user’s device stores them and sends them back with later requests to the same web server.

Cookies are used to increase the efficiency of a website’s operation and to inform the website operator. Uses of cookies include:

  • Recognising a user’s device;
  • Recalling the contents of a basket during online shopping;
  • Helping users log in to a website;
  • Examining traffic to a website; or
  • Tracing users’ browsing behaviours.

What has changed?

Before the DUAA, organisations could not use cookies to store or access information on a user’s device unless the user had given consent and had been given clear and comprehensive information about the purposes of the storage. Organisations could only set cookies on a user’s device without the user’s consent where cookie use was strictly necessary for providing the service to the user (“essential” or “strictly necessary” cookies) or where the sole purpose was to transmit communications over an electronic communications network.

From 5th February 2026, the DUAA adds further “low risk” cookies to those for which consent is not needed. Consent is now also not needed for cookies used for the following additional purposes:

  1. Appearance - to ensure correct website appearance or functionality;
  2. Statistical purposes - to collect aggregate statistical information for service improvement; and
  3. Emergency assistance - to locate the device user to provide emergency assistance.

For the statistical purpose and appearance exceptions, organisations must still give clear and comprehensive information about the purpose of the tracking and provide a simple and free means to object to the use of cookies.

These new exceptions will not apply if information is collected and shared with third parties for advertising. For this, user consent will still be needed.

What do compliant cookie banners look like?

Compliant cookie banners typically include the following:

Clear information: The banner should concisely state the cookies’ purpose and link to a cookie policy that contains detailed information on the cookie types in use, their purposes, and any third parties involved.

Consent mechanism: Users must have the option of accepting or rejecting cookies; for instance, a pop-up window or sliding toolbar allowing users to select their cookie preferences by category (such as essential, analytics, marketing). Pre-ticked boxes or using the website without taking an action (implied consent) are not acceptable. The consent mechanism must function across all devices and browsers.

Affirmative action: Consent must be gained through a positive action, such as pressing an “Accept” button. Silence or inactivity is not valid consent.

Accessibility: The banner should be accessible to all, including users with disabilities, to meet the requirements of the Equality Act 2010 and other applicable accessibility regulations.
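To show what the consent mechanism and affirmative action requirements above mean in code, here is an added example of a consent gate for a site’s own scripts; it is not code from the article or from Boyes Turner. The category names (essential, analytics, marketing) follow the article; the function names, the JSON consent record and the in-memory cookie jar standing in for document.cookie are assumptions made for this example. Non-essential cookies are never set until a choice has been recorded, a stored record that is missing or malformed falls back to no consent rather than to acceptance, and nothing starts pre-ticked.

```javascript
// Added example (not the article's code): a consent gate that refuses to set
// non-essential cookies until the user has taken an affirmative action.
// Function names and the consent record format are assumptions for this example.

// Categories that never need consent. 'essential' stands for strictly
// necessary cookies. Whether a given analytics cookie qualifies for the
// DUAA statistical-purposes exception is a judgement the site owner must
// make, so analytics is kept consent-required here.
const EXEMPT_CATEGORIES = new Set(['essential']);
const CONSENT_CATEGORIES = ['analytics', 'marketing'];

// Starting state: no choice recorded, every consent category off.
// This is what rules out pre-ticked boxes and implied consent.
function defaultConsent() {
  return { analytics: false, marketing: false, recordedAt: null };
}

// Read a stored record (e.g. from a first-party consent cookie). Anything
// missing or malformed falls back to "no consent", never to "accept".
function parseConsent(raw) {
  if (typeof raw !== 'string' || raw === '') return defaultConsent();
  try {
    const p = JSON.parse(raw);
    const consent = defaultConsent();
    for (const c of CONSENT_CATEGORIES) consent[c] = p[c] === true;
    consent.recordedAt = typeof p.recordedAt === 'string' ? p.recordedAt : null;
    return consent;
  } catch {
    return defaultConsent();
  }
}

// Record the user's explicit choice from the banner's category toggles.
// Only a literal true counts as acceptance; "Reject all" passes {}.
function recordConsent(choices, now = new Date()) {
  const consent = defaultConsent();
  for (const c of CONSENT_CATEGORIES) consent[c] = choices[c] === true;
  consent.recordedAt = now.toISOString();
  return consent;
}

// Decide whether a cookie of the given category may be set right now.
function canSetCookie(category, consent) {
  if (EXEMPT_CATEGORIES.has(category)) return true;
  if (!CONSENT_CATEGORIES.includes(category)) return false; // unknown category: deny
  if (consent.recordedAt === null) return false;            // silence is not consent
  return consent[category] === true;
}

// Minimal in-memory stand-in for document.cookie so the example runs in Node.
function setCookie(jar, name, value, category, consent) {
  if (!canSetCookie(category, consent)) return false;
  jar.set(name, value);
  return true;
}

// Walk-through of the three states a visitor can be in (constructed data).
function demo() {
  const jar = new Map();
  const results = {};

  // 1. Fresh visitor: banner shown, nothing clicked yet.
  let consent = parseConsent(null);
  results.sessionBeforeChoice = setCookie(jar, 'session', 'abc', 'essential', consent);
  results.analyticsBeforeChoice = setCookie(jar, 'stats_id', 'x', 'analytics', consent);

  // 2. Visitor presses "Reject all".
  consent = recordConsent({});
  results.marketingAfterReject = setCookie(jar, 'ad_id', 'y', 'marketing', consent);

  // 3. Visitor accepts analytics only; the choice is persisted and re-read.
  const stored = JSON.stringify(recordConsent({ analytics: true }));
  consent = parseConsent(stored);
  results.analyticsAfterAccept = setCookie(jar, 'stats_id', 'x', 'analytics', consent);
  results.marketingAfterAccept = setCookie(jar, 'ad_id', 'y', 'marketing', consent);

  results.cookiesSet = [...jar.keys()];
  return results;
}
```

In a real banner the "Reject all" and "Accept all" buttons would both call recordConsent, with {} and with every category true respectively, so that the two paths are equally easy to take; the gate itself never needs to know which button was pressed, only that a choice was recorded.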

What do non-compliant cookie banners look like?

An example of a non-compliant cookie banner would be one that:

  • Does not provide users with an equally clear and prominent option to reject cookies as it does to accept them;
  • Tries to guide users towards accepting cookies by, for instance, having a more accessible ‘accept all’ button than a ‘reject all’ button;
  • Offers ambiguous options, such as sliders for cookie preferences that are not distinctly labelled as ‘on’ or ‘off’; or
  • Has settings pre-set to accept cookies.

Non-compliance with cookie banner requirements under PECR 2003 and the UK GDPR can result in stringent penalties. Under the DUAA, the maximum fine for breach of cookie and electronic marketing rules has been increased from £500,000 to £17.5m or 4% of global annual turnover (whichever is greater).

Next steps for UK organisations

Organisations should take the following steps following the recent changes:

  • Check that any current cookie banner is compliant and whether changes are needed to reflect the new exceptions, such as no longer seeking consent for cookies that no longer require it;
  • Update records of processing to record any changes in the use of cookies, including categories, retention periods, and recipients; and
  • Check whether data privacy impact assessments (DPIAs) are needed and put these in place where analytics or tracking cookies substantially affect data subjects.

If we can assist with drafting your cookie banners or policies, or if you have any questions, please get in touch with our Commercial Technology team at [email protected].
