Clifford Chance

Talking Tech

What you need to know about the Data (Use and Access) Act

Part Six: Cookies, trackers and security patches

Data Privacy 16 July 2025

This is part six of our series of articles on the UK's Data (Use and Access) Act 2025 (DUA Act). Click on the links to read the other parts.

We have also published a comprehensive PDF bringing all these together in one document for you to read and share.

Cookies, trackers and security patches

Provision for low-risk cookies and trackers

The DUA Act introduces new provisions that clarify and expand the circumstances in which consent for cookies under PECR will not be required. At present, PECR requires consent for storage of, or access to, information within terminal equipment (e.g., phones, browsers) via cookies, trackers and similar technologies. It provides an exception for cookies that: (a) are "strictly necessary" for the user or subscriber to receive the service they have requested from the service provider; or (b) have the sole purpose of transmission of a communication across a network.

Under the DUA Act, the circumstances in which it will not be necessary to obtain such consent to store or access information include:

  • statistical / analytics cookies – that gather information about how a website or digital service is used with a view to making improvements to the website or service (subject to information provision and the ability to object);
  • personalisation / appearance cookies – that automatically authenticate a repeat user of a digital service or repeat visitor to a website and/or maintain a record of settings or preferences that the user has set to save the user the effort of setting those settings or preferences each time they return (subject to information provision and the ability to object);
  • strictly necessary cookies – the DUA Act clarifies that cookies that are strictly necessary to provide a service requested by the user include, for example, the following use cases: (i) preventing or detecting fraud in connection with providing the service; (ii) preventing or detecting technical faults when providing the service; or (iii) automatically authenticating the identity of the user; and
  • other cookies – cookies to find the geolocation of the user of a device to provide emergency assistance to the individual.

Taking advantage of these exemptions in the UK could provide a more streamlined user experience, reduce consent requests and make it easier to roll out security-related software updates. However, implementing a UK system separate from the one used for the rest of Europe could lead to increased complexity and operational costs. These factors would need to be weighed in any operational decision to take advantage of the exemptions.