Data Use and Access Act (DUAA) in the UK

On 19 June 2025 the Data Use and Access Act received Royal Assent. It amends the Data Protection Act 2018, the UK GDPR and PECR.

It is still being implemented, and some provisions will come into force in one year.

The main changes I want to discuss concern PECR, namely the use of cookies.


Before DUAA

Websites need consent to store or access information, such as cookies, on a user's device. However, PECR already provided two exceptions where consent is not required:

  • communication exception, and
  • strictly necessary exception.

Important: even where consent is not required, the user must still be provided with:

  • simple, complete details on how the technology is being used, and
  • a straightforward way to object to that use.

Communication Exception

The communication exception allows cookies to operate without explicit consent, provided they are strictly necessary to transmit a communication over an electronic network. In essence, this exception recognises that some technical processes are inherent to the act of sending or receiving information and cannot be separated from the communication itself.


Requirements for Transmission

For a message or data exchange to occur between two devices on a network, three technical capabilities must be in place:

  • Endpoint identification and routing
    Devices must be able to find and direct information to one another. This involves recognising the sender’s and receiver’s addresses (IP addresses, ports, or other identifiers) and ensuring packets travel along the correct path.
  • Ordered data exchange
    Messages are often split into multiple packets. The network must reassemble these packets in the intended sequence to reconstruct the original information accurately.
  • Error and loss detection
    Protocols must detect and sometimes correct any lost or corrupted packets, ensuring integrity and completeness of the transmitted data.

Scope of the Exception

The communication exception applies only when a storage or access mechanism satisfies one or more of the requirements above and is used solely to facilitate that transmission. It does not extend to analytics, advertising, or personalisation functions.


Necessary Use Condition

To rely on the exception, controllers must demonstrate that the transmission could not occur or would be fundamentally impaired without the specific technology (e.g., a session cookie to maintain state between pages). If alternative methods exist that would achieve the same transmission without storing data on the user’s device, consent is required.


Examples

  • A session cookie that retains your login state as you navigate between pages (ensuring ordered data exchange and endpoint continuity).
  • A security token stored temporarily to protect against cross-site request forgery (facilitating error detection by validating each request).
  • A load-balancing cookie that assigns your connection to a particular server to maintain reliable packet routing under high traffic.

Strictly Necessary Exception

The strictly necessary exception allows cookies to operate without consent when they are indispensable to delivering the online service the user explicitly requested, provided all of the following conditions are met:

  • The technology is essential for the technical provision of the information society service (ISS). Without it, core functionalities, such as maintaining session state or preserving form inputs during a multi-step process, would not operate correctly.
  • Use of the technology may also be necessary to meet binding legal requirements (for instance, security measures mandated by data protection regulations). However, this applies only if no alternative, less intrusive method can achieve the same compliance.
  • The determination of necessity must reflect the requirements of the user. Technologies employed solely for provider benefit, such as advertising cookies, fall outside the exception.

Demonstration of Strict Necessity

  • Documentation or testing must confirm that disabling the specific technology compromises the intended service functionality or legal compliance.
  • An evaluation of possible server-side or in-memory solutions must show that no viable substitute exists without degrading service performance or security.

Examples

  • Ensuring the security of terminal equipment.
  • Preventing or detecting fraud.
  • Preventing or detecting technical faults.
  • Authenticating the subscriber or user.
  • Recording information or selections the user makes on an online service.

After DUAA

The DUAA adds two more exceptions to PECR:

  • statistical purpose exception, and
  • appearance exception.

Statistical Purpose Exception

This exception allows an online service to store or access data on a user’s device without prior consent, provided that the only objective is to gather aggregate information to improve that service. Rather than permitting broad analytics or profiling, this exception is narrowly tailored to non-identifying measurements of how a website or app is used.

Although it may be necessary to process individual-level information temporarily (for instance, to count visits or measure session length), the final retained dataset must consist solely of aggregate statistics. This means:

  • No personal identifiers remain in stored records.
  • No decisions or inferences are drawn about specific individuals or groups.
  • Any raw personal data are deleted as soon as the aggregation is complete.

Examples

The following types of data collection are generally acceptable:

  • Totals of how many times each page is viewed, enabling analysis of overall traffic patterns and user journeys through the site.
  • Aggregate measures such as average scroll depth or the total number of clicks on different sections of a page, used to assess which content holds attention.
  • Summaries of device categories (mobile, desktop, tablet) and software environments (browser or operating-system versions) to understand the technical contexts in which the service is consumed.
  • High-level tracking of how visitors arrive, whether through an email campaign link, search engine result, or other external referrer URLs to understand marketing effectiveness.
  • Division of sessions into two or more anonymous cohorts for comparison of interactions with alternate designs or features, used solely to determine which variant drives better aggregate outcomes.
  • City- or region-level location summaries that cannot be traced to individual users.
  • Aggregate figures on page load times and common exit pages, helping to pinpoint technical bottlenecks or navigation issues that may disrupt the user experience.
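The "retain only aggregates" rule above is easy to state and easy to get wrong in practice: the usual failure is that the analytics store ends up holding raw IP addresses, full user-agent strings or campaign-tagged referrer URLs alongside the counts. The following Python script is an added example (not code from the post or from the ICO) showing one way to process individual-level records in memory only and return nothing but bucketed counts and averages. The log format, the hostnames, the device and referrer bucketing rules and the small-bucket suppression threshold are all constructed assumptions for the illustration; the threshold in particular is not a figure from the Act.

```python
"""Aggregate-only analytics over constructed access-log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in a hypothetical format:
#   <client_ip> <path> <referrer> "<user agent>" <load_ms>
SAMPLE_LOG = """\
203.0.113.5 /pricing https://search.example/q?x=1 "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)" 820
203.0.113.5 /checkout https://shop.example/pricing "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)" 1140
198.51.100.7 /pricing https://mail.example/campaign "Mozilla/5.0 (Windows NT 10.0; Win64)" 610
198.51.100.9 / - "Mozilla/5.0 (Linux; Android 14; Mobile)" 450
192.0.2.44 /pricing https://search.example/q?x=2 "Mozilla/5.0 (Macintosh; Intel Mac OS X)" 530
192.0.2.44 /docs https://shop.example/ "Mozilla/5.0 (Macintosh; Intel Mac OS X)" 700
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<path>\S+) (?P<ref>\S+) "(?P<ua>[^"]*)" (?P<ms>\d+)$')

SITE_HOST = "shop.example"  # assumed own hostname, used to recognise internal referrers


def device_category(ua: str) -> str:
    """Coarse device bucket; the raw user-agent string is never retained."""
    if "iPad" in ua or "Tablet" in ua:
        return "tablet"
    if "Mobile" in ua or "iPhone" in ua or "Android" in ua:
        return "mobile"
    return "desktop"


def referrer_category(ref: str) -> str:
    """Bucket the referrer; the full URL (which may carry campaign ids) is dropped."""
    if ref == "-":
        return "direct"
    host = ref.split("/")[2] if "://" in ref else ref
    if host == SITE_HOST:
        return "internal"
    if "search" in host:
        return "search"
    if "mail" in host:
        return "email"
    return "other"


def aggregate(log_text: str, min_bucket: int = 5) -> dict:
    """Return aggregate statistics only.

    Individual records exist only inside this loop and are not written anywhere.
    Any bucket with fewer than min_bucket records is suppressed so that small
    groups (e.g. one visitor from one city) cannot be traced back to a person.
    The default threshold is an assumption chosen for the example.
    """
    page_views = Counter()
    devices = Counter()
    referrers = Counter()
    load_totals = defaultdict(lambda: [0, 0])  # path -> [sum_ms, count]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than store it
        page_views[m["path"]] += 1
        devices[device_category(m["ua"])] += 1
        referrers[referrer_category(m["ref"])] += 1
        load_totals[m["path"]][0] += int(m["ms"])
        load_totals[m["path"]][1] += 1

    def suppress(counter: Counter) -> dict:
        return {k: v for k, v in counter.items() if v >= min_bucket}

    return {
        "page_views": suppress(page_views),
        "devices": suppress(devices),
        "referrers": suppress(referrers),
        "avg_load_ms": {p: round(s / n) for p, (s, n) in load_totals.items() if n >= min_bucket},
    }


def contains_identifiers(stats: dict, log_text: str) -> bool:
    """Self-check: does any raw IP or user-agent from the log survive in the output?"""
    flat = repr(stats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (m["ip"] in flat or m["ua"] in flat):
            return True
    return False


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG, min_bucket=2)
    print(stats)
    print("identifiers leaked:", contains_identifiers(stats, SAMPLE_LOG))
```

The design choice worth noting is that the function's return value is the only thing that leaves the loop: nothing per-visitor is appended to a list, cached or logged, so there is no "raw" dataset to delete afterwards. Small-bucket suppression is not something the post or the Act spells out, but it is the practical step that keeps city-level or referrer-level summaries from singling out one person.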

Use of Third-Party Analytics Providers

The service operator may either develop an in-house analytics solution or engage a third-party provider.

When relying on a third-party analytics service, the provider may only act on behalf of the service operator and must use the collected data solely to improve the operator’s service or website.

End users must be informed that analytics are handled by an external provider, together with a clear description of the provider’s processing activities.

The third party must function as a processor, not a joint controller. Contractual arrangements should:

  • define the processor’s precise duties;
  • prohibit any linking of analytics data with other datasets; and
  • address any international data transfers, where applicable.

Consent must be obtained if analytics data are ever repurposed, for example, to connect website behaviour with external advertising campaigns.


Appearance Exception

This exception permits the storage of, or access to, cookies or local storage when their sole purpose is to:

  • adapt the service’s presentation or behaviour to match an individual subscriber’s or user’s explicit preference;
  • enhance how the website appears or functions on the user’s chosen device.

Storage and access must serve only to adjust appearance or functionality in line with user preferences or to improve device-specific display. Any processing of personal data linked to appearance-related storage must be strictly limited to what is necessary for adapting or enhancing the site’s look and function.


Examples

  • Detecting a visitor’s screen dimensions to adjust page layout (for example, simplifying navigation for mobile users).
  • Remembering the language choice made by a visitor on a multilingual site, so the preferred language is shown on subsequent visits.
  • Reading a user’s operating-system theme setting (like “dark mode”) and mirroring that choice within the site or app interface. Users must still retain an in-service option to switch themes at any time.

What Has Not Changed

Online advertising, monitoring, tracking people and profiling them based on their behaviour are not covered by any of the exceptions. For all these uses consent is still needed.


Examples

  • Online advertising, including frequency capping, ad affiliation, ad measurement and performance, click fraud detection, market research, product improvement and debugging.
  • Logs or recordings of individual visitors and their actions (unless for security).
  • Information on whether users viewed or clicked an advert for performance measurement.
  • Connecting a visitor ID to their site activity (for example, conversions shared with advertising partners).
  • Tracking or profiling individual visitors or visitor categories (such as by IP address or pages visited).
  • Monitoring browsing across different services and applications.

For further changes and details, see the ICO guidance and factsheets.



Written By

Anastasiia Klymenko