The Data (Use and Access) Act 2025 (DUAA) introduces changes to the rules around cookies and website tracking technologies. Find out what this could mean for your website and what areas you may need to review.
What DUAA means for cookies on your website
The Data (Use and Access) Act 2025 (DUAA) updates the rules around cookies and similar technologies used by websites.
Cookies are used for many reasons, including helping websites function properly, remembering user preferences, understanding how visitors use a website and supporting online marketing. The changes do not remove cookie requirements, but they introduce some additional situations where certain technologies may be used without consent.
For full details on the changes and how they apply, we recommend reviewing the latest ICO guidance on cookies and storage technologies.
Looking for a broader overview of the Act? Read our DUAA 2025 article.
What has changed?
Before DUAA, websites generally needed consent before storing or accessing information on a user’s device unless a specific exception applied. DUAA introduces exceptions for certain low-risk uses of cookies and similar technologies.
This may include situations where cookies are needed to:
- provide a service or feature requested by a user
- support the operation of a website
- collect certain statistical information to improve an online service, where the requirements are met
However, cookies used for activities such as advertising, profiling or many types of marketing tracking will generally still require consent.
What does this mean for your website?
The main question for website owners is not simply whether you have a cookie banner but whether your cookie setup accurately reflects what your website is doing. You should review:
Cookie banner and consent settings
Check that your cookie banner:
- clearly explains what cookies are used for
- gives visitors appropriate choices
- matches the cookies actually being used on the website
- does not suggest consent is needed where an exception applies or fail to request consent where it is still required
Analytics tools
Review whether your analytics tools are configured correctly. For example, check:
- what information is collected
- whether cookies are being used
- whether the tool is only used for statistical purposes or also for advertising and marketing
- whether your current consent approach still reflects this
Third-party tools
Many website features can involve cookies or tracking, including:
- embedded videos
- maps
- booking systems
- chat tools
- social media feeds
- marketing platforms
These should be reviewed as part of your website audit.
Do you need to update your website?
Possibly. The impact will depend on the cookies and technologies your website uses. You may need to:
- update your cookie policy
- review your cookie banner settings
- check third-party integrations
- remove unused tracking tools
- update website privacy information
Don’t forget that DUAA also introduces new requirements around handling data protection complaints. You should have a clear process for managing complaints and may want to reference this in your Cookie Policy so visitors know how to raise concerns about cookies and tracking technologies, if required.
Why this matters
Cookies are an important part of many websites but they need to be managed carefully. Reviewing your website setup can help ensure visitors receive clear information, choices are handled correctly and your website reflects the technologies it uses. This also helps you stay in line with current ICO guidance and good practice.
Need help reviewing your website?
If you need support reviewing your cookie setup, website tracking tools or privacy information, our team can help. Get in touch to discuss what your website needs.
