Data (Use and Access) Act 2025: ICO Consults on Changes to Support Online Advertising Reform

The UK’s digital advertising regulatory landscape is shifting. The Data (Use and Access) Act 2025 (“DUAA”) will amend the Privacy and Electronic Communications Regulations (“PECR”). These future legislative updates have prompted the ICO to consult on various changes to their guidance and enforcement approach, which tie into a wider shift in their regulation of online advertising.

Overview

The DUAA, which received Royal Assent on 19 June 2025, will amend key data protection legislation, including the UK GDPR, the Data Protection Act 2018 and PECR. 

One of the more notable reforms is to PECR Regulation 6, which governs the use of cookies and similar technologies. The DUAA introduces new exceptions that allow certain types of data storage and access without explicit user consent. Broadly speaking, these exceptions apply where the technologies are deemed essential or pose minimal privacy risk, such as for website functionality or aggregated analytics.

These exceptions pave the way for changes in the online advertising space – the ICO hopes to continue to drive further change via secondary legislation that will create “an opportunity for new commercially viable advertising models that can support innovations to improve consumer privacy and boost economic growth.”

What is changing?

The existing rules provide that no information should be stored in the terminal equipment of a user unless (1) sufficient information has been provided and (2) the user has provided consent. 

PECR Reg. 6, in its current form, allows for two exceptions to this rule:

1. Such storage is for the sole purpose of “the transmission of a communication over an electronic communications network” (the “communication exception”); or
2. Such storage is “strictly necessary for the provision of an information society service requested by the subscriber or user” (the “strictly necessary exception”).

The DUAA, via section 112 and Schedule 12, introduces the following changes:

1. The strictly necessary exception is expanded to include six specific examples, providing greater clarity on its application; and
2. Three new exceptions have been added:
   1. Collecting information for statistical purposes about how the service is used (for example, tracking the total number of website visits, average scroll depth or visitor device types) (the “statistical purposes exception”);
   2. Information stored or accessed (including cookies) which is used to enable a service to adapt its appearance or functions in accordance with someone’s preferences (the “appearance exception”); and
   3. Information stored or accessed which is used for the purpose of identifying the subscriber or user’s geographical location (for example, on personal safety alarms when activated or user-enabled car emergency call systems after a crash) when they request emergency assistance (the “emergency assistance exception”).

ICO Consultation and Calls for Views

In response to these changes, the ICO has updated its guidance on the use of storage and access technologies to include a new chapter titled “What are the exceptions?”. The ICO has launched a consultation in relation to its updated guidance to collect views on its proposed regulatory approach and the impact. The consultation will run until 26 September 2025. 

In addition, the ICO is reassessing its enforcement approach of Regulation 6 PECR, with a view to exploring “whether a risk-based approach to enforcing PECR could allow publishers to deliver online advertising to users who have not granted consent, where there is a low risk to their privacy.” 

This proposal extends beyond the DUAA’s current changes and suggests changes be made via further secondary legislation. This could mean a potential shift from a one-size-fits-all consent model toward a more nuanced, risk-based framework. For publishers and advertisers, this could mean greater flexibility to innovate and engage users using online advertising, provided such activities pose a low risk to user privacy.

The ICO has launched a call for views, which will run until 29 August 2025.

Implications for Online Advertising 

The ICO, in its call for views, has announced that it plans to publish a statement in early 2026 which covers the following points:

• Identify Low-Risk Advertising Activities: The ICO would set out specific low-risk advertising activities that are “safe” and are unlikely to lead to enforcement action under PECR. This would provide regulatory certainty to advertisers and remove barriers to scaling low-risk advertising activities. 
• Expand Secondary Legislation: The ICO plans to work alongside the UK government to enact further secondary legislation to add a further exception to PECR Regulation 6 to allow for these low-risk advertising activities. 
• Consider Safeguards: Alongside expanding these online advertising use cases, the ICO will consider safeguards which protect customer data protection rights and privacy.

The ICO’s proposed approach and anticipated statement are part of a broader regulatory push to support innovation, commercial development and economic growth alongside still balancing the protection of data subject rights. Ultimately, the ICO hopes to “enable new approaches to online advertising to scale up.”

Conclusion

While transparency obligations remain, the changes aim to reduce user fatigue from excessive pop-ups and support innovation in digital services. However, organisations must still ensure that any use of cookies is clearly explained, and that consent is obtained where required - particularly for higher-risk advertising activities involving cross-site tracking or profiling.

Last year, the ICO consulted and produced guidance on “consent or pay” online advertising models, reflecting the regulator’s willingness to explore the implementation and regulation of new advertising approaches. Similarly, the ICO’s responsible online tracking strategy, which was published earlier this year, also mentions ambitions to “encourage publishers to deploy more privacy-preserving advertising such as contextual models,” where advertising is based on the content and key words of webpages. 

As the regulatory landscape continues to shift, organisations should stay engaged with the ICO’s consultation and prepare for the broader implications of secondary legislation.

For advice on how the Data (Use and Access) Act 2025 will impact you or your business, please contact Martin Cook, Richard Hugo, Madelin Sinclair McAusland, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team. 

This article was written by Jenora Vaswani and Amanda Leiu.