
Key Insights from the ICO’s Updated Draft Cookies Guidance Following DUAA


Following the enactment of the Data (Use and Access) Act (DUAA) on 19 June 2025, the Information Commissioner's Office (ICO) has issued updated draft guidance on the use of cookies and other storage and access technologies. This update reflects changes made by DUAA to the Privacy and Electronic Communications Regulations (PECR) and introduces new compliance expectations for organisations deploying cookies and similar technologies.

The guidance remains in draft form pending the outcome of a second consultation concerning a new chapter titled “What are the exceptions?”. The consultation recently closed to responses on 26 September 2025. The finalised ICO guidance is expected to be published in Spring 2026.

This article outlines some of the key points contained within the updated draft guidance, and highlights what practical implications there might be for organisations and users.

Changes Under DUAA

The current position on cookies is that user consent is required to place all cookies, except where they are “strictly necessary”. Under the DUAA, this position is being relaxed so that consent will not be required for certain uses, although users should still have the right to opt out of these cookies.

The DUAA provides for five specific exemptions (which are also detailed in the new chapter of the updated ICO draft cookies guidance) to the general prohibition on storing or accessing information on users’ devices without consent. We previously summarised the exemptions in an earlier article (found here).

It is worth noting that these exemptions are purpose-limited: if the use of storage and access technologies goes beyond the stated purposes, user consent must still be obtained.

Highlights from the Updated Draft Guidance

The July 2025 update marks a significant revision to the ICO’s draft guidance, primarily to align with the amended PECR provisions introduced by DUAA. Aside from the new chapter on exceptions covered in the section above, the ICO points out that there are other “minor changes throughout the guidance to reflect the updated rules”. Notable updates include:

  • Expanded Scope: The chapter “What are storage and access technologies?” now includes more detailed explanations of technologies beyond cookies to reflect the evolving digital landscape. This includes tracking pixels, web storage, and fingerprinting techniques. 
  • Managing Consent: The chapter “How do we comply with the PECR rules?” has been split into multiple chapters, with refreshed examples and new policy lines. A new chapter, “How do we manage consent in practice?”, consolidates and expands on previous content, offering examples of “good and bad practice consent mechanisms”. It addresses mechanisms such as pop-ups and settings-based consent, with the ICO clarifying its expectations for transparency, granularity and user control.
  • Online Advertising: A dedicated chapter on online advertising has been introduced to clarify how PECR applies in this context, reflecting the ICO’s increasing regulatory attention to AdTech. This includes, for example, what consent is required for tracking, profiling and real-time bidding.
  • Enforcement Updates: The chapter “What happens if we don’t comply?” has been revised to reflect changes in the PECR enforcement regime, with fines under PECR to be aligned with the UK GDPR (up to £17.5 million or 4% of global turnover).
  • Regulatory Language: The guidance continues to use “must”, “should”, and “could” language to distinguish between legal obligations, expected practices, and optional approaches. The ICO notes that:
    • “must” refers to legislative requirements and established case law.
    • “should” does not refer to a legislative requirement, but to what the ICO expects you to do to comply effectively with the law.
    • “could” refers to an option or example that may help you to comply effectively.

Practical implications for organisations and users

For organisations, the updated guidance signals a shift towards a more granular and structured approach to compliance with PECR in light of DUAA. Providers of online services, including websites and apps, will need to reassess their use of cookies and similar technologies to ensure alignment with the revised PECR rules.

Key actions include:

  • Reviewing consent mechanisms to ensure that consent interfaces meet the ICO’s expectations for transparency, granularity and user control.
  • Auditing technologies used for tracking and analytics to identify which technologies (with reference to the expanded scope set out in the guidance) store or access user data and verify whether consent is being properly obtained before this occurs.
  • Updating privacy/cookie notices and cookie banners to reflect the new exceptions and consent requirements.
  • Monitoring for the ICO’s final guidance, expected in Spring 2026.

For users, the changes may lead to clearer and more transparent interactions with websites and apps, particularly regarding how their data is stored and accessed. The introduction of defined exceptions and illustrative examples may also improve user understanding of when and why consent is required.

Comment

The ICO’s draft guidance update represents a significant development in the regulation of cookies and related technologies. While the guidance remains subject to further consultation, organisations should begin reviewing their practices in anticipation of finalised rules. Proactively complying with the new legislation and guidance offers an opportunity for organisations to maintain user trust and mitigate enforcement risks, particularly with PECR fines increasing to align with the UK GDPR. 

For advice on how the Data (Use and Access) Act 2025 will impact you or your business, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.

This article was written by Fraser Campbell and Amanda Leiu.
