DUAA – Cookies Part 1
The Data (Use & Access) Act 2025 ushers in changes that mean organisations will be able to use cookies and other tracking technologies for more activities without the requirement to collect consent.
Essentially DUAA rewrites Regulation 6 of the Privacy and Electronic Communications Regulations (PECR). The one existing exception to consent for strictly necessary cookies is joined by four more.
All references to cookies within this document include similar technologies, including tracking pixels, navigational tracking, web storage, fingerprint techniques, plug-ins, scripts, tags and any other storage and access technologies.
With some exceptions, there is still a need to give ‘people’ clear and comprehensive information and an easy way to object.
Five cookie exceptions
The ICO makes it clear an exception will only apply if a company’s use of ‘cookies’ aligns with the purposes and requirements of that exception. It’s stressed: “If your usage goes beyond these, you must get consent”.
Here’s a quick snapshot of the exceptions…
1. Communication exception
This applies when the sole purpose of ‘cookies’ is for the transmission of a communication. To rely on this exception, there is a need to meet specific criteria which the ICO says “must ensure that the transmission of the communication is impossible without the use of particular storage and access technology”.
The ICO gives two examples: device fingerprinting techniques used solely for network management purposes, and session cookies used for load balancing, where the sole purpose is identifying which server in the pool the communication will be directed to.
2. Strictly necessary exception
This existing exception applies when the purpose is essential to provide a service which a subscriber or user requests. So, on a technical level the service can’t be provided without the use of ‘cookies’. PECR itself lists some examples of activities that meet this exception:
- ensuring the security of terminal equipment
- preventing or detecting fraud
- preventing or detecting technical faults
- authenticating the subscriber or user
- recording information or selections the user makes on an online service.
The ICO says this exception would apply to remembering the goods a user wishes to buy when they go to the online checkout or add goods to their shopping basket. BUT it would not apply to cross-device tracking, online advertising or social media plug-ins.
3. Statistical purposes exception
This applies when the sole purpose of ‘cookies’ is to collect information for statistical purposes about how an online service is used, with a view to making improvements. It also covers how a website (by means of which a service is provided) is used, again with a view to making improvements.
This exception applies if you’re an Information Society Service (ISS) and your statistical purposes are about the use of your service.
The ICO’s draft guidance stresses: “it is not a broad exception that covers all types of analytics technologies or ways you can use them. It is about how your service is used, not about who uses it. It is not for identifying, tracking or monitoring people or groups of people who use your service. It also doesn’t apply to things like online advertising.”
The ICO says this exception would apply to total visits to your website, page-by-page (e.g. for traffic analysis to understand users’ journeys).
Transparency and an opt-out
While consent won’t be needed, it will still be necessary to provide clear and comprehensive information about the ‘cookies’ deployed and to give users a ‘simple and free’ means to object, i.e. an opt-out.
Use of third-party analytics providers?
The ICO says it would be permitted to use third-party analytics services, with a big caveat: “you must ensure that the third party only assists you in achieving your purpose”.
Any third-party analytics providers must act on behalf of the company and not use the data for their own purposes. In other words, they must be a processor, not a joint or separate controller.
Among other matters this means making sure:
4. Appearance exception
This applies when the sole purpose is to adapt the way the service appears or functions in line with the subscriber or user’s preferences.
The ICO says this exception would apply to remembering the language the subscriber or user selects (e.g. on a multilingual website). But it would not apply to changing the content you display to a user on your service based on known or inferred interests or behaviours about them.
Transparency and an opt-out
When relying on this exception, the information provided must be clear and comprehensive about the ‘cookies’ deployed, and users must be given a ‘simple and free’ means to object, i.e. an opt-out.
5. Emergency assistance exception
This applies if the sole purpose is to identify the geographical position of a subscriber or user’s device(s) to provide emergency assistance. It specifically allows the use of information about someone’s location and includes using GPS-based location information from smartphones, tablets, sat-navs and other devices. For the exception to apply, the ICO says the subscriber or user needs to have requested emergency assistance.
What this means in practice
This does not mark an end to the cookie banner and consent mechanisms. However, it will allow Consent Management Platforms (CMPs) to be reconfigured. Where an exception is relied on, a ‘cookie’ can now be dropped on a user’s device without gaining consent, while still meeting the transparency and opt-out requirements.
What steps can we take now?
Conduct a cookie review; identify, analyse and categorise. Assess the current approach, and whether these changes will give an opportunity to simplify or re-design the CMP.
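To make the CMP reconfiguration described under “What this means in practice” and the “identify, analyse and categorise” review concrete, here is an added example (not code from the article, the ICO or any CMP product) of a small gating policy. It models the five exceptions as purposes that may be set without prior consent, treats the two exceptions the article pairs with an opt-out (statistics and appearance) as objectable, and requires opt-in consent for everything else. The purpose names, the cookie registry and the shape of the consent record are this example’s own assumptions; cookies not found in the registry are surfaced as “unknown” so the review can catch them.

```javascript
// Added example: a minimal CMP gating policy modelled on the five PECR exceptions
// summarised in the article. Purpose names, cookie names and the consent-record
// shape are assumptions made for this example, not from the Act or the ICO guidance.

// How each purpose is treated. "exception" purposes may be set without consent;
// the ones the article pairs with an opt-out are marked objectable. Everything
// else (advertising, cross-device tracking, social plug-ins) needs opt-in consent.
const PURPOSE_RULES = {
  communication:         { basis: "exception" },
  strictly_necessary:    { basis: "exception" },
  statistics:            { basis: "exception", objectable: true },
  appearance:            { basis: "exception", objectable: true },
  emergency:             { basis: "exception" },
  advertising:           { basis: "consent" },
  cross_device_tracking: { basis: "consent" },
  social_media_plugin:   { basis: "consent" },
};

// Constructed cookie registry: the output of a cookie review (name -> purpose).
const COOKIE_REGISTRY = {
  SERVERID: "communication",     // load-balancer routing (the ICO's example)
  session:  "strictly_necessary", // authenticating the user
  basket:   "strictly_necessary", // remembering goods added to the basket
  _visits:  "statistics",         // page-by-page visit counting
  lang:     "appearance",         // language the user selected
  ad_id:    "advertising",
  xdt:      "cross_device_tracking",
};

// May a cookie with this purpose be set for a user with these preferences?
// prefs = { consented: Set<purpose>, objected: Set<purpose> }
function maySet(purpose, prefs) {
  const rule = PURPOSE_RULES[purpose];
  if (!rule) return false; // unknown purpose: fail closed
  if (rule.basis === "consent") return prefs.consented.has(purpose);
  // Exception purposes are on by default; an objection switches off only
  // those the policy marks objectable.
  return !(rule.objectable && prefs.objected.has(purpose));
}

// Parse a Cookie request header (or document.cookie) into { name: value }.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const s = part.trim();
    if (!s) continue;
    const eq = s.indexOf("=");
    const name = eq === -1 ? s : s.slice(0, eq).trim();
    out[name] = eq === -1 ? "" : s.slice(eq + 1).trim();
  }
  return out;
}

// Sort cookies already on the device into those the policy allows, those that
// must be expired (no consent, or an objection registered) and those the
// registry does not know about, which the cookie review should pick up.
function triageCookies(header, prefs) {
  const result = { keep: [], remove: [], unknown: [] };
  for (const name of Object.keys(parseCookieHeader(header))) {
    const purpose = COOKIE_REGISTRY[name];
    if (!purpose) { result.unknown.push(name); continue; }
    (maySet(purpose, prefs) ? result.keep : result.remove).push(name);
  }
  return result;
}

// Banner model: opt-in toggles default off, opt-out toggles default on, and
// purposes with no toggle are disclosed only.
function bannerModel() {
  const optIn = [], optOut = [], discloseOnly = [];
  for (const [purpose, rule] of Object.entries(PURPOSE_RULES)) {
    if (rule.basis === "consent") optIn.push(purpose);
    else if (rule.objectable) optOut.push(purpose);
    else discloseOnly.push(purpose);
  }
  return { optIn, optOut, discloseOnly };
}

// Usage: a visitor who has consented to nothing and objected to statistics.
const demoPrefs = { consented: new Set(), objected: new Set(["statistics"]) };
const demoHeader = "SERVERID=web2; session=abc; basket=1; _visits=7; lang=en; ad_id=x; mystery=1";
console.log(triageCookies(demoHeader, demoPrefs), bannerModel());
```

The policy fails closed: a purpose or cookie the registry does not recognise is never treated as exempt, which is the behaviour you want while the review in the previous step is still under way.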