
UK Cookie Law Is Changing in 2026. Your Website Is Probably Not Ready.

Ross Forrester · 8 min read

If you own a UK business website and your cookie compliance approach hasn't changed since 2022, you're operating under rules that no longer apply — and under a penalty regime that has become substantially more serious.

The Data (Use and Access) Act 2025 changed the financial stakes for non-compliance. The ICO completed a year-long sweep of the UK's most-visited websites in late 2025. And updated guidance is due in Spring 2026 that will fundamentally reshape what a compliant cookie setup looks like.

Here's what's happening and what it means for UK small business websites.


What Changed: The DUAA and Bigger Penalties

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent in 2025, made a series of changes to the Privacy and Electronic Communications Regulations (PECR) — the UK law that governs cookies and similar tracking technologies.

The most immediately consequential change: maximum PECR fines increased from £500,000 to £17.5 million, or 4% of annual global turnover, whichever is higher. That aligns UK cookie fines with GDPR penalty levels for the first time.

Citation capsule: The Data (Use and Access) Act 2025 increased maximum PECR fines from £500,000 to £17.5 million or 4% of annual global turnover — bringing UK cookie penalties in line with GDPR. The ICO secured compliance from 95%+ of the UK's 1,000 most-visited websites in a 2025 sweep. (Source: ICO, Osborne Clarke UK Regulatory Outlook January 2026)

For a small business, this isn't abstract. A £500,000 maximum was already significant. A £17.5 million maximum — or 4% of global turnover, whichever is higher — is a completely different enforcement environment. The ICO has been clear it intends to use these powers more broadly in 2026.


The ICO Has Already Been Enforcing — More Is Coming

In 2025, the ICO conducted a systematic review of compliance across the UK's 1,000 most-visited websites. The results: more than 95% of those sites now meet ICO cookie compliance standards, after the ICO contacted non-compliant sites and required them to fix their implementations.

That's a significant achievement — and it signals what comes next. The ICO has indicated it will expand enforcement beyond large publishers in 2026. The 1,000-site sweep was the opening salvo, not the whole campaign.

The ICO's stated priorities for 2026 include artificial intelligence, online advertising, and children's data. Cookie compliance sits squarely at the intersection of the first two. If your site uses advertising cookies — analytics, retargeting, conversion tracking — you're in scope.

[Diagram: the ICO's enforcement trajectory from 2024 to 2026, from large publishers to SMEs]


New Exceptions Are Coming: What to Expect

Here's where it gets more nuanced. The DUAA didn't just increase penalties — it also introduced new exceptions to the requirement for cookie consent under PECR.

The ICO is currently finalising guidance on these exceptions. A draft was published for consultation in late 2025. The finalised guidance is expected in Spring 2026.

The new exceptions are designed to enable certain types of online advertising to operate without the full consent pop-up requirement. The ICO has said it believes the new framework "will enable new approaches to online advertising to scale-up" — language that suggests a meaningful relaxation for some advertising use cases.

What this means in practice is still being defined. But the likely effect is that some analytics and performance measurement cookies will move into the consent-not-required category, while advertising and profiling cookies will remain strictly opt-in.

For UK small business websites, the practical advice is to watch for the Spring 2026 guidance and be prepared to update your cookie configuration when it arrives. Don't make major changes to your consent implementation now in anticipation of what the exceptions might cover — wait for the finalised rules.


While we wait for the Spring guidance, here's what compliance looks like under the current rules:

Consent must be freely given, specific, informed, and unambiguous. This means a proper opt-in for non-essential cookies — not a banner that says "By continuing to use this site, you consent to cookies." Pre-ticked boxes are not valid consent. Consent buried in a privacy policy is not valid consent.

Functional and strictly necessary cookies don't require consent. These are cookies required for the site to function — shopping cart cookies, session cookies, security cookies. You don't need a consent pop-up for these.

Analytics and marketing cookies do require consent. Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking — all of these require opt-in consent under current UK rules. If your site deploys these on page load before consent, you're non-compliant.

Your consent records must be auditable. You need to be able to demonstrate that a user gave valid consent. Most compliant cookie management platforms (Cookiebot, OneTrust, CookieYes, Civic) do this automatically, but if you've rolled your own solution, it needs to capture consent timestamps and preferences.

[Diagram: which cookie types require consent under current UK PECR rules and which are exempt]


The SEO Angle Nobody Is Talking About

Here's something that rarely gets mentioned in cookie compliance articles: your cookie implementation directly affects your site's technical SEO and AI search performance.

A cookie banner that blocks page rendering — loading a heavyweight consent management platform before any content renders — creates a measurable Largest Contentful Paint (LCP) delay. That's a Core Web Vitals signal. Slow LCP hurts rankings.

More critically, if your cookie consent mechanism delays or prevents Googlebot or AI crawlers from accessing your page content, you're creating an indexability problem. Some consent platforms use JavaScript injection that isn't rendered by search crawlers. If your key page content sits behind a JavaScript consent wall, Google may not be indexing it properly.

The practical fix: ensure your consent platform uses server-side rendering or a lightweight, non-blocking implementation. Test your pages with Google's URL Inspection tool after implementing or updating your cookie management to confirm full crawlability.


What to Actually Do Right Now

Given where things stand:

Audit what you're currently setting. Use your browser's developer tools or a free cookie scanner to see exactly which cookies your site sets before and after consent. You may find cookies firing before consent that you didn't know about.

Check your consent platform is still fit for purpose. Some consent management platforms (CMPs) implemented in 2021–2022 don't meet current standards. If your CMP shows a banner but fires Google Analytics unconditionally, you're not compliant.

Don't block AI crawlers in your cookie config. Some consent platforms include default rules that affect bot access. Ensure your robots.txt and CMP configuration don't accidentally block GPTBot, PerplexityBot, or Googlebot.

Stay alert for the Spring 2026 ICO guidance. The new PECR exceptions could meaningfully change what you need to do. When the finalised guidance arrives, review it quickly — it may simplify some of what you're currently implementing.
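To make the audit step and the CMP check above concrete, together with the two current-rules points earlier (non-essential tags must not fire before opt-in, and the consent record must be auditable), here is an added JavaScript example; it is not the article's code or any consent platform's API. The cookie-to-category table, the category names and the record shape are assumptions for illustration.

```javascript
// Added example (not from the article): a minimal consent gate with an
// auditable record and a "what fired before consent?" check.

// Constructed cookie -> category table; adjust it to what your own scan shows.
// "necessary" is exempt from consent under current PECR rules; "analytics"
// and "marketing" need an explicit opt-in before their tags run.
const COOKIE_CATEGORY = {
  session_id: "necessary", csrf_token: "necessary", cart: "necessary",
  _ga: "analytics", _gid: "analytics",   // Google Analytics
  _fbp: "marketing",                     // Facebook Pixel
};
const EXEMPT = new Set(["necessary"]);
const OPT_IN = ["analytics", "marketing"];

// Build the auditable record for an explicit choice. Every opt-in category
// starts false: no pre-ticked boxes, and "continuing to browse" is not consent.
// `now` is injectable so the timestamp can be checked deterministically.
function recordConsent(choices, now = () => new Date()) {
  const categories = Object.fromEntries(OPT_IN.map((c) => [c, false]));
  for (const cat of OPT_IN) if (choices[cat] === true) categories[cat] = true;
  return {
    timestamp: now().toISOString(),   // when the choice was made
    categories,                       // what was chosen, per category
    noticeVersion: "2026-01",         // constructed: which notice text was shown
  };
}

// May a tag in `category` run? With no record (banner not yet answered),
// only exempt categories may run.
function mayRun(category, record) {
  if (EXEMPT.has(category)) return true;
  return record !== null && record.categories[category] === true;
}

// Audit helper: given the cookie names seen on a fresh page load before the
// banner was answered, return those that needed consent. Unknown cookies are
// reported too, because you cannot show they were exempt.
function setBeforeConsent(cookieNames) {
  return cookieNames.filter((name) => !EXEMPT.has(COOKIE_CATEGORY[name]));
}

// Constructed sample: cookies observed before the banner was answered.
const observed = ["session_id", "_ga", "_fbp", "cart", "unknown_vendor"];
// -> ["_ga", "_fbp", "unknown_vendor"]: these fired without consent.
const violations = setBeforeConsent(observed);
```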

Your website's technical setup — including cookie compliance — is one of 200+ factors we check in our digital visibility audit. If you want to understand how your site currently performs across SEO, AI search visibility, and technical compliance together, start your audit at seoandgeo.co.uk/audit.


FAQ

If I'm a small business with under £50,000 annual turnover, do I still need to comply?

Yes. PECR applies to any organisation that operates a website targeting UK users. There is no small business exemption. However, the ICO has stated it prioritises proportionate enforcement and engagement over punitive fines for organisations acting in good faith. The risk isn't zero, but a small business website running a properly configured cookie banner is at low practical risk compared to a large publisher running non-compliant advertising tech at scale.

Do the new DUAA exceptions mean I can remove my cookie banner?

Not yet, and not completely. The exceptions under the DUAA relate to specific categories of cookies — some analytics and functional uses — not all non-essential cookies. You'll still need consent for advertising and profiling cookies. Wait for the Spring 2026 ICO guidance before making changes to your consent implementation.

How does this interact with GDPR?

PECR and UK GDPR have different scopes. PECR covers the setting of cookies and similar tracking technologies. UK GDPR covers what you do with the personal data those cookies collect. A compliant cookie consent mechanism handles the PECR obligation; how you store, process, and use the data collected is a separate UK GDPR question. Both need to be right.

