Major update to cookie consent rules for websites

A new provision under the Data (Use and Access) Act 2025 comes into force which significantly changes the rules on cookies for organisations operating websites.

Since the coming into effect of the GDPR and the UK ePrivacy rules, we have all become accustomed to the general rule that non essential cookies (including analytics cookies) require the user’s prior opt in consent, usually obtained via a cookie banner.

Under the new Act, that position changes for certain categories of cookies.

From now on, cookies used solely for analytics and basic website functionality or appearance no longer require opt in consent, provided that users are given a clear and straightforward right to opt out.

In broad terms, this means that cookies which:

•    measure how users interact with a website (e.g. analytics used to understand traffic and performance); or
•    help the website to function properly or display correctly (for example, remembering preferences or enabling standard features),

can be deployed without waiting for affirmative user consent, as long as an opt out mechanism is in place and users are properly informed.

This is a distinct change from, and separate to, the recent extension of the “soft opt in” exemption for email marketing. That earlier change was specific to charities and electronic communications; this new provision applies more broadly to any organisation that operates a website.

The intention behind this change is to reduce unnecessary compliance friction and banner fatigue, while still preserving user autonomy through opt out rights rather than mandatory opt in.

There are, however, some important caveats:

•    The exemption is limited. It does not apply to cookies used for targeted advertising, behavioural tracking, profiling, or cross site tracking.
•    Transparency remains essential. Users must still be told clearly and accessibly what cookies are being used and for what purpose.
•    The opt out mechanism must be genuine and effective, not hidden or unduly complicated.

Organisations relying on this change will therefore need to review and update their cookies policies, privacy notices and cookie banners, ensuring that the distinction between cookies that require consent and those that operate on an opt out basis is accurately reflected.

If you would like assistance reviewing your current cookies set up, redesigning cookie notices or policies to reflect the new law, or sense checking whether particular cookies fall within the new exemption, please get in touch with us.