Until 5 February 2026, the Information Commissioner's Office (ICO) could only issue a fine for contravening cookie law if it was a "serious" contravention and one that was of a kind "likely to cause substantial damage or substantial distress".
With the commencement of section 115 and Schedule 1 of the Data (Use and Access) Act 2025 (DUAA), those "seriousness" and "substantial damage or substantial distress" requirements are removed, and, in principle, any contravention is punishable by a fine.
In reality, this may not present an immediate regulatory risk, given that the ICO - in contrast to the field of unsolicited direct electronic marketing (where the similar "substantial damage or substantial distress" requirement had been repealed in 2015) - has not shown much appetite for enforcing the cookie provisions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). However, those deploying cookies and similar technologies, and those advising them, would do well to bear the changes in mind, and to watch for any changes in messaging coming out of the ICO.
Regulation 6 of PECR, as amended, provides that, in general, a person "must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user". As the ICO explains, "Cookies are used by many websites and can do a number of things, e.g. remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website". They are also an essential feature of much online programmatic advertising targeted at individual users, through profiling.
Although cookies and similar tracking technology are ubiquitous online, they should not be deployed unless certain conditions, as laid out in new Schedule A1 of PECR, are met. These conditions include: where the user has consented to the cookies (provided they have been given clear and comprehensive information about them); where the cookies are required for transmitting a communication over a network; where the cookies are strictly necessary to provide an "information society service" (broadly, this means most online services, such as apps, search engines, social media platforms, online marketplaces, content streaming services, online games, news websites, and any websites offering other goods or services, but it will generally not include websites operated by public authorities); and, in some cases, where the cookies are used for the collection of website/user analytics.
Understanding aspects of PECR requires knowledge of wider communications law and a technical understanding of how communications are made across online networks. Some of the amendments recently made by the DUAA involve these complex aspects. Shortly after the DUAA was enacted, the ICO indicated that updated PECR guidance was due in "Winter 2025/2026", but it has not emerged yet. Practitioners and advisers would nonetheless do well to look out for it, as it may give an indication of the ICO’s possible areas of regulatory focus.
The DUAA also increased the maximum penalty for PECR contraventions from £500,000 to £17.5 million or 4% of global annual turnover (whichever is higher). Even under the current low-interventionist ICO regime, this increase, together with the technical complexity of PECR, represents a risk that should be understood all the way up to board level.