What the Data (Use and Access) Act 2025 Means for Website Cookies

Websites Marketing Data Analytics

Cookies Laws are Crumbling (but this isn’t a bad thing)

Earlier this year, Tribus discussed the importance of setting up your website tracking. The Tribus Digital team spoke about how your tech partner should be leading this setup. We also discussed the evolving landscape around third-party cookies and how Tribus have been helping clients navigate the uncertainty.

Now, with the Data (Use and Access) Act 2025 (DUAA) officially passed, the UK has taken a new step in redefining data responsibility. While the headlines focus on AI, automated decisions and digital identity (all of which Tribus will be discussing in future posts), one of the most practical impacts for clients and web teams is the shift in cookie rules and regulations.

In this post, we speak with Head of Website Development Richard Blyth and Head of Digital Marketing Oliver Padgett-Blackburn who break down what’s changed, what hasn’t, and what Tribus are doing to help clients adapt their tracking setups in a way that’s accurate and compliant.

Your response to someone who asked ‘why have cookies regulations changed’

The Data (Use and Access) Act makes a key distinction between low-risk, essential cookies and high-risk, tracking cookies.

Low-risk cookies are now classed as anything that capture essential performance and basic analytical information and these cookies are no longer required to have active consent.

Essential performance cookies are cookies which are used to remember user logins during sessions, keep items in a shopping cart, manage consent setting or cookie preferences and security functions.

Basic analytical cookies are used to help marketeers understand how users interact with your website but in a non-invasive, privacy focused way. This data is not personal and is aggregated, allowing digital marketeers to view:

  • Pageviews

  • Sessions

  • Engagement rate

  • Session duration

  • Traffic source

What remains the same?

Profiling and retargeting cookies still require explicit opt-in consent.

What changes need to be made to your website

From a digital marketing privacy perspective, this shift is a double-edged sword. On one hand, we gain back more reliable analytics without the drop-off caused by rejected cookie banners. On the other, we need to separate out every tool that collects user data and ensure we have the right logic in place.

From a development perspective, DUAA offers a clear opportunity to tidy up front-end bloat, move more tagging to server-side tracking, and apply better consent-layer logic.

The passing of the DUAA doesn’t mean tracking gets easier; it does offer more clarity. At Tribus, we believe in building tracking architecture that’s transparent and effective. This isn’t about keeping up-to-date with regulatory change. It’s about building trust and gaining confidence in your data.

Want to learn more? Check out our previous insights on setting up tracking the right way and navigating the third-party cookie fallout.

Share this article:

Cookie consent

By continuing to use this website you agree to the handling and storage of data outlined in our privacy policy.
Scroll