Cookies: What the UK’s New DUAA Means for Overseas Businesses

The UK Data (Use and Access) Act — DUAA for short — has passed into law, and it’s set to shake up how websites serving UK residents (including NZ businesses targeting UK audiences) deal with cookies.

So, if you run a website, app, or digital service and have UK users: this one’s for you.

Under the DUAA, the UK has introduced a slightly more relaxed approach to cookies — aiming to cut the noise and improve user experience by:

  • Reducing overuse of banners

  • Allowing certain low-risk cookies without consent

Previously, only strictly necessary cookies didn’t require consent. But the DUAA expands the “no-consent-needed” category to include:

  • Anonymous analytics – You absolutely must not be able to identify a device or user in any way.

  • Service improvement

  • Bug detection

  • Security and update functionality

However, guidance from the UK ICO is still to come — so care needs to be taken before you rush to update your banners. Also worth noting: many organisations will need to split how their banner behaves in the UK from how it behaves across the rest of Europe, because the GDPR hasn’t changed. What’s acceptable in the UK may still be a no-go in the EU.

To prepare for the upcoming changes, you should:

  • Review your existing cookies – Do some housekeeping. Remove any unnecessary ones and work out which might now fall under the DUAA’s “no consent needed” category.

  • Build new geo rules – Differentiate how your website or app seeks and manages consents for UK vs EU visitors.

These changes are aimed at improving user experience, but like anything in privacy, the details matter. Don’t assume UK = EU. Get your house in order and keep an eye out for final guidance from the ICO.
