UK PECR Fines Just Jumped From £500K to £17.5 Million on February 5

April 30, 2026
by Cherry Rose

Maximum UK PECR fines went from £500,000 to £17.5 million on February 5, 2026 — a 35× jump that took effect overnight when the Data (Use and Access) Act 2025 commenced. The Information Commissioner’s Office has been auditing the top 1,000 UK websites since January 2025. Of the first 200 it reviewed, 134 received warning letters. Most WooCommerce stores serving UK visitors are running GA4, Google Ads, and Meta Pixel through default cookie banners sized for the old regime. They are exposed at a scale their compliance setup was never built for.

Your WooCommerce Store Has a June Deadline and the ICO Is Already Auditing

This is informational, not legal advice. The regulatory facts below are concrete and dated; how they apply to your specific store is a question for qualified UK counsel. What we can tell you cleanly is the architecture: the new ceiling is real, the ICO programme is active, the new exemptions don’t cover the typical WooCommerce stack, and the technical fix lives in your tracking infrastructure rather than in your banner copy.

What Actually Changed on February 5, 2026

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Its key data protection provisions commenced on February 5, 2026, including a wholesale rewrite of the PECR fine regime. The previous £500,000 ceiling — itself dating to a regime that pre-existed UK GDPR — is gone. The new maximum is £17.5 million or 4% of global annual turnover, whichever is greater. That is a 35× increase in the cash exposure of any cookie violation, and it is now aligned with the headline penalty band for UK GDPR.

For context on why the ceiling matters: in September 2025, France’s CNIL fined SHEIN €150 million (~$176 million) for placing cookies on devices even after users had opted out (Reuters, 2025). That action was taken under the EU equivalent of PECR and sets a live precedent for what regulators are willing to do at the new scale. The previous £500,000 cap would have been absorbed as a rounding error by any global retailer; £17.5 million plus a 4% turnover alternative is a different conversation.

The fine ceiling is the headline, but it isn’t the most likely operational risk. Most UK stores will never see a maximum-bracket penalty. What they will see is the audit programme, the warning letters, the rectification deadlines, and — increasingly — automated complaints from third parties.

The Three New Cookie Exemptions and Why Your WooCommerce Stack Doesn’t Qualify

DUAA introduces three new categories of cookie that no longer require explicit consent: low-risk first-party analytics, certain functional cookies, and a small set of operational cookies tied to specific user-initiated actions. On the surface, this looks like relief for store owners. Read the small print and the relief evaporates.

The exemption applies only where the cookie is used solely for the specified purpose. The moment that same first-party analytics cookie also feeds an advertising platform — Google Ads conversions, Meta Pixel CAPI, audience syncs to Klaviyo, anything downstream — the sole-purpose condition is broken and consent is required again.

The typical WooCommerce stack is GA4 plus Google Ads plus Meta Pixel. GA4 is wired to Google Ads via the Analytics-Ads link. Meta Pixel runs alongside it. Klaviyo collects events. The whole point of that stack is that the same user data feeds multiple platforms simultaneously — that is what makes it useful. It is also what puts the new analytics exemption out of reach for almost every active WooCommerce setup.

Translation: a handful of stores will genuinely run analytics in isolation and qualify. The rest will look at the new exemption, assume it applies, and file the issue away — which is exactly the kind of unexamined assumption the ICO programme is built to surface.

The ICO Audit Programme and the NOYB Complaint Vector

The ICO announced its top-1,000 UK websites cookie review in January 2025 with the framing that uncontrolled tracking can lead to harm. It is not a paper exercise. The first sweep covered 200 sites. Of those, 134 received warning letters with rectification deadlines of around 30 days (Arnold & Porter advisory, 2025). The programme has continued through 2025 and into 2026 against the new fine ceiling.

The audit programme is one vector. The other is NOYB. Max Schrems’ organisation was approved in late 2024 as a qualified entity to bring collective redress actions in the UK. NOYB has deployed automated cookie banner scanning that does not respect the boundary of the ICO’s top-1,000 list. Any UK-facing site is a candidate.

The pattern is the same one that played out in Germany’s Meta Pixel litigation. Four German Higher Regional Courts have now ruled Meta Pixel illegal and joint controller doctrine has dragged WooCommerce stores serving EU visitors into per-user damages exposure. The UK is now the parallel jurisdiction with a similar enforcement architecture forming around it.

You do not have to be in the ICO’s top 1,000 to receive a NOYB complaint. You only have to be running a default cookie banner that fires tags before consent.

The June 2026 Complaints Handling Deadline

One detail of DUAA that has not received the airtime it deserves: from June 2026, data controllers must operate a formal complaints handling process. For PECR purposes, that means a documented route for users to raise cookie complaints, an acknowledgement window, a response timeline, and a record of how each complaint was resolved.

For most WooCommerce operators, this is a new obligation entirely. The typical privacy page lists an email address. That is no longer enough. The expectation is intake, triage, response, and documentation — visible to the ICO if it asks. Operators that have spent the last few years assuming privacy meant “we have a banner” are about to discover that privacy now means “we run a process.”

Smaller stores are not exempt. The deadline is structural, not size-banded.

The Architectural Fix Lives in Your Tracking Infrastructure

Cookie banners are the tip of the iceberg. The actual technical issue — the one most ICO warnings cite — is that tags fire before consent. The banner says “we use cookies”; the page has already loaded GA4, Google Ads, Meta Pixel, and a Klaviyo cookie. The consent state was captured by the banner. Nothing downstream actually respects it.

Browser-based tag managers make this almost impossible to fix. Tags fire on page load. Consent state arrives milliseconds later. The race is structural. Google Consent Mode tries to paper over the gap with modeled conversions, but the modeling thresholds price out almost every WooCommerce store on the planet.

The architectural answer is to stop firing browser-side tags before consent and route events from the WooCommerce hook layer instead, gated by the consent state on each event. That is server-side first-party tracking with consent-aware event gating. The browser collects nothing tag-related until consent is recorded. Events are emitted from WordPress hooks, evaluated against the consent log per event, and only then fanned out to the destinations the user has actually agreed to.

Transmute Engine™ is a dedicated Node.js server that runs first-party on your subdomain (for example, data.yourstore.com). The inPIPE WordPress plugin captures events from WooCommerce hooks and sends them via API to the Transmute Engine server, which evaluates the consent state on each event and routes to GA4, Facebook CAPI, Google Ads, and BigQuery accordingly — with a documented per-event consent log that maps directly onto what the ICO expects to see.
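The per-event gating described above, as an added Node.js example that is not Seresa's, inPIPE's or Transmute Engine's code; the consent record shape, the destination-to-purpose mapping and the sample timestamps are assumptions made for illustration.

```javascript
// Per-event consent gating for server-side WooCommerce event routing.
// Assumed data model, not a vendor API: the banner stores a consent record
// {recordedAt, purposes} per visitor; each hook event carries
// {id, name, visitorId, occurredAt}. Every destination serves one purpose,
// so analytics-only consent can never fan out to an ad endpoint.
const DESTINATION_PURPOSE = {
  ga4: "analytics",
  bigquery: "analytics",
  google_ads: "advertising",
  facebook_capi: "advertising",
};

// Decide where one event may go and record why, for the consent log.
function gateEvent(event, consent) {
  // Consent must exist and predate the event: a record captured after the
  // event fired cannot authorise it retroactively (the page-load race).
  const usable = Boolean(consent) && consent.recordedAt <= event.occurredAt;
  const allowed = [];
  const withheld = [];
  for (const [destination, purpose] of Object.entries(DESTINATION_PURPOSE)) {
    if (usable && consent.purposes[purpose] === true) allowed.push(destination);
    else withheld.push(destination);
  }
  const logEntry = {
    eventId: event.id,
    eventName: event.name,
    visitorId: event.visitorId,
    occurredAt: event.occurredAt,
    consentRecordedAt: usable ? consent.recordedAt : null,
    sentTo: allowed,
    withheldFrom: withheld,
  };
  return { allowed, withheld, logEntry };
}

// Route a batch against a visitorId -> consent Map; returns the audit log.
function routeBatch(events, consentStore) {
  return events.map((event) => {
    const { logEntry } = gateEvent(event, consentStore.get(event.visitorId) || null);
    // A real pipeline would POST the event to each destination in sentTo here.
    return logEntry;
  });
}

// Constructed sample: v1 consented to analytics only, v2 has no record yet.
const SAMPLE_CONSENT = new Map([["v1", { recordedAt: 100, purposes: { analytics: true, advertising: false } }]]);
const SAMPLE_EVENTS = [
  { id: "e1", name: "purchase", visitorId: "v1", occurredAt: 150 },
  { id: "e2", name: "add_to_cart", visitorId: "v2", occurredAt: 160 },
];
```

Running `routeBatch(SAMPLE_EVENTS, SAMPLE_CONSENT)` yields one log entry per event showing exactly which destinations received it and which were withheld, which is the record an auditor would ask for.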

Key Takeaways

  • £17.5 million ceiling: Maximum UK PECR fines rose 35× on February 5, 2026 (or 4% of global annual turnover, whichever is greater).
  • 134 of 200 warned: The ICO’s first audit sweep flagged most of the sites it reviewed; the programme is ongoing against the new ceiling.
  • Sole-purpose condition: The new analytics exemption does not apply when the same data feeds an ad platform — which describes nearly every WooCommerce setup.
  • NOYB is scanning: You do not need to be in the top 1,000 to receive an automated complaint.
  • June 2026: A formal complaints handling process is required from June 2026 — documented intake, response, and resolution.
  • Fix the infrastructure: Consent compliance lives in event routing, not in banner copy.

Frequently Asked Questions

How much can the ICO fine my WooCommerce store for a cookie banner violation in 2026?

Since February 5, 2026, the maximum PECR penalty is £17.5 million or 4% of global annual turnover, whichever is greater — up from £500,000 before DUAA commenced. The fine you actually receive depends on the violation, your responsiveness to ICO warnings, and any aggravating factors. Smaller stores are more likely to receive warning letters first, but the new ceiling applies to everyone serving UK visitors.

Is my GA4, Google Ads, and Meta Pixel setup exempt from consent under the new DUAA analytics exception?

Almost certainly not. The new exemption applies only where the cookie is used solely for the specified low-risk first-party analytics purpose. As soon as the same data feeds an ad platform — Google Ads conversions, Meta Pixel CAPI, audience syncs — the sole-purpose condition is broken and consent is still required. The default WooCommerce stack falls outside the exemption.

What is the June 2026 PECR complaints handling process deadline?

DUAA requires data controllers to operate a formal complaints handling process from June 2026. For PECR, that means a documented route for users to raise cookie-related complaints, an acknowledgement window, a response timeline, and a record of how the complaint was handled. ICO guidance is still being finalised; small operators should plan for a documented intake and response procedure now.

Do I need to comply if I am not in the ICO’s top 1,000 websites?

Yes. The top-1,000 audit is a proactive ICO programme; it does not limit who can be investigated. Since late 2024, NOYB has been approved as a qualified entity in the UK and runs automated cookie banner scans. Any UK visitor or NOYB scan can trigger a complaint against any operator, regardless of size.

If you operate a WooCommerce store with UK visitors, the technical question is no longer whether your banner looks compliant — it is whether your tracking infrastructure can prove consent was respected on every event. Seresa builds the server-side architecture that makes that proof possible.
