The UK Data (Use and Access) Act 2025 added a statistical purposes cookie exception that, on first read, lets analytics drop cookies without consent. It does not save GA4. Section 105 requires the analytics to have a sole purpose of service improvement, and Google’s own Terms of Service for GA4 reserve rights for product development, fraud detection, and ads integration. Those reserved rights are exactly what breaks the sole-purpose test.
The Exception Reads Like a Gift
DUAA Section 105 introduced what looks like the cleanest cookie reform in years. Sites can use analytics cookies without consent if the data serves the sole purpose of statistical analysis or service improvement. The legal text appears to permit GA4-style measurement without the banner.
Kennedys Law’s analysis of the reform pillars makes the structural change explicit. The exception only applies where service improvement is the sole purpose. There is no flexibility for product development, ad personalisation, or onward sharing — those activities sit outside the carveout entirely.
The Data Protection Network’s read of the same provisions adds a free opt-out at first use as a hard requirement. Sites that want to rely on the exception have to give the user a clear way to refuse the cookie before any data is collected, and the opt-out has to be free of charge.
The exemption is real. The qualifying conditions are narrow.
Google’s Terms Are What Disqualify the Deployment
Here’s the structural contradiction. GA4’s terms of service grant Google rights that go well beyond service improvement of the store using it. The data Google collects through GA4 feeds product development, fraud detection, ads-product integration, and aggregate research across the entire Google estate.
That is not a hypothetical. It is contractual. Even if the store turns off Google Signals, disables ads personalisation, and refuses every optional feature, Google retains baseline rights to the data. Those rights are what create the qualifying problem under DUAA.
Stevens & Bolton’s interpretation is direct: where information is collected and shared with third parties for advertising purposes, the general PECR prohibition still applies. The exception only covers a single-purpose flow with no commercial onward use.
If your analytics stack involves Google reading the data, you cannot use the statistical exemption. Period.
What ICO Already Excluded From the Strictly Necessary Carveout
The new statistical exception runs alongside the older strictly necessary exception. The Information Commissioner’s Office has already drawn the line on the strictly necessary side, and the line is restrictive. The exception covers things like remembering items in a cart at checkout. It does not cover cross-device tracking, online advertising, or social media plug-ins.
That ICO interpretation matters because it sets the precedent for how the new statistical exception will be read. The regulator has shown willingness to interpret narrow language narrowly. Sites assuming a generous reading of statistical purposes are setting themselves up for an enforcement mismatch.
The cookie categories that always required consent — Meta Pixel, Google Ads conversion, TikTok Pixel, Microsoft UET — still require consent. Nothing in DUAA changed the rules for ad pixels. The reform is narrow: pure first-party measurement with no commercial onward use.
The Sole Purpose Test in Practice
Three things have to be true for an analytics deployment to qualify under Section 105:
- The data is used only for statistical analysis or service improvement for the users it was collected from.
- No third party has contractual rights to the data for ads, product development, or unrelated commercial purposes.
- A free opt-out is offered at first use, before any data collection begins.
GA4 fails the second condition contractually. Other hosted analytics products that grant the vendor rights to aggregate, model, or share data for any commercial purpose fail the same way. The product positioning of the vendor matters less than what their terms of service actually say.
The qualifying question isn’t “what does the analytics do.” It’s “what does the vendor’s contract reserve.”
What Does Qualify: First-Party Server-Side That Never Reaches Google
The architecture that survives the sole-purpose test is straightforward. Events have to land on infrastructure the store controls. The vendor running the infrastructure has to be a processor with no rights to use the data for anything other than the service. The data must never flow to Google, Meta, or any commercial third party for use beyond the store’s own improvement.
That rules out nearly all hosted analytics products as currently configured. It rules in self-hosted analytics, customer-owned data warehouses, and first-party server-side pipelines where the destination of the data is the store’s own infrastructure.
A GTM container audit is a useful first step for UK stores trying to figure out what’s running. Most containers contain at least one tag that disqualifies the strictly necessary or statistical exemption immediately.
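A first pass at the container audit described above can be scripted against a GTM container export. The following is an added example, not code from the article or from any vendor; it assumes the export's `containerVersion.tag[]` layout, GTM's built-in tag type codes for GA4 and Google Ads, and the loader hostnames used by the ad pixels the article names.

```javascript
// GTM built-in tag type codes for the Google destinations named in the article.
const TYPE_RULES = new Map([
  ["gaawe", "GA4 event: vendor terms reserve rights, fails sole-purpose test"],
  ["gaawc", "GA4 configuration: vendor terms reserve rights, fails sole-purpose test"],
  ["googtag", "Google tag: vendor terms reserve rights, fails sole-purpose test"],
  ["awct", "Google Ads conversion: ad pixel, consent required"],
]);
// Hostnames that identify ad pixels loaded through Custom HTML tags.
const HOST_RULES = {
  "connect.facebook.net": "Meta Pixel: ad pixel, consent required",
  "analytics.tiktok.com": "TikTok Pixel: ad pixel, consent required",
  "bat.bing.com": "Microsoft UET: ad pixel, consent required",
};

// Returns [{ tag, reason }] for every active tag that matches a rule.
function auditContainer(exportJson) {
  const tags = (exportJson.containerVersion || {}).tag || [];
  const findings = [];
  for (const tag of tags) {
    if (tag.paused) continue; // paused tags do not fire
    if (TYPE_RULES.has(tag.type)) {
      findings.push({ tag: tag.name, reason: TYPE_RULES.get(tag.type) });
      continue;
    }
    // Custom HTML and template tags: search parameter values for known hosts.
    const body = (tag.parameter || []).map((p) => String(p.value || "")).join("\n");
    for (const [host, reason] of Object.entries(HOST_RULES)) {
      if (body.includes(host)) findings.push({ tag: tag.name, reason });
    }
  }
  return findings;
}

// Constructed sample in the shape of a GTM container export (not a real container).
const SAMPLE_EXPORT = { containerVersion: { tag: [
  { name: "GA4 - purchase", type: "gaawe", parameter: [] },
  { name: "Pixel base", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
    value: "<script src='https://connect.facebook.net/en_US/fbevents.js'></script>" }] },
  { name: "Old Ads tag", type: "awct", paused: true, parameter: [] },
  { name: "First-party beacon", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
    value: "<script>navigator.sendBeacon('https://data.yourstore.com/e')</script>" }] },
] } };

for (const f of auditContainer(SAMPLE_EXPORT)) console.log(`${f.tag}: ${f.reason}`);
```

An empty result only means none of these known tags is active in the container. Whether the remaining tags qualify still turns on what each vendor's terms reserve.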
Here’s How You Actually Do This on WordPress
Transmute Engine™ is a first-party Node.js server that runs on your subdomain (for example, data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events and sends them via API to the Transmute Engine server, which formats and routes the data to whichever destinations you choose — including a self-owned BigQuery dataset that stays under your control. For UK stores trying to qualify under the statistical purposes exception, the difference matters: the data lands on infrastructure you own, with no third-party reservation of rights baked into the architecture.
Key Takeaways
- DUAA Section 105’s statistical exception is real but narrow: sole purpose has to be service improvement.
- Google’s GA4 Terms of Service reserve rights for product improvement, fraud detection, and ads integration — those reserved rights break the sole-purpose test.
- ICO has already restricted the strictly necessary exception — cross-device tracking, online ads, and social plug-ins are out, and the same logic will apply to the statistical exception.
- Free opt-out at first use is mandatory for any deployment relying on the statistical purposes exception.
- Only first-party analytics with no third-party data reservation survive the qualifying test in practice.
Frequently Asked Questions
No. The DUAA statistical purposes exception requires service improvement to be the sole purpose of the analytics. Google’s GA4 Terms of Service reserve rights to use the data for product improvement, fraud detection, and ad-product integration, which breaks the sole-purpose test. GA4 still requires consent on UK WooCommerce stores.
Sole purpose means the analytics data is used only for understanding how the site is used or improving the service for the users you collected it from. Any reservation of rights to share with a third party for ads, fraud, or product development disqualifies the deployment, even if the store itself never enables those features.
First-party server-side analytics that never share data with a commercial third party. The events have to land on infrastructure controlled by the store, with no contractual right granted to a vendor to use the data for anything beyond service improvement. A free opt-out must be offered at first use.
No. Cookies for online advertising, cross-device tracking, and social media plug-ins are explicitly outside both the strictly necessary and statistical purposes exceptions per ICO guidance. Ad-platform tags still require explicit consent and PECR still applies as before.
If your UK WooCommerce store is running GA4 and assuming the new exception covers it, run the audit before the regulator does. Seresa builds the first-party architecture that actually qualifies.



