DUAA’s Five Cookie Exceptions Don’t Cover GA4 or Meta Pixel

May 8, 2026
by Cherry Rose

DUAA’s five new cookie exceptions activated on 5 February 2026, and most UK WooCommerce stores have already misread them. The statistical exemption in Section 105 requires the data to be used for the SOLE purpose of service improvement — and any tag that also feeds an ad platform fails that test. Stevens & Bolton’s reading spells it out: cookies shared with third parties for advertising remain caught by the general PECR prohibition. Maximum fines now sit at £17.5M or 4% of global turnover (Bird & Bird, 2026).

The exemption sounds generous on the surface. Five new categories, no consent required, lower banner fatigue. Then you read the wording.

The Five Exceptions Most Stores Don’t Actually Get

DUAA Sections 105-108 amend PECR Regulation 6 to add five exempt cookie categories (Kennedys Law, 2025): strictly necessary (the existing carve-out), statistical/analytics for service improvement, system security and fraud detection, software updates, and interface customisation.

Four of those are narrow by design. Strictly necessary still means what it always meant — remembering items in a basket at checkout, not tracking visitors across pages. Security, software updates and interface customisation are housekeeping cookies. None of them describe what GA4, Meta Pixel or a Google Ads remarketing tag actually does.

That leaves the analytics exemption — the one every marketing blog called a free pass. It is not.

The ‘Sole Purpose’ Sentence That Disqualifies GA4

The Data Protection Network summary of DUAA puts it cleanly: the statistical exemption applies only when the SOLE purpose of the cookie is improving the service, and only when a free, simple opt-out is offered at first use.

Two words do all the work. Sole purpose.

GA4 in a default WooCommerce setup does not have a sole purpose. Out of the box it shares user data with Google for ad personalisation, audience building, Google Ads linking and Google Signals. Even with ad personalisation switched off, Google’s own documentation describes GA4 as part of its advertising stack. Meta Pixel is more obvious: every fired event becomes available for retargeting and lookalike audiences in Ads Manager. Google Ads conversion tags exist to inform bidding.

The Stevens & Bolton briefing on DUAA states the rule directly: where information is collected and shared with third parties for advertising purposes, this remains caught by the general PECR prohibition and still requires consent. The analytics exemption is for analytics. The moment a tag’s downstream use includes advertising, sole purpose dies.

Why GTM Containers Inherit the Problem

Tag managers do not save you. A Google Tag Manager container that loads GA4, Meta Pixel and a Google Ads tag is, for sole-purpose analysis, the union of everything inside it. The container’s purpose is whatever its tags do collectively.

Add Klaviyo, Hotjar, TikTok Pixel or any consent-mode workaround that still pings ad networks and the calculation gets worse, not better. The instigator clause in DUAA makes this concrete. Clifford Chance notes that DUAA amends PECR so that ‘instigating’ the storage or access counts as the regulated act — the WooCommerce store is on the hook for what its tags do, even if the tags are loaded by a third-party container.

Translation: GTM-based stacks need consent. The container does not become exempt because individual tags inside it might, in isolation, be analytics-only.

What Actually Fits the Statistical Exemption

The competitive gap is narrow but real. To plausibly fit DUAA’s statistical exemption, a WooCommerce store needs an analytics pipeline where every event stays inside the store’s own domain and is never fanned out to an ad platform.

That rules out:

  • GA4 (shares with Google’s advertising stack by default)
  • Meta Pixel (events become Meta ad audiences)
  • Google Ads conversion tracking (purpose is bidding optimisation)
  • TikTok, Bing, Pinterest pixels (same logic)
  • Hotjar and Mouseflow, on some readings (third-party servers in adversarial jurisdictions)
  • Any GTM container that loads any of the above

What is left: a first-party data pipeline that collects events on your own infrastructure, stores them in a warehouse you control (BigQuery, Postgres, or a dedicated server), and uses them only for internal service-improvement analytics — page performance, basket abandonment patterns, error tracking, conversion funnel diagnostics.
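One way to check a live page for the fan-out described above, as an added example that is not from the original post or from Transmute Engine: it reads a HAR capture (the `log.entries[].request.url` layout) and sorts every contacted host into first-party, ad-linked or other third-party. The vendor host list, the `yourstore.com` domain and the sample capture are constructed assumptions; the result describes network behaviour only.

```javascript
// Hosts tied to the ad-linked tags the article lists (illustrative, not exhaustive).
const AD_LINKED = {
  "google-analytics.com": "GA4",
  "googletagmanager.com": "Google Tag Manager",
  "doubleclick.net": "Google Ads",
  "googleadservices.com": "Google Ads",
  "facebook.net": "Meta Pixel",
  "facebook.com": "Meta Pixel",
  "tiktok.com": "TikTok Pixel",
  "hotjar.com": "Hotjar",
};

// True for the domain itself or a real subdomain; the leading dot stops
// look-alikes such as "yourstore.com.example.net" from matching.
const under = (host, domain) => host === domain || host.endsWith("." + domain);

function auditHar(har, storeDomain) {
  const firstParty = new Set(), other = new Set(), adLinked = new Map();
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the capture
    }
    if (!host) continue; // data: and blob: URLs have no host
    if (under(host, storeDomain)) { firstParty.add(host); continue; }
    const vendorDomain = Object.keys(AD_LINKED).find((d) => under(host, d));
    if (vendorDomain) adLinked.set(host, AD_LINKED[vendorDomain]);
    else other.add(host);
  }
  return {
    firstParty: [...firstParty],
    adLinked: Object.fromEntries(adLinked),
    otherThirdParty: [...other],
    // Only a capture with no host outside the store's domain stays first-party.
    staysFirstParty: adLinked.size === 0 && other.size === 0,
  };
}

// Constructed sample capture (hypothetical store and container ID placeholder).
const SAMPLE_HAR = { log: { entries: [
  "https://yourstore.com/checkout/",
  "https://data.yourstore.com/collect",
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://region1.google-analytics.com/g/collect?v=2",
  "https://data.yourstore.com.example.net/collect",
].map((url) => ({ request: { url } })) } };

console.log(auditHar(SAMPLE_HAR, "yourstore.com"));
```

Because the GTM loader is itself flagged, a container shows up in the report even before any tag inside it fires.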

The opt-out at first use still has to exist. The Data Protection Network guidance is firm on that. But the consent banner can disappear.

The Architecture Decision Most Stores Are Not Making

This is where the question gets concrete. Most WooCommerce stores trying to comply with DUAA are looking at their cookie banner. The banner is not the problem. The data architecture is.

If GA4, Meta Pixel and Google Ads stay in the stack, the banner stays too — and the £17.5M fine ceiling stays live. If the store wants the simpler banner-free path the new exemption opens, it has to move analytics off third-party platforms entirely.

Here’s how you actually do this. Transmute Engine™ is a first-party Node.js server that runs on your own subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events and sends them via API to your Transmute Engine server, which can route to internal analytics destinations only — BigQuery, your own warehouse, your own dashboards — without ever fanning out to GA4, Meta or Google Ads. That is the architecture the statistical exemption assumes you have.

Key Takeaways

  • DUAA’s five cookie exceptions activated on 5 February 2026 under Sections 105-108.
  • The statistical exemption requires the SOLE purpose to be service improvement — advertising linkage breaks it.
  • GA4, Meta Pixel and Google Ads tags do not qualify because they share data with third parties for advertising.
  • GTM containers inherit the purpose of every tag inside them; tag managers do not save you.
  • Only a first-party server-side pipeline with no ad-platform fan-out can plausibly use the new exemption.
  • Maximum PECR fines now sit at £17.5M or 4% of global turnover.

What are the five new DUAA cookie exceptions?

DUAA Sections 105-108 amend PECR Regulation 6 to add five exempt cookie categories: strictly necessary (the existing carve-out), statistical/analytics for service improvement, system security and fraud detection, software updates, and interface customisation. They activated on 5 February 2026.

Does GA4 qualify for the new statistical exemption?

No. The exemption requires the SOLE purpose of the cookie to be improving the service. GA4 shares data with Google for advertising audiences, attribution and Google Ads linking by default, which breaks the sole-purpose test. The Stevens & Bolton reading and the Data Protection Network guidance both state advertising linkage falls outside DUAA’s exemptions.

Can I drop my cookie banner now that DUAA is live?

Only for cookies that genuinely fit one of the five exceptions, and only if you still offer a free, simple opt-out at first use for the statistical category. Most WooCommerce stores running GA4, Meta Pixel or Google Ads tags still need a consent banner because those tags do not qualify.

What does ‘sole purpose’ mean in PECR Section 105?

It means the cookie must serve only the named exempt purpose — for the analytics category, that is service improvement. If the same cookie or pipeline also feeds advertising audiences, attribution or remarketing, the sole-purpose test fails and consent is still required.

What architecture actually fits the new analytics exemption?

A first-party server-side pipeline that captures events on your own domain and uses them only for internal analytics — with no fan-out to GA4, Meta CAPI, Google Ads, TikTok or any other ad platform. The data has to stay inside your control end to end.

Run your tracking on your own server, not someone else’s ad platform. See how Transmute Engine handles first-party WooCommerce analytics →