The ICO finalised its storage and access technologies guidance on 29 April 2026, and most UK WooCommerce cookie banners were built against the wrong document. The final version adds two new sub-chapters — ‘simple means of objecting’ and ‘multiple purposes for same technology’ — plus a new chapter on DUAA exceptions that did not exist in the consultation draft. Stores running Complianz, CookieYes or Real Cookie Banner configured against the December 2024 update or the July 2025 re-consultation now have to re-audit against the final guidance (ICO, 2026).
Two New Sub-Chapters Changed What Cookie Banners Have To Do
The draft most CMPs were tuned against came out of the December 2024 update and the July 2025 DUAA re-consultation. Reasonable starting points at the time. The April 29 final is not a cosmetic edit.
What ‘Simple Means of Objecting’ Actually Requires
The new sub-chapter is short. The implication is large.
The reject path has to be at least as simple as the accept path. Same number of clicks. Same prominence. No ‘Accept All’ on the first layer with ‘Reject All’ buried two screens deep behind ‘Customise’.
Most WooCommerce banners running default Complianz, CookieYes or Real Cookie Banner configurations from 2024 do not pass this test. The 2024 norm was a two-button bar with ‘Accept All’ as the prominent action and ‘Customise’ or ‘Manage Preferences’ as the alternative — which usually opens a panel where the user has to toggle individual purposes off, then save.
That asymmetry is the exact pattern the new sub-chapter targets. Translation: your reject button has to be on the first layer, equally prominent, with one click producing the same end state as one click on Accept All.
The ‘Multiple Purposes for Same Technology’ Rule
The second new sub-chapter handles a problem CMPs have been quietly fudging for years. One cookie, more than one purpose.
Common case: a session cookie used for cart persistence (strictly necessary) and for site analytics (not strictly necessary). Older banner configs sometimes treated the cookie as essential because one of its purposes was. The April 29 sub-chapter pushes the other way: if any purpose attached to a cookie or technology requires consent, the whole cookie requires consent.
The strictest applicable basis governs. That changes how a CMP should classify GTM containers, Facebook _fbp cookies, GA4 client identifiers and any analytics tag whose data is also used for advertising audiences.
You may be interested in: The Mike Teasdale 90% Drop When a Cookie Banner Lies to Google
The New Exceptions Chapter Maps DUAA Onto PECR
The third addition is the most overlooked. The final guidance now contains a dedicated chapter explaining how DUAA’s five new exceptions sit on top of PECR Regulation 6.
The chapter restates that the strictly-necessary exemption keeps its narrow meaning — basket persistence, login sessions, security tokens — and clarifies that the four new categories (statistical/analytics for service improvement, security and fraud, software updates, interface customisation) come with their own qualifying conditions. The statistical exemption in particular requires a ‘sole purpose’ test and a free, simple opt-out at first use. Maximum PECR fines under DUAA now reach £17.5M or 4% of global turnover (Stevens & Bolton, 2026).
Why this matters for stale banners: many CMP rule sets configured pre-DUAA classify cookies into ‘necessary / preferences / statistics / marketing’ — old taxonomies that do not map cleanly onto the new exception structure. The exceptions chapter is the ICO’s first explicit cross-walk between DUAA wording and the categories CMPs actually use.
Which CMP Configurations Are Now Stale
Complianz, CookieYes and Real Cookie Banner all have UK presets. Those presets need a version check.
The questions to put to your current setup:
- Does the first banner layer have a Reject All button equal in prominence to Accept All? If not, you fail ‘simple means of objecting’.
- Does any cookie classified as ‘necessary’ also serve a non-essential purpose? If yes, the strictest applicable basis governs and consent is now required.
- Does the consent UI present DUAA exceptions accurately, or does it still use a 2024 cookie taxonomy? Old taxonomies blur statistical-exemption nuance.
- Has the policy text been updated to reference the 29 April 2026 final? Pointing at superseded guidance is itself a credibility signal in any complaint review.
The new PECR complaints procedure activates on 19 June 2026 with a 30-day acknowledgment window. Whatever banner state your store is in by then is the state being measured.
You may be interested in: The Cookieless Tracking Myth: What You Actually Lose
The Architecture Question Behind the Banner Question
Stale CMP configurations are downstream of a bigger problem. WooCommerce stores running GA4, Meta Pixel and Google Ads tags will need a consent banner under any reasonable reading of the April 29 guidance — the new exceptions chapter does not change that. The banner debate is really an architecture debate.
Here’s how you sidestep most of it. Transmute Engine™ is a first-party Node.js server that runs on your own subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events and sends them via API to your Transmute Engine server, which can route only to internal destinations — your own warehouse, your own dashboards — without involving GA4, Meta or Google Ads. That is the architecture the statistical exemption assumes you already have.
Key Takeaways
- The ICO’s storage and access technologies guidance was finalised on 29 April 2026.
- Two new sub-chapters — ‘simple means of objecting’ and ‘multiple purposes for same technology’ — change banner design and cookie classification.
- A new exceptions chapter maps DUAA’s five carve-outs onto PECR Regulation 6.
- ‘Simple means of objecting’ requires a one-click reject path equal in prominence to Accept All.
- Where a cookie has multiple purposes, the strictest applicable basis governs the whole cookie.
- Re-audit your CMP against the 29 April 2026 final, not the December 2024 or July 2025 draft.
The final version adds two new sub-chapters — ‘simple means of objecting’ and ‘multiple purposes for same technology’ — and a new ‘what are the exceptions?’ chapter that explains how DUAA’s five carve-outs interact with PECR Regulation 6. Banners configured against the December 2024 or July 2025 drafts have not been audited against this content.
Yes — re-audit against the 29 April 2026 final guidance, not the draft your CMP was originally configured for. The ‘simple means of objecting’ sub-chapter in particular requires a reject path that is at least as simple as the accept path, which many older configurations do not provide.
It means giving the user a way to refuse non-essential cookies that is genuinely as simple as accepting them — the same number of clicks, the same prominence, no dark patterns. Two-button banners with ‘Accept All’ and ‘Reject All’ on the first layer satisfy it. ‘Accept All’ plus ‘Customise’ usually does not.
It addresses the case where one cookie or pixel serves more than one purpose — for example, a cookie used for both analytics and advertising. The ICO position in the sub-chapter is that the strictest applicable basis governs the whole cookie. If any purpose needs consent, consent is needed for the cookie.
It explains how DUAA’s five carve-outs interact with the existing strictly-necessary exemption. For most WooCommerce stores running GA4, Meta Pixel and Google Ads, the practical impact is that none of those tags fall inside an exception, so the consent banner stays — and now has to be configured against the final guidance.
Re-audit your banner against the April 29 final, not the draft your CMP shipped with. See how Transmute Engine handles first-party WooCommerce analytics →
