UK DUA Act 2025: Can Your WooCommerce Store Drop GA4 Consent Banners?

April 8, 2026
by Cherry Rose

The UK Data (Use and Access) Act 2025 received Royal Assent in June 2025. You may have read the headlines: analytics cookies are getting an exemption. Consent banners might not be required. Here’s what those headlines left out: the exemptions are not yet in force. Secondary legislation is still pending. And while the consent rules are unchanged, the maximum PECR fine just jumped from £500,000 to £17.5 million. WooCommerce stores removing their consent banners based on DUA Act coverage are taking on more legal risk, not less.

The ICO found 134 of 200 top UK websites non-compliant with cookie rules in its January 2025 review — and then announced it would assess the top 1,000 UK sites across the year. This is what active enforcement looks like. Here is what the DUA Act actually changed, what is still pending, and what your WooCommerce store should do in the meantime.

What the DUA Act 2025 Actually Changed

Let’s be clear on what the DUA Act did and didn’t do, because the two are running in parallel and most coverage conflates them.

What changed immediately: The maximum PECR fine ceiling. Previously £500,000 — a figure the ICO had pushed against for years as insufficient to deter large tech platforms. The DUA Act raised it to £17.5 million or 4% of global annual turnover, whichever is higher. This aligns PECR penalties with GDPR’s maximum tier and took effect with the Act.

What the Act introduced but has not yet enacted: A framework for analytics cookie exemptions. The DUA Act creates a legal basis for certain analytics uses to qualify as exempt from the prior consent requirement — but the secondary legislation that defines exactly which analytics uses qualify, under which conditions, and with what safeguards has not been published. Without that secondary legislation, the exemption framework is a structure without rules. Consent requirements remain unchanged.

The question isn’t whether the DUA Act matters. It does. The question is timing, and the timing means that the window between “fine ceiling raised” and “exemptions in force” is exactly the wrong moment to drop your consent banner.

The ICO’s position on GA4 analytics cookies has not changed with the DUA Act. GA4 analytics cookies are non-essential under PECR — they are not required for the website to function, and they collect behavioral data for purposes beyond service delivery. Non-essential cookies require prior consent before placement.

This means your GA4 tracking script, your Facebook Pixel, your Microsoft Clarity — all of it requires consent under the existing rules, which are the rules in force today.

Some legal commentary has suggested the ICO may informally soften enforcement ahead of the exemptions landing. The ICO’s own published enforcement programme says otherwise: assessment of the top 1,000 UK websites for PECR compliance, active throughout 2025. The gap between informal softening and formal exemption is not a gap worth testing with a £17.5 million ceiling in place.

The Fine Trap: Higher Risk Right Now, Not Lower

Here’s the structural problem with removing consent banners now. The two DUA Act provisions most relevant to WooCommerce stores move in opposite directions.

The analytics cookie exemption — the provision that would reduce your consent obligations — is pending secondary legislation. It isn’t law yet. The maximum fine increase — the provision that increases your exposure if you’re non-compliant — took effect immediately.

Acting on the exemption before it’s in force, while the enlarged fine ceiling applies, is the highest-risk position a WooCommerce store can take right now.

Mayer Brown and Clifford Chance both flagged this in their DUA Act analyses: the enforcement gap between Royal Assent and secondary legislation is precisely the period when stores that read headlines rather than legislation are most exposed. The ICO has not published formal guidance indicating it will pause enforcement while secondary legislation is drafted. Its 2025 website compliance programme is running regardless.

What to Do While You Wait

The DUA Act exemptions will eventually land — most legal analysis points to mid-to-late 2026 for secondary legislation. When they do, qualifying analytics uses may no longer require prior consent. Here’s the thing: even when exemptions are in force, the data quality problem doesn’t disappear. Consent rejection rates in the EU run at 40–70%. UK rates are lower but not negligible. You’ll still be missing a portion of user data.

The structural answer — before, during, and after exemptions — is to reduce your dependency on client-side cookie placement entirely. Transmute Engine™ runs as a first-party Node.js server on your own subdomain. The inPIPE WordPress plugin captures WooCommerce events at the server hook level and routes them via API to the Transmute Engine, which delivers to GA4, Facebook CAPI, Google Ads, and BigQuery simultaneously — without placing cookies in the browser. No client-side cookie placement means no PECR trigger for those events. The consent banner question becomes structurally less critical when your core tracking architecture doesn’t depend on cookie consent to function.

Key Takeaways

  • The DUA Act cookie exemptions are not in force. Secondary legislation is pending. Do not remove your consent banner based on DUA Act headlines — the legal basis for doing so doesn’t exist yet.
  • The fine ceiling rose immediately. The maximum PECR fine is now £17.5 million or 4% of global turnover. This took effect with the Act, before any exemptions apply.
  • GA4 still requires consent. The ICO’s position on analytics cookies as non-essential under PECR has not changed. Consent is required until the secondary legislation formally enacts the exemption framework.
  • ICO enforcement is active. 134 of 200 top UK sites failed compliance review in January 2025. The ICO is assessing the top 1,000 sites throughout 2025. This is not a softening environment.
  • Use the lead time architecturally. Server-side tracking reduces client-side cookie dependency now — giving you compliant data collection today and a strong position for however the exemptions land.

Frequently Asked Questions

Does the UK DUA Act 2025 mean I no longer need a cookie consent banner on my WooCommerce store?

No — not yet. The DUA Act received Royal Assent in June 2025 and introduced an analytics cookie exemption framework, but the secondary legislation defining which analytics uses qualify is still pending as of early 2026. Until that legislation is enacted, PECR’s existing consent requirements apply in full. Removing your banner now increases legal risk — the maximum PECR fine also rose to £17.5 million under the same Act.

What did the DUA Act 2025 actually change for PECR and cookie consent?

Two significant changes: it introduced a framework for analytics cookie exemptions (not yet in force, pending secondary legislation), and it raised the maximum PECR fine from £500,000 to £17.5 million or 4% of global annual turnover. The fine increase took effect immediately. The cookie exemptions did not. WooCommerce stores face higher penalties for non-compliance while the rules themselves remain unchanged.

Are GA4 analytics cookies exempt from consent requirements under the DUA Act?

Not yet. The ICO confirmed GA4 analytics cookies as non-essential under PECR, requiring prior consent. The DUA Act created a pathway for analytics exemptions, but the secondary legislation defining qualifying criteria has not been enacted. GA4 requires consent on UK websites until formal exemptions take effect — expected mid-to-late 2026 at the earliest based on current legislative timelines.

What is the maximum fine for a PECR cookie consent violation in the UK?

Since the DUA Act 2025, the maximum PECR fine is £17.5 million or 4% of global annual turnover — whichever is higher. This is a 35-fold increase from the previous £500,000 ceiling. The ICO is actively reviewing the top 1,000 UK websites for PECR compliance throughout 2025.

What should WooCommerce stores do right now about cookie consent and the DUA Act?

Keep your consent banner in place and compliant. Monitor ICO guidance for updates on DUA Act analytics exemptions — expected mid-to-late 2026. Use the lead time to implement server-side tracking that reduces client-side cookie dependency, so that when exemptions do land you’re already capturing data without relying on consent-gated cookie placement.

Don’t act on the exemption before it’s law. The secondary legislation will land — watch the ICO’s formal guidance announcements, not the press releases. In the meantime, your consent banner stays up and your tracking architecture gets smarter. seresa.io
