Are Analytics Cookies Exempt From Consent in the UK in 2026?
The Data (Use and Access) Act 2025 took effect on 5 February 2026 and, for the first time, opens the door for some UK websites to run basic analytics without a consent banner, at least in theory (this is where most people get tripped up). If you’re using Google Analytics 4, the real question isn’t the law: it’s whether your current setup quietly breaks it.
What did the Data (Use and Access) Act 2025 change about cookies?
In practice, this means a very specific type of analytics setup can run without consent, but only if you keep it tightly limited (and most default setups don’t).
Before February 2026, UK websites operated under PECR (Privacy and Electronic Communications Regulations). PECR required consent for any non-essential cookie, including analytics. The DUAA 2025 changes this by introducing an exemption for analytics cookies that are strictly limited in scope.
You don’t get this exemption just for using analytics. Your setup has to line up with the Act’s conditions exactly; there’s not much wiggle room. If it does not, you still need consent.
What conditions does an analytics cookie need to meet to be exempt?
To qualify, an analytics cookie has to stay within four fairly strict limits, and this is where a lot of otherwise ‘simple’ setups fall short: it can only measure activity on your own site, it cannot follow people elsewhere online, you cannot share the data with third parties, and visitors must still be able to opt out.
The ICO’s interpretation of the DUAA 2025 conditions is:
1. The cookie is used solely to understand how visitors use your own website, not for advertising or profiling.
2. It does not follow users across other websites or apps.
3. The data is not passed to any third party, including ad networks.
4. Users can opt out of being tracked, even under the exemption.
Out of the box, Google Analytics 4 usually does not qualify, mainly because features like Google Signals and data sharing are switched on by default (and many people never touch these settings). You would need to switch off Google Signals, disable all data sharing, and reduce the retention period, essentially stripping GA4 back to a very minimal, first-party-only setup.
Does Google Analytics 4 qualify for the analytics cookie exemption?
GA4 can qualify, but only if you disable data sharing with Google, turn off Google Signals, and configure data retention correctly. None of these is how GA4 is set up by default.
In GA4’s default setup, data is shared with Google for advertising features, and Google Signals is often enabled. Both of these involve sharing data with a third party, which disqualifies the cookie from the DUAA 2025 exemption.
To configure GA4 for the exemption, go to Admin > Data Settings > Data Collection. Turn off “Google signals data collection.” Then, go to Admin > Data Settings > Data Sharing. Disable all data sharing with Google products and services.
Also check Admin > Data Settings > Data Retention. Set the retention period to the minimum (2 months for event data). Keeping data for 14 months, for example, is much harder to justify if you’re claiming you only collect the bare minimum.
Finally, review any other tools connected to your GA4 property. If any of them receive user data from the same analytics setup, the exemption does not apply.
Do I still need a cookie banner if I only use Google Analytics?
If your GA4 is correctly configured for the exemption, you may not need a consent banner for analytics cookies, but you still need a cookie notice and may need a banner for any other non-essential cookies.
You still need to tell visitors what you are using and why. The only thing the exemption changes is that, in some cases, you no longer need them to click ‘Accept’.
If your site uses any other non-essential cookies such as Facebook Pixel, Hotjar, live chat or retargeting, those are not covered by the analytics exemption. You still need consent for those. In reality, a typical small business site might be running GA4 alongside something like Hotjar for heatmaps or the Facebook Pixel for ads, and either of those brings the consent banner straight back.
The Information Commissioner’s Office has said it plans to publish guidance for small businesses later in Spring 2026, but until then there is still some uncertainty around how strictly the new exemption will be interpreted. Until that guidance is published, the safe approach is to keep a consent banner and configure GA4 for the exemption as an additional step. A cautious approach here isn’t overkill; it’s what most developers and agencies are sticking with until clearer guidance lands.
Even if your analytics are compliant, your site still needs the usual legal pages and company details.
UK law also requires a privacy policy, terms and conditions, and specific business information on your website. If you are unsure whether your site includes all of those elements, it helps to run through a simple checklist before changing your cookie banner.
What should I do right now if I’m using GA4 on a small business website?
If you are reviewing your site now, start with the analytics settings, then check what other cookies are loading, and finally update your cookie notice.
Work through the GA4 settings above. Then open your site in a private browser window and use Developer Tools (F12 > Application > Cookies) to see what else is loading. If you spot a cookie you don’t recognise, it’s usually coming from a plugin or third-party tool, and it’s worth tracking down before making any changes.
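The cookie check described above can be partly scripted. The following is an added example, not code from this article or from Google: it sorts cookie names into "GA4 candidate", "consent required" and "unrecognised", using name patterns that are the vendors' commonly documented defaults (an assumption to verify against your own site). The function names and sample data are constructed for illustration.

```javascript
// Added example, not from the original article. Name patterns are commonly
// documented vendor defaults and are assumptions; extend them for your site.
const RULES = [
  { re: /^_ga(_[A-Za-z0-9]+)?$/, tool: "Google Analytics 4", bucket: "analyticsCandidate" },
  { re: /^_gcl_/, tool: "Google Ads conversion linker", bucket: "consentRequired" },
  { re: /^_fbp$/, tool: "Facebook Pixel", bucket: "consentRequired" },
  { re: /^_hj/, tool: "Hotjar", bucket: "consentRequired" },
];

// Constructed sample in document.cookie format ("name=value; name=value").
const SAMPLE_COOKIES =
  "_ga=GA1.1.111.222; _ga_ABC123XYZ=GS1.1.333; _fbp=fb.1.444.555; " +
  "_hjSessionUser_1234=abc; wp_lang=en_GB; _ga=GA1.1.111.222";

// Split a cookie string into unique cookie names. Values are discarded so
// visitor identifiers never end up in the audit output.
function cookieNames(cookieString) {
  const names = new Set();
  for (const part of cookieString.split(";")) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    if (name) names.add(name);
  }
  return [...names];
}

function auditCookies(cookieString) {
  const report = { analyticsCandidate: [], consentRequired: [], unrecognised: [] };
  for (const name of cookieNames(cookieString)) {
    const rule = RULES.find((r) => r.re.test(name));
    if (rule) report[rule.bucket].push({ name, tool: rule.tool });
    else report.unrecognised.push({ name, tool: null });
  }
  // Any consent-required cookie brings the banner back; unrecognised
  // cookies have to be traced to their source before deciding.
  report.bannerStillNeeded = report.consentRequired.length > 0;
  report.needsManualReview = report.unrecognised.length > 0;
  return report;
}

// In a browser console this reads the live cookies; under Node it uses the sample.
const input = typeof document !== "undefined" ? document.cookie : SAMPLE_COOKIES;
console.log(JSON.stringify(auditCookies(input), null, 2));
```

`document.cookie` does not expose HttpOnly cookies or cookies set on other domains, so the Developer Tools cookie panel remains the complete view. A name in `analyticsCandidate` only shows that GA4 is present; whether it meets the exemption still depends on the GA4 settings covered earlier.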
For the broader picture on when a cookie banner is legally required, our guide to whether UK websites need a cookie banner covers the full legal framework.
If you’d rather have a site where we handle everything from day one, Duport builds your website with the correct compliance settings already in place. We manage those configuration details during the build, so you won’t have to dig through GA4 settings or second-guess compliance later. It’s live in 72 hours.
Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate.
FAQs
- Does the DUAA 2025 analytics exemption apply to all UK websites?
It applies to UK-based websites that use analytics cookies meeting the DUAA 2025 conditions. If your website targets users in the EU or EEA, EU cookie law (ePrivacy Directive) still applies and requires consent regardless of UK domestic law.
- Do I need to tell visitors I’m using analytics cookies even if I don’t need their consent?
Yes. You’re skipping the consent step, not the explanation: visitors still need to know what’s happening. Your cookie notice or privacy policy must still describe what analytics cookies you use and how visitors can opt out.
- What is “Google Signals” and why does it matter for the exemption?
Google Signals links analytics data to signed-in Google users across devices. This involves sharing data with Google, which disqualifies the setup from the analytics exemption under DUAA 2025. Turn it off in GA4 > Admin > Data Settings > Data Collection.
- What happens if I get the GA4 configuration wrong?
If your GA4 setup does not meet the DUAA 2025 conditions and you remove your consent banner, you are setting non-essential cookies without consent. That puts you in breach of PECR. The ICO can issue fines of up to £500,000 for serious PECR breaches.
- Is my Wix or Squarespace website legally compliant in the UK?
Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information — such as your registered company name and number if you’re a limited company. Most website builders include template pages for some of these, but they don’t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.
