UK GDPR and PECR: Cookie Consent After Brexit

What is the UK GDPR after Brexit? See how it works with the Data Protection Act 2018 and PECR, the fine cap, and what the Data (Use and Access) Act 2025 changed.


by Riad Us Salehin • 4 July 2026


The UK GDPR is the UK's version of the General Data Protection Regulation, retained in domestic law after Brexit. Alongside the Data Protection Act 2018, it controls how organisations handle personal data and gives people rights over it. Cookie consent runs on a separate law, PECR, enforced by the ICO.

Two things changed recently. The Data (Use and Access) Act 2025 is now fully in force and amends all three laws. Separately, the EU renewed the UK's adequacy status through 27 December 2031. This guide covers both, plus the principles, your rights, the fine cap, and what your cookie banner must do.

What Is the UK GDPR?

The UK GDPR (UK General Data Protection Regulation) is the retained EU law version of the General Data Protection Regulation, Regulation (EU) 2016/679. The European Union (Withdrawal) Act 2018 brought it into UK law, effective since 1 January 2021. It sets the rules for how organisations process personal data and grants data subjects a defined set of rights.

The UK GDPR essentially mirrors the EU GDPR's text, article for article, but it is a legally distinct instrument. Since Brexit, the UK Parliament can amend it independently of the EU. The Data (Use and Access) Act 2025 is the first major example: it changes several UK GDPR provisions while leaving the EU version untouched.

UK GDPR vs the Data Protection Act 2018 and PECR: How They Fit Together

UK data protection runs on three laws that work together, not one. The UK GDPR sets the core rules and rights for processing personal data.

The Data Protection Act 2018 supplements it with UK-specific detail. It covers special category data conditions, exemptions, and the age at which someone counts as a child for data protection purposes. It also covers law-enforcement and intelligence-service processing that the UK GDPR does not reach.

The Privacy and Electronic Communications Regulations 2003, PECR, sets the rules for cookies, electronic marketing, and similar technologies. This third law answers the question website owners actually ask most: which law requires a cookie banner?

The answer is PECR, not the UK GDPR directly. PECR's regulation 6 sets the basic cookie rule: tell people the cookies are there, explain what they do and why. Get their consent before storing a non-essential cookie on their device.

PECR borrows the UK GDPR's consent standard rather than defining its own: freely given, specific, informed, and given through an unambiguous positive action. That overlap is why the two laws are so often confused.

LawWhat it governsRole for your website
UK GDPRCore rules and rights for processing personal dataSets the consent standard PECR borrows; governs what you do with data once collected
Data Protection Act 2018UK-specific detail: special category data, exemptions, law enforcementRarely touches a typical commercial website directly
PECR 2003Cookies, electronic marketing, and similar technologiesThe law that actually requires your cookie banner

All three laws are now amended by the Data (Use and Access) Act 2025, covered below.

The 7 Principles of the UK GDPR

Anyone who handles personal data must follow seven data protection principles, set out in Article 5 of the UK GDPR.

  1. Lawfulness, fairness, and transparency: process data legally and explain it clearly
  2. Purpose limitation: use data only for the purpose you collected it for
  3. Data minimisation: collect only what you need
  4. Accuracy: keep data correct and up to date
  5. Storage limitation: do not keep data longer than necessary
  6. Integrity and confidentiality: secure data against unauthorised access or loss
  7. Accountability: demonstrate your own compliance with the other six principles

Article 5(2) adds accountability as a standalone obligation: a controller must be able to demonstrate compliance, not just achieve it. Breaching these principles sits in the highest fine tier under Article 83(5)(a).

What Rights Does the UK GDPR Give People?

The UK GDPR gives individuals eight rights over their personal data.

  • Right to be informed: know how your data is being used
  • Right of access: request a copy of your data (a Subject Access Request)
  • Right to rectification: have incorrect or incomplete data corrected
  • Right to erasure: have data deleted in certain circumstances, often called the right to be forgotten
  • Right to restrict processing: limit how your data is used without deleting it
  • Right to data portability: get your data in a reusable format to move to another service
  • Right to object: object to processing in certain circumstances, including direct marketing
  • Rights related to automated decision-making and profiling: protection against decisions made solely by automated means that significantly affect you

Subject access requests only require a "reasonable and proportionate" search since the Data (Use and Access) Act 2025 clarified the standard, covered further below.

Who Has to Comply with the UK GDPR?

Any organisation established in the UK that processes personal data must comply. So must any organisation outside the UK that offers goods or services to, or monitors the behaviour of, people in the UK.

  • UK-established organisations processing personal data, as either a controller (decides why and how data is used) or a processor (processes data on a controller's behalf)
  • Overseas organisations that offer goods or services to individuals in the UK
  • Overseas organisations that monitor the behaviour of individuals in the UK

A US e-commerce store shipping to UK customers falls under the UK GDPR through the second test, even without a UK office.

An organisation caught by the UK GDPR but with no UK establishment must usually appoint a UK representative. The main exceptions are public authorities and processing that is occasional, low-risk, and does not involve large-scale special category or criminal-offence data. The representative acts as the organisation's point of contact for the ICO and for the people whose data it processes.

How Does the UK GDPR Differ from the EU GDPR?

The UK GDPR and the EU GDPR share the same core principles and rights, but they are legally distinct since Brexit.

UK GDPREU GDPR
Territorial scopeUK-established organisations, plus overseas organisations targeting UK individualsEU/EEA-established organisations, plus overseas organisations targeting EU/EEA individuals
Supervisory authorityThe Information Commissioner's Office (ICO) aloneA network of national authorities, coordinated through a "one-stop-shop" system
Maximum fineUp to GBP 17.5 million or 4% of global turnoverUp to EUR 20 million or 4% of global turnover
Cross-border transfersThe EU renewed the UK's adequacy status on 19 December 2025, valid to 27 December 2031; the UK sets its own separate transfer regime for data leaving the UKGoverned by the EU's own adequacy and transfer framework

An organisation handling both UK and EU personal data must comply with both regimes side by side. Adequacy makes data flow between them easier, but it does not merge the two laws into one. For the EU-side rules in full, see the General Data Protection Regulation.

UK GDPR Fines and How the ICO Enforces It

The Information Commissioner's Office (ICO) is the UK's sole data protection regulator. It investigates complaints, issues enforcement notices, and fines organisations that breach the UK GDPR, the DPA 2018, or PECR.

Fines fall into two tiers. The higher tier covers breaches of the basic data protection principles or individual rights. It caps at GBP 17.5 million or 4% of worldwide turnover, whichever is higher. The standard tier covers less severe administrative or technical violations, capped at GBP 8.7 million or 2% of turnover, whichever is higher.

PECR breaches, including a non-compliant cookie banner, historically carried a far lower penalty ceiling than the UK GDPR. The Data (Use and Access) Act 2025 raises the maximum PECR penalty sharply, moving it toward UK GDPR levels. It stays a separate ceiling from the two tiers above, though.

The ICO decides the actual fine case by case, weighing the nature of the breach, the organisation's response, and its cooperation with the investigation.

The Data (Use and Access) Act 2025: What Changed

The Data (Use and Access) Act 2025, or DUAA, is a UK reform. It amends, but does not replace, the UK GDPR, the Data Protection Act 2018, and PECR. It received Royal Assent on 19 June 2025, and its data protection provisions were phased in over the following year. As of the ICO's June 2026 confirmation, all of them are now in force.

  • Cookies: some low-risk cookies, such as those used for statistical purposes or to improve site functionality, can now be set without consent
  • Recognised legitimate interests: a new lawful basis that removes the need to run a balancing test for specific activities, such as crime prevention or safeguarding
  • Automated decision-making: a simplified regime that allows more automated decisions, with restrictions concentrated on special category data
  • Subject access requests: organisations only need to make "reasonable and proportionate" searches to respond to a request
  • Complaints: a new duty to provide an electronic complaints form, acknowledge complaints within 30 days, and respond without undue delay
  • ICO powers and structure: the ICO gains new investigatory powers, such as compelling a witness to attend an interview. It is also restructuring from a corporation sole into a corporate body

The DUAA did not abolish the UK GDPR. It reshapes specific provisions inside the same three-law framework covered above. The UK GDPR, the DPA 2018, and PECR all remain in force, amended rather than replaced.

UK Cookie Consent Rules: What Your Banner Must Do

A UK website must get consent before setting non-essential cookies and let visitors refuse as easily as they accept.

  • Get prior, opt-in consent before setting analytics, advertising, or social-media cookies
  • Give visitors an equally easy "Reject" option alongside "Accept": consent is not valid if declining takes more effort than accepting
  • Never rely on implied consent, scrolling, or pre-ticked boxes as a substitute for an active choice
  • Set strictly necessary cookies, such as a shopping basket or a login session, without consent
  • Set the DUAA's newly exempt low-risk cookies, such as basic analytics or functionality cookies, without consent where they qualify
  • Tell visitors what cookies you use and why, in clear and comprehensive language
  • Keep a record of each visitor's consent choice

Banners without a working reject option are a recurring, publicly documented problem on UK sites. A widely upvoted UK privacy forum thread on cookie-banner compliance found non-compliant banners on both large and small sites. One top reply estimated that more than half of sites store non-essential cookies before the visitor makes any choice.

Meeting the GDPR's rules for cookie banners closes that specific gap. For the full compliance checklist, see how to make your website GDPR compliant.

How Consently Helps You Meet UK Cookie Consent Rules

Consently supports the consumer-facing side of UK cookie compliance. That means a GDPR opt-in banner with equal Accept and Reject controls, automatic cookie scanning, and a timestamped consent record.

Consently shows UK visitors a GDPR-style opt-in banner with clear Accept and Reject buttons built to the same weight, the parity UK cookie rules require. The banner supports region-based display. A site serving both UK and US visitors can show each audience its own model, opt-in or opt-out, from the same account.

Two features handle the detection and evidence side. Automatic cookie scanning and pre-consent auto-blocking find the cookies, trackers, scripts, and iframes on your site. Non-essential ones stay blocked until a visitor consents, so nothing fires before the choice is made.

Consent logs with export keep a timestamped record of each visitor's decision, useful if the ICO ever asks for proof of compliance. Consently's cookie and privacy policy generators produce the disclosure documents PECR and the UK GDPR expect you to publish.

Consently does not make a site "UK GDPR compliant" on its own. It also does not act as a UK or EU representative, and it does not detect a visitor's browser-level Global Privacy Control signal. Policy generators assist with disclosure; they are not legal advice.

Consently's GDPR cookie consent tools are free to try for 14 days. Try Consently free to see the opt-in banner and consent log in your own dashboard.

FAQs

Is the UK still under GDPR after Brexit?

Yes. The UK kept the GDPR as the "UK GDPR," retained in domestic law since 1 January 2021 under the European Union (Withdrawal) Act 2018. It runs as UK law, separate from but closely aligned with the EU GDPR.

Is the UK GDPR the same as the EU GDPR?

No, though they share the same principles and rights. The UK GDPR is regulated solely by the ICO, and its fines are set in pounds, up to GBP 17.5 million. It can also diverge from the EU version, as the Data (Use and Access) Act 2025 already has.

What is the difference between the UK GDPR and the Data Protection Act 2018?

The UK GDPR sets the core rules and rights for processing personal data. The Data Protection Act 2018 supplements it with UK-specific detail: special category data conditions, exemptions, and law-enforcement processing the UK GDPR does not cover.

Do I need a cookie banner under UK law?

Yes, if your site sets non-essential cookies. PECR requires prior opt-in consent for them, with an equally easy reject option. Strictly necessary cookies, and a few newly exempt low-risk cookies under the Data (Use and Access) Act 2025, do not need consent.

What are the maximum UK GDPR fines?

Up to GBP 17.5 million or 4% of total annual worldwide turnover, whichever is higher, for the most serious breaches. Less severe breaches carry a lower ceiling of up to GBP 8.7 million or 2% of turnover.

Does the UK GDPR apply to companies outside the UK?

Yes. It reaches organisations outside the UK that offer goods or services to, or monitor the behaviour of, people in the UK. Most of those organisations must appoint a UK representative.

Did the Data (Use and Access) Act 2025 abolish the UK GDPR?

No. The DUAA amends the UK GDPR, the Data Protection Act 2018, and PECR; it does not replace any of them. All of its data protection provisions are now in force.

UK GDPR and PECR together decide most of what a UK website has to do about cookies. The Data (Use and Access) Act 2025 has already reshaped parts of both. For the deeper PECR mechanics behind your cookie banner, read the UK cookie rules under PECR.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.