Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
United Kingdom of Great Britain and Northern Ireland


United Kingdom — analytics & cookie compliance reference

Post-Brexit divergence — UK GDPR + DPA 2018 + PECR. ICO is the sole regulator. Updated under the Data (Use and Access) Act 2025 — analytics carve-out, lighter cookie regime, but ICO still expects reject-equal-prominence and Consent Mode v2.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting the United Kingdom. Sectoral rules (healthcare, banking, employment, financial promotions) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National additions

Country-specific statutes layered on the UK GDPR baseline.

DPA 2018
Data Protection Act 2018
UK domestic supplement to UK GDPR. Implements the GDPR derogations: child-consent age, special-category permissions, employment, criminal-offence data, the intelligence-services regime, and ICO enforcement powers. Part 3 covers law-enforcement processing; Part 4 covers intelligence services.
  • s. 9 Child-consent age — 13: DPA 2018 s. 9 directs that the '16 years' in Art 8(1) is read as 13, and the UK GDPR text itself now states 13 following the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019
  • s. 10 Special-category data — Schedule 1 conditions for processing
  • ss. 142–146 Information notices, assessment notices and inspection powers
  • s. 170 Criminal offence — knowingly or recklessly obtaining, disclosing or retaining personal data without the controller's consent
Data Protection Act 2018 (c. 12), as amended by the Data (Use and Access) Act 2025
PECR · Stricter
Privacy and Electronic Communications (EC Directive) Regulations 2003
Cookies + electronic marketing + traffic/location data + unsolicited communications. Regulation 6 governs cookie/terminal-equipment access; Regulation 22 governs email/SMS marketing. ICO enforces with fines up to £500K (pre-DUA Act) — DUA Act 2025 raises PECR fines to UK GDPR levels (up to £17.5M or 4% global turnover).
  • Reg 6 Cookies and similar technologies — informed consent required, except strictly-necessary
  • Reg 22 Email/SMS marketing to individuals — prior consent (with narrow soft opt-in for existing customers)
  • Reg 23 Sender identification + unsubscribe in every marketing message
SI 2003/2426, as amended (most recently by the Data (Use and Access) Act 2025)
DUA Act 2025
Data (Use and Access) Act 2025
First substantial post-Brexit reform of UK data law. Adds a 'recognised legitimate interest' list, narrows DPO/DPIA obligations, introduces an analytics and low-risk cookie carve-out from PECR Reg 6 prior consent, recasts the automated-decision rules, raises PECR fines to UK GDPR levels, and creates the Information Commission (a board-led body replacing the Commissioner as a single corporation sole; transition through 2026).
  • Sch 12 PECR Reg 6 reform — consent not required for low-risk analytics, software updates, audience-measurement aggregated stats
  • s. 70 Recognised legitimate interests list — no LIA needed for listed purposes
  • s. 80 PECR penalty alignment — fines up to £17.5M or 4% global turnover
  • Sch 14 Information Commission established — replaces sole-Commissioner ICO governance
Data (Use and Access) Act 2025 (c. 18) — Royal Assent 19 June 2025; phased commencement through 2025–2026
AADC · Stricter
Age Appropriate Design Code (Children's Code)
15 standards for online services likely to be accessed by children under 18. Default settings must be high-privacy; profiling off by default; geolocation off by default; no nudge techniques. The ICO uses the Code to assess analytics, advertising tech, and recommendation systems on consumer-facing services.
  • Std 7 Default settings — high privacy by default for under-18s
  • Std 8 Data minimisation — collect only what is needed for the specific element of the service
  • Std 9 Data sharing — off by default unless there is a compelling reason
  • Std 10 Geolocation — off by default; obvious sign when active
  • Std 12 Profiling — off by default unless there is a compelling reason and appropriate safeguards
ICO statutory code of practice under DPA 2018 s. 123; in force 2 September 2020, with the 12-month transition period ending 2 September 2021

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
ICO · Information Commissioner's Office
Sole UK-wide data protection regulator for UK GDPR, DPA 2018, PECR, NIS Regulations, eIDAS, Freedom of Information Act, and Environmental Information Regulations. Transitioning to the new Information Commission under the DUA Act 2025 through 2026.

Devolved nations · 3 entries (none is a separate data-protection regulator)

Nation · Authority · Note
Scotland · Scottish Information Commissioner · FOI(S)A only; no data-protection jurisdiction, the ICO covers UK GDPR/PECR across Scotland
Northern Ireland · ICO Belfast Regional Office · ICO regional office, not a separate regulator
Wales · ICO Wales Regional Office · ICO regional office, not a separate regulator

Coordination body

ICO25 Strategy · ICO Three-Year Strategic Plan
ICO's published priorities — children's privacy, AI, biometrics, online tracking, public-sector accountability. Sets the enforcement and guidance agenda; non-binding but signals where investigations land.
  • 2023-08-01 · Cookie banner sweep — ICO wrote to top 100 UK websites warning that 'reject all' must be as easy as 'accept all' — equal-prominence requirement reaffirmed.
  • 2024-01-31 · Cookie compliance update — Follow-up sweep — ICO confirmed many top sites improved; published Q1 2024 review; signalled enforcement against persistent non-compliers.
  • 2024-12-09 · Consent-or-Pay (pay-or-okay) — ICO consultation response — 'consent or pay' models can be lawful but require genuine choice, fair pricing, and freely-given consent test mirroring EDPB Op 08/2024.
  • 2025-06-19 · DUA Act analytics carve-out — Royal Assent — analytics and low-risk cookies no longer require prior consent if information is provided and users can object. ICO guidance on the new regime expected through H2 2025–H1 2026.

Notable enforcement

The UK has the highest profile of any non-EU European regulator. ICO's headline UK GDPR fines tend to land 60–90% below initial intention-to-fine notices (BA £183M → £20M; Marriott £99M → £18.4M) — a pattern that survived Brexit. Post-2023 the ICO has shifted toward PECR enforcement (cookies, marketing) and children's-data cases, which align with its ICO25 strategic priorities. The DUA Act 2025 raises PECR fines to UK GDPR levels (£17.5M / 4% turnover), so PECR enforcement risk increases through 2026.

GA4 status

GA4 is more comfortably usable in the UK than under most EU member states. ICO requires informed consent for non-essential cookies under PECR Reg 6 plus a reject-equal-prominence button; the DUA Act 2025 carves out low-risk audience-measurement analytics from prior-consent (subject to ICO guidance still being finalised). Transfers to Google LLC are covered by the UK Extension to the DPF (effective 12 Oct 2023) — no TIA required while certification holds. Google Consent Mode v2 is the ICO-aligned implementation pattern.

Authority · Stance
ICO · Permissive: DPF + Consent Mode v2 + a reject-equal-prominence banner is acceptable; the analytics carve-out under the DUA Act is expected to widen permissibility through 2026.
ICO Children's Code team · Stricter on services likely to be accessed by children: profiling off by default; GA4 Signals and Audiences should be disabled for under-18 audiences.
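The GA4 paragraph above names Consent Mode v2 plus a reject-equal-prominence banner as the ICO-aligned pattern, and the vendor notes below repeat the same rule for tag managers: block until consent. What a practitioner actually needs to verify is ordering on the dataLayer: denied defaults pushed before any tag, the banner's Accept and Reject paths both wired to a consent update, and no measurement tag firing before the consent type it depends on is granted. The following is an added example written for this page; it is not code from the ICO, Google or any vendor listed here. The four storage names are Google's documented Consent Mode v2 parameters; the `region: ['GB']` scoping, the `wait_for_update` value, the tag-to-consent mapping and both scenarios are constructed assumptions. It runs in Node with no browser by treating the dataLayer as a plain array.

```javascript
// Added example (not code from the ICO, Google or any vendor on this page):
// Consent Mode v2 defaults, the banner choice update, and an audit that replays
// a dataLayer to catch tags that fired before the consent they depend on was granted.
// The four storage names are Google's documented Consent Mode v2 parameters;
// the region, wait_for_update value and tag-to-consent mapping are assumptions.

const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Assumed mapping of tag names to the consent type they need (hard-gating model:
// a tag must not fire at all until its type is 'granted').
const TAG_REQUIREMENTS = {
  ga4_config: 'analytics_storage',
  ga4_page_view: 'analytics_storage',
  ads_conversion: 'ad_storage',
  remarketing: 'ad_personalization',
};

function allTypes(value) {
  return Object.fromEntries(CONSENT_TYPES.map((t) => [t, value]));
}

// Wraps a dataLayer array (the real gtag() pushes an arguments object; an array behaves the same here).
function createConsentController(dataLayer) {
  const gtag = (...args) => { dataLayer.push(args); return args; };

  // Step 1: push denied defaults before any tag loads. wait_for_update lets the CMP
  // supply a stored choice before tags read the state.
  function setDefaults() {
    const defaults = { ...allTypes('denied'), wait_for_update: 500, region: ['GB'] };
    gtag('consent', 'default', defaults);
    return defaults;
  }

  // Step 2: apply the banner outcome. 'reject' must be as reachable as 'accept';
  // 'custom' carries per-type toggles from a granular settings panel.
  function applyChoice(choice, granular = {}) {
    let state;
    if (choice === 'accept') state = allTypes('granted');
    else if (choice === 'reject') state = allTypes('denied');
    else if (choice === 'custom') {
      state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, granular[t] === true ? 'granted' : 'denied']));
    } else throw new Error(`unknown choice: ${choice}`);
    gtag('consent', 'update', state);
    return state;
  }

  // Step 3: what a tag firing looks like on the dataLayer.
  function fireTag(name, params = {}) {
    return gtag('event', name, params);
  }

  return { setDefaults, applyChoice, fireTag };
}

// Audit: replay in order, track the latest consent state per type, and flag events whose
// required type was not 'granted' when they fired. A tag that fires before any
// 'consent default' push is reported with state 'unset', the classic "loads pre-consent" bug.
function auditDataLayer(dataLayer, requirements = TAG_REQUIREMENTS) {
  const state = {};
  const violations = [];
  dataLayer.forEach((entry, index) => {
    const [command, action, payload = {}] = entry;
    if (command === 'consent' && (action === 'default' || action === 'update')) {
      for (const t of CONSENT_TYPES) if (payload[t]) state[t] = payload[t];
    } else if (command === 'event' && requirements[action]) {
      const needed = requirements[action];
      if (state[needed] !== 'granted') {
        violations.push({ index, tag: action, needed, state: state[needed] || 'unset' });
      }
    }
  });
  return violations;
}

// Two constructed scenarios: a correctly gated page and a page whose container fires early.
function demo() {
  const good = [];
  const a = createConsentController(good);
  a.setDefaults();
  a.applyChoice('reject');                               // Reject all: nothing fires
  a.applyChoice('custom', { analytics_storage: true });  // later visit: analytics only
  a.fireTag('ga4_page_view', { page_location: 'https://example.test/' });

  const bad = [];
  const b = createConsentController(bad);
  b.fireTag('ga4_config');                               // fired before defaults were pushed
  b.setDefaults();
  b.fireTag('ads_conversion');                           // fired while ad_storage was denied
  b.applyChoice('accept');
  b.fireTag('remarketing');                              // fine: granted by now

  return { good: auditDataLayer(good), bad: auditDataLayer(bad) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit models the hard-gating reading of the page's advice (the tag does not fire at all until its consent type is granted), which is also why an 'unset' state counts as a violation: a container that fires GA4 before the consent default is even pushed is the exact failure the ICO's sweeps were looking for. Adapting it to a live site means feeding it a copy of `window.dataLayer` captured after page load and extending `TAG_REQUIREMENTS` to your own tag names.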

Cross-border transfers + Schrems II

The UK Extension to the EU-US Data Privacy Framework took effect on 12 October 2023. UK exporters can rely on DPF certification for transfers to UK-extension-certified US importers. ICO position is permissive — no TIA required for DPF transfers, though documenting reliance is recommended. The UK-EU adequacy decision was renewed by the European Commission in December 2025 for a further six years, removing two-way friction.

UK uses the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs — both issued under DPA 2018 s. 119A and effective from 21 March 2022. Pre-existing EU SCCs were valid until 21 March 2024; from that date all new transfers require IDTA or the Addendum. ICO published a TIA tool but treats it as guidance rather than a hard requirement.

Employee data

Key thresholds

Child consent age · 13 years (DPA 2018 s. 9)
Article 27 representative · Required for non-UK controllers and processors in scope of UK GDPR Art 3(2), subject to the small-business exception
Marketing consent · Opt-in under PECR Reg 22 (soft opt-in for existing customers); double opt-in is recommended practice, not a legal requirement

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.


Common questions

Is Google Analytics legal in the UK in 2026?
Yes, with proper configuration. GA4 is usable in the UK with informed consent under PECR Reg 6 plus a reject-equal-prominence button on the cookie banner. Transfers to Google's US servers are covered by the UK Extension to the EU-US DPF (in force from 12 October 2023). The Data (Use and Access) Act 2025 introduces a low-risk analytics carve-out from prior-consent — ICO guidance on the exact scope is being finalised through 2026, but Consent Mode v2 + reject-equal-prominence is the safe default.
What's the difference between UK GDPR and EU GDPR?
UK GDPR is the EU GDPR retained as a domestic UK statute after Brexit (effective 1 January 2021), supplemented by the DPA 2018 and amended by the DUA Act 2025. Substantively very close to EU GDPR, with UK-specific differences: child-consent age 13 (vs EU default 16), recognised-legitimate-interest list (DUA Act 2025), narrower DPIA/DPO triggers post-DUA Act, and ICO as sole regulator. Companies operating across both regimes need parallel UK and EU mechanisms (UK rep + EU rep, IDTA + SCCs).
How does the ICO position differ from the EDPB?
The ICO is generally more pragmatic and outcomes-focused than the EDPB. Examples: ICO's fines are typically reduced 60–90% from initial intention-to-fine notices; ICO accepts DPF without requiring TIA documentation; ICO permits 'consent-or-pay' models with conditions (vs EDPB Op 08/2024's stricter posture); ICO's analytics carve-out under DUA Act 2025 has no EU equivalent. The ICO is also a member of the Global Privacy Assembly and coordinates internationally, but is no longer bound by EDPB guidelines.
What changed under the DUA Act 2025?
The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Key changes for analytics: (1) low-risk audience-measurement analytics no longer require prior consent under PECR Reg 6; (2) recognised legitimate interests list — no LIA needed for listed purposes; (3) narrower DPO and DPIA triggers; (4) PECR fines raised to UK GDPR levels (up to £17.5M / 4% global turnover); (5) the Information Commission replaces the sole-Commissioner ICO governance model (transition through 2026). ICO guidance is being published in tranches through H2 2025–H1 2026.
Is the UK still adequate to the EU after Brexit?
Yes. The European Commission granted UK adequacy on 28 June 2021 with a four-year sunset. In December 2025 the Commission renewed UK adequacy for a further six years (through 2031), confirming that the DUA Act 2025 reforms did not break essential equivalence with EU law. EU-to-UK transfers remain free of additional safeguards. In the other direction, the UK Government (the Secretary of State, not the ICO) maintains the UK's own adequacy regulations, which carried over every jurisdiction previously recognised by the European Commission plus the EEA.
Does the UK still require a 'reject all' button on cookie banners?
Yes. The ICO's August 2023 letter to top-100 UK websites and follow-up Q1 2024 sweep reaffirmed that 'reject all' must be as prominent and as easy to access as 'accept all'. Pre-ticked boxes, dark patterns, and friction on rejection are PECR Reg 6 violations. The 2024 Sky Betting & Gaming reprimand is the canonical case. The DUA Act 2025 analytics carve-out narrows what needs consent but does not remove the equal-prominence requirement for tracking that still requires consent.
What is the Children's Code (AADC) and does it apply to my analytics?
The Age Appropriate Design Code is a statutory ICO code that came into force on 2 September 2020, with the transition period ending 2 September 2021. It applies to information society services 'likely to be accessed by children' under 18, which includes most consumer websites and apps. Its 15 standards include high-privacy defaults, data minimisation, profiling off by default, geolocation off by default, no nudge techniques, and mandatory DPIAs. For analytics: GA4 Signals and Audiences should be disabled for child-facing services; session-replay tools require a DPIA and consent gating (parental consent for under-13s). The TikTok £12.7M fine (2023, for processing under-13s' data without parental consent) and the Snap 'My AI' preliminary enforcement notice (2023, later closed without a final notice) show where the ICO's children's-data enforcement has landed.
Does Schrems II logic still apply to UK transfers?
For transfers to non-DPF-certified US importers, yes — the UK GDPR's Chapter V is materially identical to EU GDPR, so Schrems II reasoning survives. For DPF-certified importers (Google LLC, Microsoft, Meta, etc.) the UK Extension to the DPF (12 October 2023) provides adequacy, and the ICO does not require a TIA. For non-DPF transfers UK exporters use the IDTA or the UK Addendum to EU SCCs (in force since 21 March 2022). The ICO published a TIA tool but treats it as guidance.
Do I need a UK Article 27 representative?
Yes if you are a non-UK controller or processor offering goods or services to, or monitoring the behaviour of, people in the UK, unless the exception in UK GDPR Art 27(2) applies (occasional processing, no large-scale special-category or criminal-offence data, and low risk to individuals). The UK rep is separate from any EU Article 27 rep: non-EU, non-UK companies serving both markets need both. The ICO has published guidance on when a representative is required, and failing to designate one is itself an infringement of UK GDPR Art 27.
What about the Online Safety Act 2023 — is that the UK's DSA equivalent?
The Online Safety Act 2023 (in force from 26 October 2023, with phased Ofcom commencement through 2025) is the UK's broad analogue to the EU Digital Services Act, but the regulator is Ofcom, not the ICO. It targets illegal content, child safety, and user empowerment on user-to-user services and search. Overlap with UK GDPR is at the edges: age-assurance technology, profiling, and recommender-system transparency. Most analytics deployments are not directly regulated by the OSA — but child-facing services must align AADC + OSA obligations.

// EDITORIAL · NOT LEGAL ADVICE This page summarises the United Kingdom's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and regulator position. For binding interpretation, consult UK-qualified counsel.