UK GDPR — Brexit's Privacy Law
How the UK's version of GDPR works, how it differs from the EU version, and what it means for your cookie consent.
The UK General Data Protection Regulation is the UK’s post-Brexit privacy law. It’s the EU GDPR, adapted for UK law. For most practical purposes, it’s the same thing.
But there are differences, and they’re starting to matter.
How it came to be
When the UK left the EU in 2021, the EU GDPR no longer applied directly. The UK incorporated it into domestic law as the “UK GDPR.” It works alongside two other laws:
- Data Protection Act 2018, which sets UK-specific exemptions and establishes ICO powers
- Privacy and Electronic Communications Regulations (PECR), which governs cookies and direct marketing
All three are enforced by the Information Commissioner’s Office (ICO).
UK GDPR vs EU GDPR: the differences
For websites and cookie consent, the two are nearly identical. Same seven principles. Same data subject rights. Same consent standard.
Where they diverge:
- The UK GDPR is administered by the ICO, not EU supervisory authorities
- The UK can amend it independently, and has started doing so
- The Data (Use and Access) Act 2025 (effective February 2026) introduced significant changes
The 2025 reform: DUAA
The Data (Use and Access) Act 2025 amended the UK GDPR. Key changes:
- New cookie exemptions. A limited set of new cookie categories is exempt from the consent requirement
- New lawful basis. “Recognised Legitimate Interests” (RLI), a seventh lawful processing ground for specific public-interest contexts
- Expanded ICO powers. ICO can now impose GDPR-level fines for certain PECR breaches, including cookie consent violations
This is a big deal. Before DUAA, PECR cookie fines were capped at £500,000. Now the ICO can hit you with the same fines as a full GDPR violation.
Cookie consent in the UK
UK cookie consent rules come from PECR, which implements the EU ePrivacy Directive. The rules:
- Non-essential cookies require prior, informed consent
- Consent must be given through a clear affirmative action
- Pre-ticked boxes are not valid consent
- “Continue browsing” is not valid consent
- Accept and reject options must be equally prominent
Fines run up to £17.5 million or 4% of global annual turnover, whichever is greater. Post-DUAA, this applies to cookie consent violations too.
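To show what these PECR rules look like once they are turned into logic, here is an added example of a consent gate (written for this page, not Zest's or any vendor's code). It assumes three cookie categories, of which only `necessary` is strictly necessary, and uses a plain object in place of `document.cookie` so it runs offline: optional categories are off until an explicit banner action, scrolling or closing the banner changes nothing, withdrawal is one call, and every decision is recorded with a timestamp and policy version.

```javascript
// Consent categories: only "necessary" is exempt from consent (PECR strictly
// necessary exemption); every other category is denied until an affirmative choice.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]);

// A fresh record: a null timestamp means no consent has been given yet, and
// optional categories start as false (the equivalent of no pre-ticked boxes).
// policyVersion is a constructed placeholder for the cookie policy in force.
function newConsentRecord() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = EXEMPT.has(c);
  return { policyVersion: "policy-v1", timestamp: null, choices };
}

// Apply a user action. Only explicit banner actions count; anything else
// ("scroll", "continue", closing the banner) returns the record unchanged.
function applyAction(record, action, picks = {}) {
  const next = { ...record, choices: { ...record.choices } };
  if (action === "accept_all" || action === "reject_all") {
    for (const c of CATEGORIES) if (!EXEMPT.has(c)) next.choices[c] = action === "accept_all";
  } else if (action === "save") {
    // Granular save: a category is on only if the user explicitly ticked it.
    for (const c of CATEGORIES) if (!EXEMPT.has(c)) next.choices[c] = picks[c] === true;
  } else {
    return record; // implied consent is not consent
  }
  next.timestamp = Date.now(); // documented record of when the choice was made
  return next;
}

// Withdrawal must be as easy as giving consent: one call switches a category
// off while keeping the record (version, new timestamp) for audit purposes.
function withdraw(record, category) {
  if (EXEMPT.has(category)) return record;
  return { ...record, timestamp: Date.now(), choices: { ...record.choices, [category]: false } };
}

// Gate: may a cookie or script in this category run under the current record?
function isAllowed(record, category) {
  if (EXEMPT.has(category)) return true;
  return record.timestamp !== null && record.choices[category] === true;
}

// Cookie-setting wrapper: refuses to write non-essential cookies before consent.
// `jar` stands in for document.cookie so the example runs outside a browser.
function setCookie(jar, record, name, value, category) {
  if (!isAllowed(record, category)) return false;
  jar[name] = value;
  return true;
}
```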
Who must comply
- Any organization processing personal data of people in the UK
- Foreign businesses with UK customers or website visitors
- No thresholds. No exceptions for small businesses.
International transfers
The UK grants “adequacy” status to the EU (data can flow freely between the UK and EU). Transfers to other countries require appropriate safeguards, similar to EU GDPR rules.
How Zest handles it
Zest’s consent mechanism is built to meet both EU GDPR and UK GDPR standards. Prior consent, granular choices, documented records, easy withdrawal. PECR-compliant cookie blocking. One script covers both sides of the Channel.