
UK GDPR — Brexit's Privacy Law

How the UK's version of GDPR works, how it differs from the EU version, and what it means for your cookie consent.

The UK General Data Protection Regulation is the UK’s post-Brexit privacy law. It’s the EU GDPR, adapted for UK law. For most practical purposes, it’s the same thing.

But there are differences, and they’re starting to matter.

How it came to be

When the UK left the EU in 2021, the EU GDPR no longer applied directly. The UK incorporated it into domestic law as the “UK GDPR.” It works alongside two other laws:

  • Data Protection Act 2018, which sets UK-specific exemptions and establishes ICO powers
  • Privacy and Electronic Communications Regulations (PECR), which governs cookies and direct marketing

All three are enforced by the Information Commissioner’s Office (ICO).

UK GDPR vs EU GDPR: the differences

For websites and cookie consent, the two are nearly identical. Same seven principles. Same data subject rights. Same consent standard.

Where they diverge:

  • The UK GDPR is administered by the ICO, not EU supervisory authorities
  • The UK can amend it independently, and has started doing so
  • The Data (Use and Access) Act 2025 (effective February 2026) introduced significant changes

The 2025 reform: DUAA

The Data (Use and Access) Act 2025 amended the UK GDPR. Key changes:

  1. New cookie exemptions. Limited new categories of cookies exempt from consent requirements
  2. New lawful basis. “Recognised Legitimate Interests” (RLI), a seventh lawful processing ground for specific public-interest contexts
  3. Expanded ICO powers. ICO can now impose GDPR-level fines for certain PECR breaches, including cookie consent violations

This is a big deal. Before DUAA, PECR cookie fines were capped at £500,000. Now the ICO can hit you with the same fines as a full GDPR violation.

UK cookie consent rules come from PECR, which implements the EU ePrivacy Directive. The rules:

  • Non-essential cookies require prior, informed consent
  • Consent must be given through a clear affirmative action
  • Pre-ticked boxes are not valid consent
  • “Continue browsing” is not valid consent
  • Accept and reject options must be equally prominent

Fines run up to £17.5 million or 4% of global annual turnover, whichever is greater. Post-DUAA, this applies to cookie consent violations too.

Who must comply

  • Any organization processing personal data of people in the UK
  • Foreign businesses with UK customers or website visitors
  • No thresholds. No exceptions for small businesses.

International transfers

The UK grants “adequacy” status to the EU (data can flow freely between the UK and EU). Transfers to other countries require appropriate safeguards, similar to EU GDPR rules.

How Zest handles it

Zest’s consent mechanism is built to meet both EU GDPR and UK GDPR standards. Prior consent, granular choices, documented records, easy withdrawal. PECR-compliant cookie blocking. One script covers both sides of the Channel.
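The PECR rules listed above and the mechanism just described (prior consent, granular choices, documented records, easy withdrawal, cookie blocking) map onto a fairly small piece of logic. The following is an added illustration written for this article, not Zest's own script and not Zest's API: a consent gate in which non-essential cookies stay blocked until the visitor uses one of the banner's explicit controls, scrolling or dismissing the banner records nothing, no category starts switched on, each decision is stored with a timestamp and policy version, and withdrawal is a single call that resets everything. The category names, the event names, and the POLICY_VERSION value are assumptions made for the example.

```javascript
// Consent gate for non-essential cookies, written to the PECR rules above.
// Added example for this article: illustrative code, not Zest's implementation.

const POLICY_VERSION = '2026-02'; // constructed value; versions the stored record
const NON_ESSENTIAL = ['analytics', 'marketing']; // categories that need prior consent
// Anything else (session, CSRF token, load-balancer cookie) is treated as
// essential and is never gated.

// Banner controls that count as a "clear affirmative action". Scrolling,
// continuing to browse, or closing the banner are deliberately absent.
const AFFIRMATIVE_EVENTS = new Set(['accept_all', 'reject_all', 'save_choices']);

// `now` is injectable so the record's timestamp can be fixed in tests.
function createConsentStore(now = () => new Date().toISOString()) {
  let record = null; // no record means no consent; nothing is pre-ticked

  function allDenied() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  function store(granted, event) {
    // Documented record: what was granted, how, when, and under which policy text.
    record = { granted, event, timestamp: now(), policyVersion: POLICY_VERSION };
    return record;
  }

  return {
    // `event` is the control the visitor used; `choices` is the per-category
    // state of the dialog. A category missing from `choices` stays denied.
    handleEvent(event, choices = {}) {
      if (!AFFIRMATIVE_EVENTS.has(event)) {
        return null; // 'scroll', 'dismiss', 'continue_browsing': not consent
      }
      const granted = allDenied();
      if (event === 'accept_all') {
        for (const c of NON_ESSENTIAL) granted[c] = true;
      } else if (event === 'save_choices') {
        for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true;
      }
      return store(granted, event);
    },

    // Withdrawal is as easy as consenting: one call denies every category.
    withdraw() {
      return store(allDenied(), 'withdraw');
    },

    isAllowed(category) {
      if (!NON_ESSENTIAL.includes(category)) return true; // essential, exempt
      return record !== null && record.granted[category] === true;
    },

    getRecord() {
      return record;
    },
  };
}

// Wraps whatever actually writes cookies (document.cookie, a tag manager,
// a server Set-Cookie helper) so non-essential cookies are blocked until
// the store says the category is allowed. Blocked attempts are kept for audit.
function gatedSetCookie(store, setCookie) {
  const blocked = [];
  return {
    set(name, value, category) {
      if (store.isAllowed(category)) {
        setCookie(name, value);
        return true;
      }
      blocked.push({ name, category });
      return false;
    },
    blocked,
  };
}

module.exports = { createConsentStore, gatedSetCookie, NON_ESSENTIAL, POLICY_VERSION };
```

In a real deployment the store's record is what you produce when the ICO asks for evidence of consent, so the timestamp and policy version matter as much as the yes/no flags; and because `isAllowed` is consulted at the moment a cookie is written rather than once at page load, a withdrawal takes effect immediately instead of on the next visit.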

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone. Drop the script in and you're done.