If you’ve noticed your website analytics looking odd lately like fewer tracked visits, less reliable source data; you’re not imagining it. More people are rejecting cookies (or never clicking “yes”), and if you haven’t noticed the UK’s rules just shifted under our feet.
For companies and marketers, that means your visible user-behaviour might be shrinking even if your actual audience hasn’t. For normal folks (that’s your website users), it means more choice but also more confusion about what cookies actuallydo.
So, in this blog, we’ll look at what cookies are, what they do, and what it means for companies, users and marketers.
Got your glass of milk? Okay, let’s dig in.
What are cookies?
Unfortunately, we’re not talking aboutn the chocolate chip kind. Instead, think of cookies like post-it notes your browser (Chrome, Firefox, Safari – whatever you use to access the internet) leaves behind so websites remember things. Some of them make your life easier, others can be less helpful.
The different types of cookies:
- Strictly necessary cookies: Without these the site wouldn’t work properly. For example: you log-in to a portal, click to another page, and you stay logged in.
- Functional cookies: These remember your settings. For example: you switch to “dark mode” or choose to view in English. When you come back, the site remembers.
- Analytical/performance cookies: These help the website owner answer “what are people doing on my site?”. For example: “How long do users stay on our blog post about cookies?”
- Advertising/tracking cookies: These are the ones that follow you around. For example: you looked at sofas online and next thing you see sofa ads everywhere else.
- First-party vs third-party cookies: A first-party cookie is set by the site you’re on. A third-party cookie is set by another domain (like an ad network). These are often the sneakiest.
Glossary
- Session cookie: lasts only while you’re visiting the site; once you close the browser it disappears.
- Persistent cookie: stays on your device until it expires or you delete it.
- Consent management platform (CMP): the tool that pops up “do you accept cookies?” on websites.
What’s changed in the UK for cookies
In June 2025, the Data (Use and Access) Act 2025 (or DUAA) received Royal Assent (the formal step that turns a bill passed by Parliament into law). It’s not just legal jargon; it’s rewriting how cookies and similar tech will be handled in the UK. According to law-firm analysis: “a little more flexibility for low-risk cookies, and a lot more incentive to get compliance right.”
Here’s what’s going on:
- The Act adds narrow new exceptions (for analytics, appearance) where cookies might not require full prior consent if you’re super clear with users and offer an easy opt-out.
- But (and it’s a big but): if you’re using cookies for ad-tracking, attribution, targeting then you still need full consent. No shortcut.
- New fines: breaches of the older rules ran up to £500k; the new rules align the maximum with UK-GDPR-style penalties (think millions) for storage/access tech like cookies.
- According to Cookie Information the regulator (Information Commissioner’s Office or ICO) found that 134 of 200 of top UK sites failed basic cookie compliance in their recent audit.
So yes, the law’s changing, but enforcement and real-world impact are already happening. If you’re wondering why your tracking looks fuzzy, that might be why.
Why your analytics (or traffic) might look rubbish right now
You might have noticed that your eblasts or social ad campaigns are showing X about of click throughs to your website, but your website is only showing Y amount. Before you panic: your audience probably hasn’t vanished. What’s changed is what you can measure.
When a user declines non-essential cookies, their session might not appear in your analytics at all. One industry article summarises: “If a user declines cookies, their session may be invisible”.
So your reports may show fewer visits, fewer conversions, weird attribution gaps but the real world behaviour (someone read your blog, someone clicked your CTA) could still happen.
If you rely on cross-site tracking (third-party cookies) or detailed user profiling for ads you’re likely in for a shock, because browsers and regulation are closing the loopholes.
The bottom line: fewer measured events = more blind spots. Not bad marketing, but more partial data.
What this means for companies + marketing agencies
If you run a website or manage campaigns, now’s the time to know what you’re setting. Run a cookie audit: list every cookie, who sets it, how long it lives, and why you need it. You’ll be amazed (or horrified) at how many plugins or third-party tools sneak in cookies, and you had no clue.
Next, re-visit your consent banner. It should let users a real choice not an “accept all
trap or hidden settings buried in fine print. The ICO’s already called our brands for manipulative designs, so it’s not worth the risk.
Now for the big one: third-party cookies. These are the trackers set by someone other than your own website like Meta pixels, LinkedIn Insights tags, Google Ads, and other cross-site identifiers. They’re what let you follow users across platforms and measure ad performance.
That doesn’t make them bad, but it does make them fragile. Browser updates and new laws are phasing them out in favour of first-party data (information you collect directly, like newsletter sign-ups, survey responses, or event registrations) and privacy-safe alternatives such as aggregated insights or server-side conversions.
Not familiar with these? No worries. Aggregated insights mean that instead of following one person across the web, data gets grouped. For example, instead of “Sarah clicked the ad and bought shoes,” you see “312 people clicked this ad and 47 bought shoes.” You still get useful trends just without personal fingerprints attached.
Server-side conversions move tracking away from the browser (and cookies) to your website or app’s own secure server. For instance, if someone fills out a form on your site, the event (“form submitted”) is logged on your server and securely sent to your ad platform without storing personal data in their browser. You still know the campaign worked; you just skip the invasive bits.
TL; DR: your campaigns on Meta, LinkedIn, or Google still work, but the tracking behind them is getting fuzzier. You’ll see trend data, not crystal-clear user journeys.
So, what should you do? Distinguish between analytics and advertising. Under the Data (Use and Access) Act 2025, analytics or “appearance” cookies might not need prior consent if you’re transparent and offer an easy opt-out. But advertising or profiling cookies still require an explicit “yes.”
And finally, keep perspective. Your data will never be perfect again and that’s okay. The smart move now is to focus less on micro-tracking and more on creative storytelling, first-party insights, and user trust. At dot + del, we tell clients the same thing: when your marketing’s transparent, your audience listens.
What it means for everyday people (users)
If you click “reject all non-essential cookies” congrats, you’re part of a growing majority. You’ll still be able to browse, shop, and stream, but the experience might feel a bit, dumber. You might get fewer personalised ads, but that site that used to remember your login? You might have to type it in again. That news site that kept your preferred font size? Back to default.
That’s because cookies aren’t just for advertisers; they often make your internet experience smoother. Without them, you’ll see more pop-ups, slower load times, and fewer personalised touches. Think of it like clearing your memory every time you walk into a room… liberating, sure, but also mildly annoying.
Still, rejecting cookies doesn’t make you invisible. There are plenty of other ways sites measure engagement, from aggregated analytics (counting actions, not people) to anonymous event data. The bottom line is cookies aren’t out to get you. They’re trying to make the web remember you. The trick is balance: sharing enough to make your online life easier, without oversharing to the point it feels creepy.
Myths about cookies debunked
- Myth: “Cookies = spying on me every second.”
Reality: Many cookies just help the site work better; the real “spying” ones are usually third-party, cross-site tracking cookies. - Myth: “Rejecting all cookies makes me totally invisible.”
Reality: You’ll reduce tracking but devices, apps, networks, smart speakers may still collect data. It’s rarely zero. - Myth: “If I have Alexa or a Google Home, cookies are irrelevant anyway.”
Reality: Smart devices often collect totally separate data streams so if you’re worried about listening devices, you’ve bigger things to ponder than website cookies.
In short: cookies are part of the machine. Blocking them all might hurt your experience unless you’re willing to lose convenience for privacy.
What to do next
For business owners + marketers: Start with a proper cookie-audit. Find out what’s running on your site. Then choose to simplify your stack, ask fewer data questions, build better permission flows. Understand that fewer cookies = fewer measurable events = shift your mindset to trust, transparency, creativity.
For regular users: Before clicking “accept all”, pause. Read a few lines of the banner (yes, we know you hate banners). Decide whether you want personalised experience or generic, repeat steps or convenience. Basic functional cookies often improve your experience so you might actually want them.
For content + marketing teams: Don’t panic at every “metric drop.” If your session counts fall, investigate whether cookie consent or tracking changes are causing the drop; not necessarily a drop in interest. Adapt your reporting so you measure what you can, not what you can’t.
Final thoughts
Cookies aren’t the enemy. Confusion is.
The new UK rules aren’t a free-for-all or a total clamp-down; they’re a nudge toward honesty. For companies, that means no more hiding behind “accept all” banners and fuzzy privacy pages. For users, it means taking two seconds to decide what you’re comfortable sharing instead of clicking whatever gets you to the content fastest.
As marketers and communicators, we’re in the middle. We rely on data to learn what works (and what doesn’t), but we also owe people clarity about what we collect and why. This means helping clients understand these changes without fearmongering and finding creative ways to pivot so they can still reach their target audience effectively.
At dot + del we help brands navigate shifts like this. Not just by measuring what you can track, but by clarifying what you should track and how to communicate with your audience, build trust, and do better marketing in the process.
What to learn more? Get in touch.
FAQ
Q: What are cookies and why do websites use them?
A: Cookies are small text files stored on your device by websites to remember information. They enable things like staying logged in, remembering preferences, tracking visits, or delivering ads.
Q: Do I have to accept cookies in the UK?
A: No, but if you reject non-essential cookies, certain tracking/advertising features might not work. The site should still operate if it uses only strictly necessary cookies.
Q: What happens if I reject all cookies?
A: You’ll still usually be able to access the site, but you may lose convenience (settings won’t be remembered) and you won’t be part of the tracking data the site uses to improve experience or run targeted ads.
Q: Are cookies dangerous?
A: In most cases, no. The biggest risk comes from third-party tracking cookies and other deeper tracking tech (like device fingerprinting). The website cookies remembering your preferences are low risk.
Q: What’s the difference between first-party and third-party cookies?
A: First-party: set by the domain you’re visiting. Third-party: set by external domains (e.g., ad networks) which often aim to track across websites.
Q: How can businesses stay compliant under the new UK law?
A: They need to audit cookies, classify them, review consent flows, ensure non-essential cookies get proper opt-in and provide users with easy opt-out. Advertising/tracking cookies still need explicit consent under the new regime.
