Regulating cookies without consent: the risks of the UK’s new exemptions

The regulation of cookies captures the central dilemma of contemporary data protection of reconciling usability with genuine accountability. Originally designed for basic website functions, cookies now underpin cross-site tracking and large-scale profiling, making them a focal point of privacy law. Historically, consent acted as the external safeguard, offering a verifiable signal of user choice. The recent Data (Use and Access) Act 2025 shifts this model by widening exemptions for analytics, preferences, security, and emergencies, replacing prior consent with data controller self-assessment. This article argues that the reform weakens accountability and risks legitimising covert tracking. It demonstrates this by showing, first, that modern data pipelines cannot sustain purpose exclusivity, meaning that data collected under one exemption is routinely repurposed for others. Second, it exposes the fragility of opt-out mechanisms, which are fragmented, easily lost, and demand continual user vigilance. Third, it highlights how reliance on opaque internal balancing undermines the principles of fairness, transparency, and trust. The article concludes that narrow, provable exemptions, anchored in consent as the default rule, remain the only credible means of protecting user autonomy while supporting innovation. Without this recalibration, the regulatory shift entrenches discretion at the expense of enforceable privacy safeguards.