Skip navigation

How the Data Use and Access Act 2025 affects Google Analytics cookies

Chris Todhunter

My passion for all things tech started with programming a ZX81 as a kid and hasn't wavered during the 25+ years of working in the sector. Being at the helm of an agency (with my amazing business partner, Jack de Wolf) has meant that we have been able build something we are truly proud of. A brilliant team of committed, passionate individuals with a common aim - to use our skills and our 9-5 to use in making a positive difference through the work we do with our amazing charity clients.

Chris Todhunter, Founder and Technical Director

The Data Use and Access Act 2025 (DUAA) has come into effect, bringing with it some important updates to how we handle cookies and user data. For charities using Google Analytics to understand supporter behaviour and improve digital experiences, the changes bring more flexibility than you might expect.

Here’s what’s changing, how it affects first-party cookies, and what you need to do to stay compliant while continuing to collect meaningful insights.

What is the DUAA?

From the ICO:
“The DUAA is a new Act of Parliament that updates some laws about digital information matters. It changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst it still protects people and their rights. Most of the changes offer you an opportunity to do things differently, rather than needing you to make specific changes to comply with the law.”

How does the Act affect the use of cookies?

First-party cookies are used for things like remembering preferences or storing the contents of a shopping basket, and are only accessible by the website that created them. Third-party cookies are used by external services such as Google Ads and YouTube, and have been under tight control through the GDPR regulation.

Under the DUAA, the biggest shift is how analytics cookies are treated. Up until this change, they had to have opt in consent to be used, but they are now covered by this specific exemption.

What’s changing for Google Analytics?

If you use Google Analytics to collect anonymous, aggregated data about how people use your site (and you don’t use it for profiling or advertising) you no longer need to get explicit opt-in consent before setting those cookies.

Instead, you must:

  • Provide clear information about what these cookies do and why you’re using them

  • Offer an easy way for users to opt out of this type of data collection

This is a significant change. It means you can use Google Analytics without users having to explicitly opt in, as long as you’re transparent and give users a clear route to opt out.

If you’re using Google Analytics 4 (GA4), you’ll already have access to more privacy-focused features like IP anonymisation and shorter data retention windows. These help reinforce your commitment to data minimisation and user trust.

What you should do now

If you’re a charity relying on Google Analytics to measure performance or improve user journeys, here’s how to adapt:

  1. Update your cookie policy
    Explain in plain English what your analytics cookies do, how they help, and how users can opt out if they choose.

  2. Adjust your cookie controls
    Instead of asking for opt in consent, give users a visible and accessible way to opt out of analytics cookies.

  3. Configure GA4 for privacy
    Limit how long data is stored, turn on anonymisation features, and disable options you don’t need.

  4. Keep accessibility and inclusion front of mind
    Make sure any cookie controls are easy to navigate, screen reader-friendly, and usable on all devices.