When DUAA 2025 came into effect, it quietly changed the rules for UK web analytics. Most businesses missed it. Most tools ignored it. We built a product around it.
Here is what we learned, and why compliance was not a constraint we worked around but the foundation we built on.
Before DUAA 2025, UK businesses running web analytics were caught in a difficult position. GDPR required explicit consent before setting analytics cookies, which meant every visitor had to actively agree to be tracked. Most did not. Industry estimates put the consent rejection rate at 40 to 60%, meaning that for a typical UK website, between four and six out of every ten visitors were invisible to the analytics dashboard.
This is not a minor data quality issue. It is a structural blind spot. Conversion funnels are incomplete. Marketing decisions get made on data that represents, at best, half of what is actually happening.
The standard response was to accept it as the cost of compliance. What changed in 2025 is that there was no longer a need to accept it.
The Data (Use and Access) Act 2025 introduced a new legal basis for analytics in the UK. Under the old consent model, you needed a "yes" before you could track anything. Under DUAA, analytics can operate without prior consent, provided four conditions are met: a clear explanation is provided to users, an opt-out is available, only aggregate data is collected, and the data is not used for advertising.
This is a meaningful shift. The consent popup, the "accept/reject" banner that has become a fixture of the modern web, is no longer legally required for analytics under UK law. What remains required is transparency: a privacy notice and an accessible opt-out. That is a very different compliance model, and it is one that does not cost you 40 to 60% of your data.
It is also UK-specific. If your site has EU visitors, GDPR still applies to them. DUAA applies to UK visitors. The two can coexist, and the practical result for most UK-focused businesses is that the vast majority of their audience can now be tracked without consent friction.
When I decided to build Recorde, the obvious temptation was to treat compliance as a feature to add later. Build the analytics first. Make the dashboard good. Add the legal bits at the end.
We did the opposite. The compliance model came first, and everything else was built around it.
The reason is straightforward: getting DUAA compliance wrong does not just create a legal risk for us. It creates a legal risk for every business using the product. An analytics platform that claims DUAA compliance but misses the opt-out requirement, or generates inadequate privacy notices, or collects data it should not be collecting, exposes its customers to ICO enforcement. That is not a product anyone should be building.
So we started with the law. We worked through the ICO's official DUAA 2025 guidance. We documented each of the four requirements and what a technically compliant implementation looks like. Then we built the compliance infrastructure first, before the dashboard, before the visualisations, before any of the features that make analytics software feel polished.
For Recorde, DUAA compliance is not a checkbox. It is the architecture.
The tracking script collects no personally identifiable information. IP addresses are used only to resolve the visitor's country and are discarded immediately. Session IDs rotate daily, so it is technically impossible to track an individual across multiple days. There are no cookies, no fingerprinting, no cross-site data sharing.
Every Recorde account comes with an auto-generated privacy notice, written in plain English, ready to add to a website's footer or a dedicated privacy page. It explains what is collected, why, and how to opt out. It is designed to meet the DUAA requirement for a "clear explanation provided to users."
The opt-out mechanism is built into the tracking script itself. One call, window.analytics.optOut(), persists the opt-out preference and stops all data collection immediately. It is always available, it always works, and it cannot be accidentally removed.
There is also a compliance dashboard inside every account. It shows, at a glance, whether all four DUAA requirements are met: the clear explanation, the opt-out, the aggregate-only collection, and the no-advertising restriction. Green across the board means the implementation is compliant. If something is missing, the dashboard tells you what to fix.
One thing we got wrong early on was overstating what DUAA allows. Early messaging suggested businesses could "remove all cookie banners," which is not quite right. A privacy notice is still required. An opt-out is still required. The consent popup goes away, but the transparency obligations remain.
We corrected this quickly, and the correction turned out to matter. Being upfront about what the law requires, rather than selling a version of compliance that sounds more convenient than it is, built trust with early users. They were evaluating a compliance tool. They needed to trust that the positioning was accurate before they trusted the product with their data.
Honest compliance positioning is also good product design. If your marketing implies you can do things the law does not actually permit, you attract customers who will eventually find out you were wrong. That is a churn problem. Being accurate about what DUAA allows and what it requires means the customers who sign up understand exactly what they are getting, and they stay.
The most practical lesson was that compliance constraints are design constraints, and design constraints make products better. Limiting session IDs to daily rotation, discarding IP addresses immediately, collecting only aggregate data: none of these were just legal requirements. They turned out to be the right technical decisions anyway, because they made the product simpler, lighter, and faster.
The tracking script is under 3KB gzipped. That is partly because it does not need to carry the complexity of a cookie management system, a consent state machine, or a cross-site tracking infrastructure. Removing those things because the law required it also removed a lot of code weight.
The privacy notice generator exists because DUAA requires it. It also turns out to be genuinely useful: most small businesses and independent developers do not know how to write a GDPR or DUAA-compliant privacy notice, and having one auto-generated, ready to copy, removes a real friction point.
Compliance first is not a slower path to a good product. It turns out to be a faster one, because it forces clarity about what the product is actually supposed to do.
The compliance model has changed. You can remove the consent popup for UK visitors. You cannot remove the privacy notice or the opt-out. That distinction matters, both legally and for the conversion rate impact you can honestly claim.
If your current analytics tool still requires a consent banner for UK visitors, it is not built for DUAA 2025. That does not mean it is breaking the law, because the old consent model is still valid. But it does mean you are still losing 40 to 60% of your UK visitor data when you do not have to.
We built Recorde to fix that, and we built the compliance in first.
Recorde Analytics is a cookie-free web analytics platform built natively for DUAA 2025. All data is hosted in the UK. Pricing starts at £9 per month.