Who: The Information Commissioner’s Office (ICO)
Where: United Kingdom
When: 29 April 2026
Law stated as at: 13 May 2026
What happened
The ICO has published its final guidance on the use of storage and access technologies (previously its “detailed cookies guidance”). The guidance explains how the Privacy and Electronic Communications Regulations (PECR) and data protection law apply when organisations use technologies that store information on, or access information stored on, a person’s device.
The technologies covered by the guidance include, but are not limited to, cookies, tracking pixels, link decoration and navigational tracking, local storage, device fingerprinting, and scripts and tags. The ICO notes that this list is not exhaustive and that the examples given for each technology are illustrative only.
Data (Use and Access) Act changes
The update to the guidance follows two consultations. The first, launched in December 2024, sought views on a significant update to the previous detailed cookies guidance and was paused pending the anticipated passage of the Data (Use and Access) Act 2025 (DUA Act) in June 2025. The second, launched in July 2025 after the DUA Act was passed, focused on the changes to PECR introduced by the legislation.
In particular, the ICO has addressed three new exceptions to the prohibition on storing or accessing information on people’s devices without consent: the statistical purposes, appearance and emergency assistance exceptions. These exceptions became effective in February.
New exceptions
The “statistical purposes” exception applies when the sole purpose of the storage or access is to enable an organisation to collect statistical information about how its service or website is used, with a view to making improvements. The exception is essentially for analytics purposes, but it is not a broad exception covering all types of analytics technologies. It concerns how the service is used, not who uses it, albeit it can capture both first-party and third-party technologies used for this purpose.
This processing is likely to involve collecting individual-level information, which may constitute personal data (for example, where it relates to a specific visitor). If so, an organisation must also comply with the UK General Data Protection Regulation. Activities likely to meet this exception include collecting information on: total website visits (for traffic analysis to understand user journeys), user interactions with pages (to understand scroll depth or hits on page sections), device types, browser or operating system versions used to access the service, referral sources, and page loading speeds or exit pages (to detect browsing issues).
The “appearance” exception applies when the purpose of the storage or access is to adapt the way a service appears or functions in line with the subscriber’s or user’s preference. This exception does not cover adapting content based on known or inferred interests or behaviours (for example, using their profile or browsing history to decide what content to promote or which advert to serve). Such purposes require consent. Examples of activities likely to meet this exception include: identifying monitor dimensions to reconfigure a webpage to adapt to a screen, remembering the user’s language selection, and detecting operating system preferences such as colour schemes (for example, “dark mode”).
The statistical purposes and appearance exceptions require that the user be provided with a “simple and free” means to opt out.
The “emergency assistance” exception applies when the sole purpose of the storage or access is to identify the geographical position of the subscriber’s or user’s device to provide emergency assistance. Unlike the emergency calls exception in regulation 16 of PECR, this exception is not limited to location data as defined by PECR or to emergency calls. It extends to GPS-based location information from smartphones, tablets, sat-navs or other devices, allowing organisations to process a broader range of location information for emergency assistance purposes.
Unhelpfully, the guidance explains that these exceptions can only be relied on where storage and access technologies are only used for purposes covered by the exceptions and not for any other purpose at the same time. According to the ICO, if one purpose meets the requirements of an exception but another does not, user consent is required for the storage or access. Given that these technologies are routinely used for multiple purposes, this represents a significant obstacle in practice.
Online advertising and tracking strategy update
The new PECR exceptions do not apply to online advertising. The ICO has, however, been exploring whether the PECR consent requirements are preventing the development and adoption of more privacy-preserving forms of online advertising. As a result of this work, the ICO published its advice to the government in May. This is intended to help inform government policymaking as it explores whether to create an exception for some online advertising purposes, using secondary legislation under regulation 6A of PECR.
The ICO analysed a range of online advertising activities and considered which ones pose a lower risk to people’s privacy and could therefore be considered for exemption from regulation 6 consent. In its advice to government, the ICO set out its preferred approach, under which first-party publisher sites would facilitate most of the functionality. Publishers could store and access certain information on a user’s device for specific purposes, subject to defined criteria.
The purposes that the ICO proposes could be permitted without consent are: ad delivery, targeting, measurement and billing, attribution, frequency capping, brand safety and ad fraud prevention and detection. Third-party data access would only be permitted for controlled use cases (for example, where the online service provider engages a third party to carry out processing activities to assist them in achieving this purpose). Where information is processed by both the online service and supporting third parties, safeguards would be required to mitigate the risks of identifiability and tracking. The ICO also considered an alternative approach that would more closely align with how the programmatic ecosystem currently works, recognising that that would be faster for industry participants to implement and require less innovation. However, it explained that this is not its preferred approach because of the greater risk of harm to users, more extensive data-sharing with third parties and enforcement challenges.
The ICO believes that amending regulation 6 could bring practical benefits: websites and apps would not always need to request consent where only low-risk advertising is involved, reducing consent fatigue, while maintaining a requirement for consent where advertising relies on more intrusive tracking or profiling.
Why this matters
The PECR consent requirement guidance covers a broad and non-exhaustive range of storage and access technologies, not just cookies. The new exceptions are good news for providers of online services. It is notable that although the new exceptions have been in effect since February, few in-scope websites or apps appear to have adopted them in practice. This may reflect the fact that the guidance was only finalised at the end of April. Businesses may have been reluctant to rely on the exceptions because of the absence of finalised regulatory guidance, the narrow scope of the new exceptions, the ICO’s approach to multi-purpose technologies and the difficulty of making changes in the UK that cannot currently be extended to the EU.
Where a business uses tracking technologies for advertising purposes, for now, nothing has changed. However, the ICO’s advice to government on changes that could be made to the PECR to facilitate more privacy-preserving forms of online advertising without consent is a first step in a different direction…





