ICO updates guidance on the use of storage and access technologies

January 10, 2025

The ICO has issued updated guidance about the use of storage and access technologies with the primary aim of giving regulatory certainty to organisations. It explains how the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) and, where relevant, data protection law apply when organisations use technologies that store information, or access information stored, on someone’s device (for example, a computer or mobile phone). The guidance is aimed at providers of online services, including web or app developers, who need a deeper understanding of how PECR applies to the use of storage and access technologies.

The technologies PECR applies to include (but are not limited to):

  • cookies;
  • tracking pixels;
  • link decoration and navigational tracking;
  • local storage;
  • device fingerprinting; and
  • scripts and tags.

The guidance also covers the UK GDPR, where using these technologies involves processing personal data. It does not cover other areas of PECR outside of Regulation 6, except where relevant to the use of storage and access technologies, or wider compliance obligations with the Data Protection Act 2018 and UK GDPR when using storage and access technologies, unless they are relevant to PECR requirements.

The ICO says:

  • the guidance is a significant update to the detailed cookies guidance. It aims to clarify and reference the range of storage and access technologies that are widespread today alongside cookies, through examples throughout.
  • the guidance has been rewritten using “must”, “should”, or “could” language to provide regulatory clarity to readers.
  • the guidance reflects recent case law and ICO positions on key topics, including a new section on the ICO’s expectations for online advertising.

The ICO says that using storage and access technologies for online advertising purposes requires consent. This applies both in the context of the technical processes involved in ad selection and delivery and in the context of any associated tracking and profiling. Ad measurement does not require a separate consent, as collecting information for measuring the effectiveness of campaigns is intrinsically linked to the purpose of online advertising. In principle, contextual advertising more readily enables organisations to comply with both the PECR requirements and UK GDPR obligations than other types of targeted advertising.

The guidance also touches on cookie walls and pay or consent models. A cookie wall — sometimes called a ‘tracking wall’ — requires users to ‘agree’ or ‘accept’ the setting of storage and access technologies before they can access an online service’s content. There are different types of these models. Whether they result in valid consent depends on what model the online service uses and the specific choices it makes about the implementation. One example is a model that requires the user to ‘agree’ to the tracking, otherwise they cannot access the service at all. This is known as the ‘take it or leave it’ approach. In most cases, the ‘take it or leave it’ approach does not comply with the requirement for consent to be freely given. This is because organisations must provide a genuine free choice. They must not bundle consent up as a condition of the service unless it is necessary for that service.

A new model is emerging which gives people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. This type of access mechanism is typically known as ‘consent or pay’, or ‘pay or okay’. The issues that ‘consent or pay’ touches on are complex. The ICO says that it is producing specific guidance on this which is due in early 2025.

The ICO’s consultation about the draft updated guidance ends on 14 March 2025. There is also an impact assessment.