Fact vs fiction: ICO debunks myths on storage and access technologies
- Date 11 September 2025
- Type News
Our online tracking strategy, published in January of this year, outlined our approach to giving people more meaningful control over how they are tracked online.
We issued a significant update regarding this work in July where we:
- Launched a consultation on our updated guidance on storage and access technologies;
- Outlined how our work helps to provide certainty to businesses and supports responsible innovation; and
- Opened a call for views on a new enforcement approach that could unlock privacy-preserving alternatives to current adtech business models.
These efforts are all aimed at bringing greater clarity to businesses operating in this complex landscape, ensuring they can innovate responsibly, and respect people’s rights.
Still, we recognise there remain some common misunderstandings about how the law applies to storage and access technologies, like cookies or tracking pixels – and we’re committed to addressing them.
Myth 1: The rules only apply to personal data
Not true. While the UK General Data Protection Regulation (GDPR) only applies to the processing of personal data, the Privacy and Electronic Communications Regulations (PECR) is wider. The rules on storage and access apply to any ‘information’ – they’re not limited to personal data.
In many cases, stored and accessed information is also personal data – which is why the UK GDPR also applies to the processing.
But ultimately, the PECR rules provide specific protection for the user’s device – and it doesn’t matter whether the information is personal data or not.
Myth 2: The ICO has changed what ‘strictly necessary’ means
Our position remains unchanged. We've been clear about what ‘strictly necessary’ means ever since our first guidance on PECR in 2003. We’ve always said that it means storage or access must be essential to provide the service the user requests, rather than something that might be just useful for the service provider.
The Data (Use and Access) Act (DUAA) adds further clarity about what this means by giving a list of example purposes that are ‘strictly necessary’ to provide a service. These include authentication, security, and preventing technical faults.
‘Strictly necessary’ means storage or access must be essential to provide the service. It doesn’t apply to things that may be ‘useful’ or ‘convenient’ or that may be ‘required’ because of a preferred business model.
Myth 3: ‘Strictly necessary’ should be judged from the service’s perspective
The rules on storage and access technologies are about protecting people’s ‘private sphere’, which includes their devices.
The strictly necessary exception is about what’s essential to deliver a service that the user requests. So, whether storage or access is ‘strictly necessary’ inherently depends on the user’s perspective – without it, the service they request can’t be provided.
This is different to what a service provider might want to view as ‘strictly necessary’, for example, using storage and access technologies to generate revenue via online advertising.
Interpreting the strictly necessary exemption in this way reflects the intent and wording of the legislation. It is also consistent with previous guidance issued both by the ICO and other data protection authorities (for example, the Article 29 Working Party in Opinion 04/2012 on Cookie Consent Exemption).
Myth 4: The ICO is too focused on online advertising
Online advertising is one of the most visible and widespread uses of storage and access technologies. It’s also a space where people can easily – and often unknowingly – lose control of their personal data.
This can sometimes lead to harm, including unwanted profiling, discriminatory targeting, or exposure to misleading content. In our Online Tracking Strategy, we committed to giving people meaningful choice and control over how they are tracked online.
Giving users meaningful control is especially important here because many advertising solutions rely on the granular tracking of their online activity.
For example, information about what users do online – including the sites they visit and the apps they use – might be used to build detailed profiles that influence decisions about them and target them with advertising.
Myth 5: The ICO hasn’t completed an impact assessment
We have. A draft of our impact assessment for the storage and access guidance is available on our website, and we will publish a final version after incorporating feedback from the consultation that we ran from December 2024 to March 2025.
Impact assessments help us understand the risks and benefits of our approach, ensuring our guidance is proportionate and evidence based.
Myth 6: We can rely on legitimate interests for non-exempt purposes
Not true. Where PECR requires consent and you are processing personal data, you can’t rely on legitimate interests under the UK GDPR. So, for any non-exempt storage and access technology, you must get consent.
Legitimate interests may be appropriate in cases where PECR doesn’t require you to get someone’s consent. But you must still go through the three-part test.
Myth 7: We can use legitimate interests to process data we obtained on the basis of consent
Not true. Where PECR requires you to get consent for the use of storage and access technologies, you can’t then flip to using legitimate interest for subsequent processing.
Doing so would remove the control that consent is meant to give to the user. It would invalidate that consent. It would also make the subsequent processing unfair, even if the user may still have a right to object.
As we’ve said for a long time: if PECR requires you to get consent, then that consent must apply to whatever processing you want to do with that data.
Myth 8: PECR is only about cookies and the ICO is expanding the definition
Not true. The rules apply to any technology that stores or accesses information on someone’s device. This obviously includes cookies, but it also includes other technologies, like device fingerprinting, where they involve storage or access.
Previous versions of ICO guidance have centred on cookies as the most prevalent storage and access technology used by organisations. However, each iteration of our guidance has also made clear that the rules are applicable to wider technologies and tools.
Changing the title of the guidance from ‘cookies’ to ‘storage and access technologies’ reflects the changes we have observed in the technologies and tools used by UK organisations. Our updated guidance has been drafted to mirror these new approaches and techniques. While we have increased the range of storage and access technologies highlighted in the guidance to provide clarity on frequently asked questions we receive, this has not in any way expanded the scope of the law.
Myth 9: The ICO wants online services to stop using storage and access technologies for advertising
Our role is to protect people’s privacy. We want storage and access technologies to be used in compliant ways that give people meaningful choice and control.
Being fairer, more transparent and accountable to your users will increase trust and confidence in you and the services you provide. That benefits everyone.
Our role is also to support innovation. Our call for views was an opportunity for new commercially viable advertising models that support innovation to improve privacy and boost economic growth.
We want to see a fair and consistent online ecosystem where people have meaningful control over how organisations use their information.
If your service uses storage and access technologies like cookies or tracking pixels, now is a good time to review your approach – particularly in the run-up to the DUAA changes coming into force.
Make sure you’re transparent, get people’s consent where you need to, and respect their choices. Taking this approach will build trust with your users and help your organisation stay compliant with the law.