2. Key themes

2.1. Storage and access technologies

We asked respondents whether the guidance should include additional use cases of storage and access technologies. Several respondents said the guidance would benefit from more examples showing how these technologies are applied in practice.

Table 3: Responses to the question: “Are there any other use cases of storage and access technologies that you think the finalised guidance should refer to?”

Response Count %
Yes 14 61%
No 6 26%
Unsure/Don’t know 3 13%
Total 23 100%

Source: ICO Smart Survey consultation, 23 responses

In particular, feedback from both the Smart Survey and several email responses asked us to provide a more developed example on tracking pixels. Respondents noted that, although the draft guidance mentioned tracking pixels, a more detailed illustration of how this specific technology works in an affiliate marketing context would help clarify how the rules apply and give organisations greater confidence in using them. 

ICO response

We have added a new example to the guidance to illustrate how regulation 6 applies to the use of tracking pixels in an affiliate marketing context. This example shows how information stored on a user’s device is later accessed when a tracking pixel fires on an order confirmation page and how this engages regulation 6. 

Remember the list of storage and access technologies in the guidance is not exhaustive and the examples we provide for each technology are illustrative. They are intended to support practical understanding, not to define every possible technology or use case that may fall within scope.

2.2. Strictly necessary

2.2.1. Overview

Feedback showed that many respondents agreed the guidance provides clarity on when the strictly necessary exception applies. However, some uncertainty remained around specific points, which we address below. 

Table 4: Responses to the question: “How far do you agree that our guidance provides clarity on when the ‘strictly necessary’ exception can and cannot be used?”

Response Count %
Strongly agree  5 22%
Agree 10 44%
Unsure/Don’t know 3 13%
Disagree 4 17%
Strongly disagree 1 4%
Total 23 100%

Source: ICO Smart Survey consultation, 23 responses

2.2.2. User vs service ‘point of view’

A number of respondents, including several who submitted email responses, asked why the strictly necessary exception must be assessed from the user’s point of view.

ICO response

We have added further detail to the guidance to explain why organisations must interpret the strictly necessary exception from the user’s perspective. The rules on storage and access technologies are designed to protect people’s private sphere, which includes their devices. The strictly necessary exception applies only when the use of these technologies is essential to deliver a service that the user has actively requested, so organisations must make this assessment from the user’s point of view. If the storage or access is not essential for the service the user requests, it cannot be considered strictly necessary.

This interpretation reflects the intent and wording of the legislation and aligns with previous guidance issued by the ICO and other data protection bodies, including the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption. 1 

2.2.3. Cashback and rewards services

Several respondents asked whether cashback and rewards services’ use of storage and access technologies could fall within the strictly necessary exception. 

ICO response

We have added an example to the guidance that illustrates an activity likely to meet the strictly necessary exception in the context of cashback and reward services. The guidance explains that this exception applies only when the storage or access is essential to deliver the service the user has actively requested. 

Whether a cashback or rewards service can rely on the exception depends on how the service operates, including what storage and access technologies are set, by whom and in what circumstances, as well as the different ways users can engage with the other service.

The finalised guidance sets out the key factors that organisations should consider and includes the full example to support practical understanding. 

2.2.4. Online advertising

Several respondents asked whether certain online advertising activities could fall under the strictly necessary exception. These activities included frequency capping, measurement and attribution, and ad fraud prevention and detection.

ICO response

The strictly necessary exception does not apply to online advertising. Using storage or access technologies for advertising is not essential to provide a service to the user because the service can operate without any advertising. Online advertising is therefore not necessary to deliver the service the user has requested.

Since early 2025, we have been reviewing where the current regulation 6 consent requirements may prevent the development of privacy-preserving advertising. As part of this work, we are exploring whether certain low-risk online advertising activities could, in future, be delivered without consent under PECR. This work aims to support growth in the advertising sector and encourage innovation in new privacy-friendly advertising products and services, while protecting people’s rights and freedoms.

We are clear that some forms of online advertising will always require consent, particularly where they involve extensive profiling based on individuals’ online activity, habits or behaviour across different services and devices.

We will share our evidence base with government in late spring 2026, as it considers whether to use its new regulation 6A power to introduce any additional exceptions to the consent requirements. 2 

2.3. PECR’s relationship with the UK GDPR

Respondents expressed mixed views on our explanation of how PECR relates to the UK GDPR. While most were comfortable with the overall explanation, some disagreed or felt unsure. These respondents asked for more clarity on situations where organisations rely on an exception under regulation 6, meaning consent is not required for the storage or access, but need to identify a lawful basis under the UK GDPR for subsequent processing of personal data.

ICO response

We have added an example to the guidance to clarify how an organisation can rely on a lawful basis other than consent for subsequent processing of personal data when it relies on an exception under regulation 6 for its use of storage or access technologies.  

In the example, an emergency service organisation relies on the emergency assistance exception to store and access information after receiving a communication indicating that a user needs urgent help. As it then processes location data, which is personal data, to determine the user’s location, it must identify an appropriate lawful basis under the UK GDPR. Given the circumstances, the organisation relies on the vital interests lawful basis.

Table 5: Responses to the question: “How far do you agree that our guidance provides clarity on how the PECR rules relate to the UK GDPR?”

Response Count %
Strongly agree  2 9%
Agree 11 47%
Unsure/Don’t know 2 9%
Disagree 5 22%
Strongly disagree 3 13%
Total 23 100%

Source: ICO Smart Survey consultation, 23 responses

2.4. Consent 

2.4.1. Overview

Our Smart Survey asked whether the updated section on managing consent for storage and access technologies provided respondents with greater clarity on our expectations for obtaining and managing consent. As with similar questions throughout the consultations, more respondents agreed than disagreed. However, this question also received the highest number of ‘strongly disagree’ responses (six) across the two consultations.

This feedback shows that some respondents felt the guidance on obtaining and managing consent could be clearer. Below, we set out the key themes raised by those who disagreed and explain how we have addressed them in the finalised guidance.

Table 6: Responses to the question: “How far do you agree that our guidance outlines our expectations for managing consent in practice?”

Response Count %
Strongly agree  5 22%
Agree 8 34%
Unsure/Don’t know 2 9%
Disagree 2 9%
Strongly disagree 6 26%
Total 23 100%

Source: ICO Smart Survey consultation, 23 responses

2.4.2. Refreshing consent

Some respondents asked why the ICO recommends a six-month period for refreshing consent. Although most comments were neutral, respondents wanted to understand the rationale for this timeframe. They wanted to know whether it could be adjusted in certain circumstances, such as when an organisation updates its use of storage and access technologies.

ICO response

We have provided further rationale in the guidance for this good practice recommendation. We suggest six months as a reasonable and proportionate interval for requesting consent again, particularly where a user has previously declined consent. This strikes an appropriate balance between avoiding repeated consent requests and ensuring user choices remain up-to-date. 

In developing this recommendation, we also considered approaches in other jurisdictions with similar laws, including in several EU Member States, where regulators advise a six-month period for similar reasons. 3 In addition, the European Commission’s Digital Omnibus proposal would incorporate this six-month interval into EU law. 4 

Organisations can still seek fresh consent more frequently where appropriate or required. For example, organisations must seek fresh consent if their purposes or activities change from those originally presented to the user.  

2.4.3. Withdrawal of consent

Several respondents asked for further clarification on the expectation that organisations must interpret withdrawal of consent as a request for erasure.

ICO response

We have retained the expectation that organisations must interpret withdrawal of consent as a request for erasure. This means that organisations must delete any personal information collected under that consent. Continuing to process personal data obtained under that consent, or retaining it for other purposes after someone withdraws consent, undermines the user’s choice. Our existing ‘Right to erasure’ guidance sets out in more detail how organisations should meet this requirement.

2.4.4. Third-party control mechanisms for consent

Respondents asked whether third-party control mechanisms, such as Global Privacy Control (GPC) or Apple App Tracking Transparency (ATT), could be used to indicate consent.

ICO response

Our position remains unchanged. Organisations must not rely solely on browser settings or third-party control mechanisms to indicate consent.

2.4.5. Consent mechanism illustrations

Most respondents agreed (47%, 11 responses) that the new consent mechanism illustrations helped clarify our expectations for obtaining and managing consent. However, some respondents suggested minor improvements to make it easier to distinguish between good and bad practice.

ICO response

We have added a short explanatory section to make clear that the illustrations show examples of both good and bad practice. We also labelled them more clearly to aid understanding.

Table 7: Responses to the question: “How far do you agree that the new illustrations in the ‘our consent mechanisms’ section provides clarity on managing consent?”

Response Count %
Strongly agree  6 26%
Agree 11 47%
Unsure/Don’t know 2 9%
Disagree 2 9%
Strongly disagree 2 9%
Total 23 100%

Source: ICO Smart Survey consultation, 23 responses

2.5. Enforcement

Respondents noted that the enforcement section was shorter than in the previous iteration of the guidance and asked for greater clarity or additional detail.

ICO response

We are reviewing our approach to PECR enforcement because of the DUAA changes to our powers. We will update this section of the guidance once that review is complete.

2.6. Updates to the exceptions chapter following the DUAA

2.6.1. Overview

In July 2025, we launched a second consultation on the draft storage and access technologies guidance. This consultation focused on the three new exceptions added to regulation 6 of PECR by the DUAA.

Our Citizen Space survey first asked whether the DUAA-related amendments provided clarity on the new exceptions. This question aimed to gauge respondents’ baseline confidence in, and agreement with, the new exceptions section of our guidance. As with the first consultation, more respondents agreed than disagreed, although none strongly agreed. While this was encouraging, the results showed that further refinement was needed in some areas.

Table 8: Responses to the question: “How far do you agree that the draft guidance’s new DUAA chapter provides clarity on the new exceptions?”

Response Count %
Strongly agree 0 0%
Agree 10 55%
Unsure/Don’t know 1 6%
Disagree 5 28%
Strongly disagree 2 11%
Total 18 100%

Source: ICO Citizen Space consultation, 18 responses

2.6.2. Statistical purposes

Most respondents agreed (55%, 10 responses) with our interpretation of the new statistical purposes exception. However, those who disagreed or felt unsure asked whether behavioural or engagement metrics, such as eye-tracking, page navigation, focus points or hesitation, could fall within the scope of the statistical purposes exception.

ICO response

Where organisations aggregate these metrics and use them solely to improve a service or understand website interaction patterns, the statistical purposes exception may apply. However, if organisations use this data to analyse or measure a user’s activity, they must obtain the user’s consent.

Behavioural and engagement metrics can involve the collection of individual-level information that may constitute personal data, such as information about a specific visitor. In these cases, organisations must also comply with the UK GDPR.

To rely on the statistical purposes exception, organisations must ensure that the data is aggregated and that any personal data is not retained for longer than necessary to complete the aggregation process.

We did not expand the list of examples to include technologies such as eye-tracking because these tools may capture information about identifiable users and therefore fall outside the scope of the exception. However, we have added bounce rates to the exceptions table, as this metric can fall within the exception when it is aggregated and used solely to understand overall service interaction patterns.

Table 9: Responses to the question: “Do you understand our interpretation of the new statistical purposes exception?”

Response Count %
Strongly agree  0 0%
Agree 10 55%
Unsure/Don’t know 2 11%
Disagree 5 28%
Strongly disagree 1 6%
Total 18 100%

Source: ICO Citizen Space consultation, 18 responses

2.6.3. Appearance

Most respondents agreed (66%, 12 responses) with our interpretation of the new appearance exception. Those who disagreed or felt unsure asked us to expand the list of examples to clarify which activities fall within this exception. Some respondents highlighted features such as remembering captions or other preferences that change how a service appears or functions for the user. 

ICO response

We believe the guidance already reflects the types of activities that are likely to fall within the appearance exception. The examples illustrate situations where a service adjusts its presentation or functionality in line with a user’s expressed preferences. We considered the additional examples suggested by respondents but did not expand the list further, as the exception is purpose-specific rather than technology-specific and the existing examples provide sufficient clarity on when the exception is likely to apply.

Table 10: Responses to the question: “Do you understand our interpretation of the new appearance exception?”

Response Count %
Strongly agree  0 0%
Agree 12 66%
Unsure/Don’t know 2 11%
Disagree 3 17%
Strongly disagree 1 6%
Total 18 100%

Source: ICO Citizen Space consultation, 18 responses

2.6.4. Multi-purpose storage and access technologies

Several respondents asked whether consent is always required when a storage and access technology is used for more than one purpose. This question has become more prominent since the introduction of the statistical purposes and appearance exceptions. Respondents outlined scenarios where one purpose might fall under the strictly necessary exception, while another purpose might rely on a different exception, and they sought clarification on how the rules apply in these situations.

ICO response

We have added a new section to the guidance to clarify how regulation 6 applies when a storage or access technology is used for more than one purpose. The guidance explains that the exceptions are purpose-specific and that organisations must assess each purpose individually. 

Where all purposes fall within the scope of the same exception, organisations do not need consent. However, the statistical purposes and appearance exceptions only apply when the storage or access is carried out for the sole purpose of that activity, so organisations cannot combine them with any non-exempt purposes.

If any purpose does not meet an exception, organisations must obtain consent for the use of that technology. They must also give users granular controls over non‑exempt purposes and ensure their consent mechanism works effectively in practice.

The guidance also explains that, although organisations may prefer to use one technology for multiple purposes, it may be more practical to use separate technologies to meet their PECR obligations.

2.6.5. Simple means of objecting

Most comments on the statistical purposes and appearance exceptions focused on what a simple means of objecting looks like in practice. Respondents asked how such a mechanism should work and whether it could be presented on the second layer of a layered interface.

ICO response

We have added a new section to the guidance to clarify what a simple means of objecting looks like in practice. The guidance explains that organisations may offer this functionality through their existing consent mechanism and we also illustrate this approach in the ‘Our expectations for consent mechanisms’ section of the guidance.  

2.6.6. Emergency assistance

Most respondents agreed (66%, 12 responses) with our interpretation of the new emergency assistance exception. Those who felt unsure asked us to expand the list of examples to clarify which activities fall within scope, particularly for health-related incidents. 

ICO response

We have added a new example to the guidance to illustrate how the emergency assistance exception may apply in practice. The example describes a smart watch with fall‑detection or pulse‑detection functionality that automatically contacts the emergency services when the user has enabled the feature and does not cancel the alert.

Table 11: Responses to the question: “Do you understand our interpretation of the new emergency assistance exception?”

Response Count %
Strongly agree  4 23%
Agree 12 66%
Unsure/Don’t know 2 11%
Disagree 0 0%
Strongly disagree 0 0%
Total 18 100%

Source: ICO Citizen Space consultation, 18 responses


 

1 Article 29 Data Protection Working Party, Opinion 04/2012 on Cookie Consent Exemption, 7 June 2012.

2 Privacy and Electronic Communications (EC Directive) Regulations 2003, Regulation 6A.

 3 For example, the French Data Protection Authority (CNIL) recommends a six-month period in its FAQs on the storage and access rules (see question 21). The Irish DPA takes the same approach in its guidance (see pages eight and 11).

4 European Commission, Digital Omnibus Legislative Proposal. See proposed Article 88a(4)(c) of the EU GDPR. If adopted, these changes would likely amend both the EU GDPR and the ePrivacy Directive. They would not apply in the UK.