Guidance on the use of storage and access technologies
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
We are consulting on the DUA updates to this guidance only. Please give us your views.
The previous version of this guidance is available as a PDF here. We will withdraw this when the updated guidance is finalised after the consultation.
Latest updates - last updated 07 July 2025
07 July 2025
- We have updated this draft guidance to reflect changes to PECR following the Data (Use and Access) Act.
- We have added a new chapter “what are the exceptions?” to explain the exceptions to the prohibition on storing or accessing information on people’s devices.
- There are other minor changes throughout the guidance to reflect the updated rules.
- Outside of the indicated updates, this guidance is still in draft form as per the December 2024 update. We will finalise it following the second consultation on the new chapter.
20 December 2024 - this guidance was published
Contents
About this guidance
- What’s new?
- Why have you produced this guidance?
- Who is it for?
- What does it cover?
- What doesn’t it cover?
- How should we use this guidance?
What are storage and access technologies?
- What technologies does PECR apply to?
- Cookies
- Tracking pixels
- Link decoration and navigational tracking
- Device fingerprinting
- Web storage
- Scripts or tags
- Using storage and access technologies in different contexts
What are the PECR rules?
- What does PECR say about storage and access technologies?
- Who are subscribers and users?
- What is terminal equipment?
- What does ‘clear and comprehensive information’ mean?
- What does 'consent' mean?
- Do the rules only apply to websites and web browsers?
- Do the rules apply to our internal network?
- Do the rules apply to public authorities?
- Do the rules apply to services based outside the UK?
- What if children are likely to access our online service?
What are the exceptions?
- Do all storage and access technologies require consent?
- What is the ‘communication’ exception?
- What is the ‘strictly necessary’ exception?
- What is the ‘statistical purposes’ exception?
- What is the ‘appearance’ exception?
- What is the ‘emergency assistance’ exception?
How do the PECR rules relate to the UK GDPR?
- What is the relationship between PECR and the UK GDPR?
- What does the UK GDPR say about storage and access technologies?
- How does PECR consent fit with the lawful basis requirements of the UK GDPR?
- What does PECR say about subsequent processing?
How do we comply with the PECR rules?
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
How do we tell people about the storage and access technologies we use?
- How do we tell people about storage and access technologies set on websites that we link to?
- Can we pre-enable any non-exempt storage and access technologies?
- How long can we store or access information for?
- What is an audit and how can we do one?
How do we manage consent in practice?
- When do we need to get consent?
- Who do we need consent from?
- How do we request consent?
- Can we use pop-ups and similar techniques?
- Our expectations for consent mechanisms
- Can we rely on settings-led consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms for consent?
- Can we use ‘terms and conditions’ to gain consent?
- Can we bundle consent requests?
- How often do we need to request consent?
- What if our use of storage and access technologies changes?
- How do we keep records of user preferences?
- What if a user withdraws their consent?
How do the rules apply to online advertising?
- Do we need consent for tracking and profiling for online advertising?
- Does advertising measurement require consent?
- What types of online advertising can we use?
- Can we use ‘cookie walls’ or ‘consent or pay’ models?