Guidance on the use of storage and access technologies
The previous version of this guidance is available as a PDF here. We will withdraw this when the updated guidance is finalised after the consultation.
Click to toggle details
Latest updates - last updated 20 December 2024
20 December 2024 - this guidance was published
Contents
What's new
About this guidance
Why have you produced this guidance?
What are storage and access technologies?
- What technologies does PECR apply to?
- Cwcis
- Tracking pixels
- Link decoration and navigational tracking
- Device fingerprinting
- Web Storage
- Scripts / tags
- Using storage and access technologies in different contexts
What are the rules?
- What does PECR say about storage and access technologies?
- Who are subscribers and users?
- What is terminal equipment?
- What does ‘clear and comprehensive information’ mean?
- What does 'consent' mean?
- Do all storage and access technologies require consent?
- What is the ‘communication’ exemption?
- What is the ‘strictly necessary’ exemption?
- When do the exemptions not apply?
- Do the rules only apply to websites and web browsers?
- Do the rules apply to our internal network?
- Do the rules apply to public authorities?
- Do the rules apply to services based outside the UK?
- What if children are likely to access our online service?
How do the PECR rules relate to the UK GDPR?
- What is the relationship between PECR and the UK GDPR?
- What does the UK GDPR say about storage and access technologies?
- How does PECR consent fit with the lawful basis requirements of the UK GDPR?
- What does PECR say about subsequent processing?
How do we comply with the rules?
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
- How do we tell people about the storage and access technologies we use?
- How do we tell people about storage and access technologies set on websites that we link to?
- Can we pre-enable any non-essential storage and access technologies?
- How long can we store or access information for?
- What is an audit and how can we do one?
How do we manage consent in practice?
- When do we need to get consent?
- Who do we need consent from?
- How do we request consent?
- Can we use pop-ups and similar techniques?
- Our expectations for consent mechanisms
- Can we rely on settings-led consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms for consent?
- Can we use ‘terms and conditions’ to gain consent?
- Can we bundle consent requests?
- How often do we need to request consent?
- What if our use of storage and access technologies changes?
- How do we keep records of user preferences?
- What if a user withdraws their consent?
How do the rules apply to online advertising?
- Do we need consent for tracking and profiling for online advertising?
- Does ad measurement require consent?
- What types of online advertising can we use?
- Can we use ‘cookie walls’ or ‘consent or pay’ models?