About this guidance
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
What's new
July 2025 update:
- We have updated this draft guidance to reflect changes to PECR following the Data (Use and Access) Act.
- We have added a new chapter “what are the exceptions?” to explain the exceptions to the prohibition on storing or accessing information on people’s devices.
- There are other minor changes throughout the guidance to reflect the updated rules.
- Outside of the indicated updates, this guidance is still in draft form as per the December 2024 update. We will finalise it following the second consultation on the new chapter.
Below we outline the changes at chapter level so past readers of the detailed cookies guidance can navigate the changes.
What are storage and access technologies?
This is a pre-existing chapter with new content to explain other storage and access technologies covered by PECR in more detail, alongside cookies.
What are the PECR rules?
This is a pre-existing chapter with some changes to the content, including added detail and new examples. This chapter now includes some sub-sections that were previously contained elsewhere in the guidance.
How do the PECR rules relate to the UK GDPR?
This is a pre-existing chapter with minor changes to the content.
What are the exceptions?
This is a new chapter to explain the five exceptions to the prohibition on storing or accessing information on people’s devices.
How do we comply with the PECR rules?
This is a pre-existing chapter which has been split into multiple chapters. This chapter includes refreshed examples and minor changes to the text of existing sub-sections, including some new policy lines.
How do we manage consent in practice?
This is a new chapter with some content from the previous ‘How do we comply with the PECR rules?’ chapter. It also includes new content to reflect our expectations for requesting consent, with examples of good and bad practice consent mechanisms.
How do the rules apply to online advertising?
This is a new chapter with mostly new content to provide clarity on how the rules apply to online advertising.
What happens if we don’t comply?
This is a pre-existing chapter with changes to reflect the changing PECR enforcement regime.
Glossary
This is a new resource.
December 2024 update:
- This guidance is a significant update to the detailed cookies guidance. It provides added clarity on our expectations for using other storage and access technologies as well as cookies.
- We have rewritten the guidance using ‘must’, ‘should’, or ‘could’ language to provide regulatory clarity to readers.
- The guidance reflects recent case law and our positions on key topics, including on our expectations for online advertising.
Why have you produced this guidance?
This guidance explains how the Privacy and Electronic Communications Regulations (as amended) (PECR), and where relevant data protection law, apply when you use technologies that store information, or access information stored, on someone’s device (eg a computer or mobile phone).
Read it to understand the law and our recommendations for good practice.
Who is it for?
This guidance is aimed at providers of online services, including web or app developers, who need a deeper understanding of how PECR, and where relevant data protection law, apply to the use of storage and access technologies.
What does it cover?
The technologies PECR applies to include (but are not limited to):
- cookies;
- tracking pixels;
- link decoration and navigational tracking;
- local storage;
- device fingerprinting; and
- scripts and tags.
The guidance also covers the UK GDPR, where the use of these technologies involves processing personal data.
What doesn’t it cover?
- Other areas of PECR outside of regulation 6, except where relevant to the use of storage and access technologies.
- Wider compliance obligations with the Data Protection Act (DPA) and UK GDPR when using storage and access technologies, except for where they are relevant to PECR requirements.
How should we use this guidance?
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Legislative or legal requirements
Must refers to:
- legislative requirements within the ICO’s remit; or
- established case law (for the laws that we regulate) that is binding.
Good practice
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.