How do we comply with the PECR rules?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
At a glance
- You must consider storage or access technologies as part of the design and implementation of your service and business practices.
- You must have appropriate arrangements in place with any third parties you are using to provide your service.
- You must provide clear and comprehensive information about the non-exempt storage and access technologies you use on your online service.
- PECR has some exceptions that mean you don’t have to provide this information for exempt technologies. But if your storage and access involves processing personal data, UK GDPR transparency requirements mean you must provide it anyway.
- You must explain your storage and access technologies in a way that anyone visiting your service can understand.
- You must not pre-enable non-exempt storage and access technologies.
- There is no valid reason to pre-enable non-exempt storage and access technologies.
- PECR does not specify how long you can use any storage and access technologies for. You should consider the appropriate duration in relation to the circumstances of your online service and for the purpose for which you want to use the technology.
- You should undertake regular reviews of your online service, as well as any storage and access technologies it includes.
In detail
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
Who is responsible for compliance?
PECR says that ‘a person’ must not store, or gain access to information stored, on a subscriber's or user’s equipment, unless clear and comprehensive information is provided and consent is obtained.
In most cases, this means that as the service provider, you have the primary responsibility for compliance with PECR. For example, you are the person that makes decisions about:
- what the service is;
- what functions the service will have; and
- what storage and access technologies to use (and for what purposes), including whether your service incorporates third-party features or if you enable third-party storage and access technologies.
How do we consider PECR when designing a new online service?
If you are planning a new online service, you must put appropriate technical and organisational measures in place to implement data protection principles and safeguard individual rights, from the design stage right through the lifecycle of your service.
Under PECR, you must consider storage or access technologies as part of the design and implementation of your service and business practices. This includes:
- what storage and access technologies you want to use;
- which ones meet an exception (and why); and
- which ones require consent.
If you use third parties in the provision of your service, you must have appropriate arrangements in place with them. This applies, for example, if you plan to share any information with them or to embed their features in your website or service.
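The design-stage inventory above (what you use, which entries are exempt and why, which need consent) and the third-party arrangements can be made concrete in code. The following JavaScript is an added example and is not part of the ICO guidance or any vendor's consent tooling. The technology names, the parties (MetricsCo, AdNet) and the exemption decisions are constructed for illustration; whether a given technology actually meets a PECR exception is the service provider's own assessment to make and record. The gate never starts a non-exempt technology without recorded consent, and on withdrawal it records a message owed to the third party that was relying on that consent.

```javascript
// Added example: a design-stage registry of storage and access technologies
// plus a consent gate. Not ICO code; names and exemption calls are assumptions.

// One entry per technology. `exempt` is the provider's recorded conclusion that
// a PECR exception applies, `reason` records why (so the decision can be
// reviewed later), `party` names who sets or reads it.
const REGISTRY = [
  { id: "session",   purpose: "keeps the user logged in",
    party: "first-party", exempt: true,
    reason: "strictly necessary for the service the user requested" },
  { id: "analytics", purpose: "measures page usage",
    party: "MetricsCo", exempt: false, reason: "" },
  { id: "ads-sdk",   purpose: "funds the service through advertising",
    party: "AdNet", exempt: false, reason: "" },
];

// Design-stage review: every entry needs a purpose and a responsible party,
// and an entry claimed exempt must say why. Returns problems (empty = ok).
function reviewRegistry(registry) {
  const problems = [];
  for (const t of registry) {
    if (!t.purpose) problems.push(`${t.id}: no purpose recorded`);
    if (!t.party) problems.push(`${t.id}: no responsible party recorded`);
    if (t.exempt && !t.reason) problems.push(`${t.id}: claimed exempt without a reason`);
  }
  return problems;
}

class ConsentGate {
  constructor(registry) {
    this.registry = new Map(registry.map(t => [t.id, t]));
    this.consented = new Set(); // ids the user has agreed to
    this.active = new Set();    // ids currently running
    this.outbox = [];           // messages owed to third parties
  }

  lookup(id) {
    const t = this.registry.get(id);
    if (!t) throw new Error(`unknown technology: ${id}`);
    return t;
  }

  // A technology may run only if it is exempt or consent has been recorded.
  mayActivate(id) {
    const t = this.lookup(id);
    return t.exempt || this.consented.has(id);
  }

  // Called at page/app load and again after consent changes. Non-exempt
  // technologies are never pre-enabled: without consent this returns false
  // and `start` is not called.
  activate(id, start) {
    if (!this.mayActivate(id)) return false;
    start(this.lookup(id));
    this.active.add(id);
    return true;
  }

  grant(ids) {
    for (const id of ids) { this.lookup(id); this.consented.add(id); }
  }

  // Withdrawal: stop the technology and record a notification for any third
  // party that was relying on the consent you obtained.
  withdraw(ids, stop) {
    for (const id of ids) {
      const t = this.lookup(id);
      this.consented.delete(id);
      if (this.active.has(id)) { stop(t); this.active.delete(id); }
      if (t.party !== "first-party") {
        this.outbox.push({ to: t.party, technology: id, event: "consent-withdrawn" });
      }
    }
  }
}

// Walk-through over the constructed registry: first load with no consent,
// then consent to analytics only, then withdrawal of that consent.
function demo() {
  const gate = new ConsentGate(REGISTRY);
  const started = [];
  const start = t => started.push(t.id);
  const stop = t => started.splice(started.indexOf(t.id), 1);

  const onLoad = REGISTRY.map(t => gate.activate(t.id, start)); // [true, false, false]
  gate.grant(["analytics"]);
  gate.activate("analytics", start);   // now permitted
  gate.withdraw(["analytics"], stop);  // stopped, MetricsCo notified

  return { onLoad, started: [...started], outbox: gate.outbox, review: reviewRegistry(REGISTRY) };
}
```

The `reviewRegistry` check is the part worth running before launch: an entry marked exempt with no recorded reason is exactly the "which ones meet an exception (and why)" question left unanswered.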
Following a data protection by design approach is particularly important if you intend to provide your service via a mobile app. This is because:
- mobile devices such as smartphones and tablets are likely to have direct access to different sensors and data. For example, the microphone, camera and GPS receiver, or wide-ranging information such as the user’s email accounts and contacts;
- users are likely to have a range of apps downloaded on their device for many different functions, which can involve sharing personal data (including sensitive data). For example, medical or fitness apps, social media apps and banking apps;
- app developers often make use of third-party SDKs for different purposes. These can introduce new and complex flows of information from the user’s device when using the app, including use by third parties, which may not be obvious from the user interface; and
- mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate privacy information with app users (and obtain consent where required).
Similar considerations apply to connected IoT devices.
What do we need to consider if we use someone else’s technologies on our online service?
Other organisations provide a range of storage and access technologies. Your organisation might decide to deploy these on your service rather than develop your own, for example to:
- provide a specific element, function or feature to your service (eg streaming content);
- secure your service and protect your users (eg security and authentication);
- help you generate revenue (eg through advertising technology); or
- enable your users to interact with other services or platforms (eg social media).
As the online service provider, it is your responsibility to understand the technologies you intend to use and ensure you comply with PECR.
Where your use of these technologies involves the processing of personal data, you must also consider the UK GDPR. For example, by:
- being clear about which other organisations may be involved in the processing;
- allocating appropriate roles and responsibilities between you and these organisations (eg controllers, processors or joint controllers);
- identifying and mitigating risks to people’s rights and freedoms; and
- ensuring that mechanisms are in place to facilitate individual rights between all parties involved and appropriate actions are taken (eg informing another organisation relying on consent you obtained from a user that they have since withdrawn that consent).
Depending on the circumstances, these other organisations may have their own responsibilities under the UK GDPR. Our data sharing code contains further information on their responsibilities.