What are the exceptions?

At a glance 

  • There are five exceptions to the prohibition on storing or accessing information on people’s devices.
  • The exceptions only apply if your use of storage and access technologies aligns with the purposes and requirements of each one. If your usage goes beyond these, you must get consent.
  • The ‘communication’ exception only applies when the sole purpose of the storage or access is for the transmission of a communication.
  • The ‘strictly necessary’ exception applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests.
  • The ‘statistical purposes’ exception applies when the sole purpose of the storage or access is so you can collect information for statistical purposes about the use of your service.
  • The ‘appearance’ exception applies when the purpose of the storage or access is to adapt the way your service appears or functions in line with the subscriber’s or user’s preference.
  • The ‘emergency assistance’ exception applies when the sole purpose of the storage or access is to identify the geographical position of the subscriber’s or user’s device to provide emergency assistance.

In detail 

Do all storage and access technologies require consent? 

No. You can store or access information in five circumstances without the subscriber’s or user’s consent. These exceptions apply when storage or access is:

  • for the sole purpose of the transmission of a communication. This is the ‘communication’ exception;
  • strictly necessary to provide the service the subscriber or user requests. This is the ‘strictly necessary’ exception;
  • for the sole purpose of collecting statistical information about visitors to your service, with a view to improving it. This is the ‘statistical purposes’ exception (also known as the ‘analytics’ exception);
  • for the sole purpose of improving or adapting the appearance or functionality of the service to the subscriber’s or user’s preference. This is the ‘appearance’ exception; or
  • for the sole purpose of identifying the location of a subscriber or user who requires emergency assistance. This is the ‘emergency assistance’ exception. 

An exception means that the purpose for which you want to store or access information is exempt from the prohibition. With some of the exceptions, you must give subscribers or users: 

  • clear and comprehensive information about your use of the technology; and
  • an easy way to object to this use. 

If you don’t, you won’t be using those exceptions correctly. This means you must not use the technology without the subscriber’s or user’s consent.

The following sections explain each exception in detail, along with the specific requirements for each one. When assessing whether any of the exceptions apply, you must consider their specific requirements. This is because exceptions are narrow in scope and won’t apply in all cases. 

For the specific changes that DUAA introduces, see Schedule 12. This inserts new Schedule A1 into PECR.

What is the ‘communication’ exception?

The communication exception is about the transmission of a communication over an electronic communications network. 

Three elements are necessary for a communication to take place over a network between two parties. These are the ability to:

  • route information over a network by identifying the communication ‘endpoints’ — devices that accept communications across that network;
  • exchange data items in their intended order; and
  • detect transmission errors or data loss. 

The communication exception covers the use of storage and access technologies that fulfil one (or more) of these properties, but only for the sole purpose of the transmission. 

For this exception to apply, you must ensure that the transmission of the communication is impossible without the use of the particular storage and access technology.  

Common examples include:

Activity Likely to meet the communication exception?
Session cookies for load balancing purposes, with the sole purpose of identifying which server in the pool the communication will be directed to. 
Device fingerprinting techniques, solely for network management purposes.

What is the ‘strictly necessary’ exception?

The ‘strictly necessary’ exception applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests.

This means that without it, the service couldn’t be provided on a technical level.

Importantly, the exception only applies to ‘information society services’ (ISS) (ie a service delivered over the internet, such as a website or an app). If you are running an online service, it is likely that the service is an ISS.

The exception also covers the use of storage and access technologies to comply with any other legislation that applies to you (eg the security requirements of data protection law). However, this exception does not apply if there are ways that you can comply with this other legislation without the use of storage and access technologies.

You should assess ‘strictly necessary’ from the point of view of the subscriber or user, not your own. For example, you might view the use of advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service. However, they are not ‘strictly necessary’ from the user’s perspective.

What activities are likely to meet this exception?

PECR gives some non-exhaustive examples of activities that meet this exception:

  • ensuring the security of terminal equipment;
  • preventing or detecting fraud;
  • preventing or detecting technical faults;
  • authenticating the subscriber or user; and
  • recording information or selections the user makes on an online service.

Some of these examples may apply to you, depending on how your online service functions.

The table below includes non-exhaustive examples of activities that are likely to meet the exception, and those that won’t.

Activity Likely to meet the strictly necessary exception?
Remembering the goods a user wishes to buy when they go to the online checkout or add goods to their shopping basket.
Complying with the security requirements of data protection law for an activity the user has requested (eg, in connection with online banking services).
Identifying a user once they have logged in to an online service for the duration of their visit to the site (eg to prevent a new login prompt on an online banking service each time the user loads a new page).  
Using link decoration to authenticate a user.

Session cookies used to store a user's preference can rely on the strictly necessary exception, provided they are not linked to a persistent identifier.

The exception may in some cases also apply to persistent cookies, but the user must be given sufficient information in a prominent location. For example, cookies used as part of a cookie consent mechanism, which remember the user's cookie preferences over a period of time (eg 90 days), can be exempt.

Alternatively, the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information that a persistent cookie will be set on their device for the purpose of remembering their consent preference.

However, the information accessed must be used solely for this purpose. Any secondary purposes mean the exception would not apply.

Streaming content:

The use of storage and access technologies to provide streaming content can be exempt in some circumstances.

For example, if your service is an online content provider, then you can rely on the exception for purposes that relate to the technical provision of the content. This is because accessing the video or audio is part of the service the user has requested.

However, the exception does not extend to other purposes, such as content personalisation or usage monitoring.

If your service includes content hosted on these platforms (eg if you have posted a video on your organisation’s YouTube channel), you should:

  • configure the embedded content so that it does not store or access information the instant someone visits the page containing it, including for analytics purposes; and 
  • tell the user underneath the embed that if they choose to press ‘play’, storage and access technologies will be used (you should use a ‘privacy mode’ where available). This will not require consent, as the user has been informed and wants to access the content.

When considering how to manage your use of embedded videos, you could:

  • add a consent request into your existing mechanism; or 
  • use a 'just-in-time' approach to seek consent on particular pages where the videos are included.

Alternatively, you could consider using external links instead of embedded videos.

Adding a consent request for embedded videos into your consent mechanism may seem like the simplest option. However, if you do this, you must provide clear and comprehensive information to your users about what this means for them. For example, by saying that: 

  • if they enable the storage and access technologies, then this may result in the video sharing platform collecting information about their viewing (eg for analytics and advertising purposes); and
  • if they don’t enable the storage and access technologies, then they will see external links to the videos instead. 

You should configure your use of these external services in the most privacy-friendly way possible. What this involves depends on the controls and functions available on your service.
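The approach described above for embedded videos, as an added example that is not code from the ICO page or from any video platform: nothing is loaded from the platform until the visitor presses play, and the notice sits directly under the embed. It assumes the platform offers a privacy-enhanced embed host (youtube-nocookie.com is used as the assumed host) and that video IDs consist of URL-safe characters.

```javascript
// Added example: "click-to-load" wrapper for embedded videos.
// Assumption: youtube-nocookie.com is the platform's privacy-enhanced embed host.
const PRIVACY_EMBED_HOST = "https://www.youtube-nocookie.com";

// Only URL-safe characters are accepted, so an ID can never break out of the
// src attribute or the embed URL path (assumed ID format).
function assertValidVideoId(videoId) {
  if (typeof videoId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(videoId)) {
    throw new Error("invalid video id");
  }
  return videoId;
}

function buildPrivacyEmbedSrc(videoId) {
  return `${PRIVACY_EMBED_HOST}/embed/${assertValidVideoId(videoId)}`;
}

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The placeholder references no third-party resource at all: no iframe, no
// thumbnail fetched from the platform, no platform script. The notice under
// the play button tells the visitor what pressing play will do.
function buildPlaceholderHtml(videoId, title) {
  assertValidVideoId(videoId);
  return (
    `<div class="video-placeholder" data-video-id="${videoId}">` +
    `<button type="button" class="video-play">Play "${escapeHtml(title)}"</button>` +
    `<p class="video-notice">Pressing play loads this video from the video ` +
    `platform, which will store or access information on your device.</p>` +
    `</div>`
  );
}

// Swap the placeholder for the real iframe. Called only from the click
// handler, i.e. after the visitor has seen the notice and chosen to play.
function activateEmbed(placeholder) {
  const iframe = placeholder.ownerDocument.createElement("iframe");
  iframe.src = buildPrivacyEmbedSrc(placeholder.dataset.videoId) + "?autoplay=1";
  iframe.setAttribute("allow", "autoplay; fullscreen");
  iframe.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  iframe.width = "560";
  iframe.height = "315";
  placeholder.replaceWith(iframe);
  return iframe;
}

// Wire up every placeholder on the page. Returns the number found; guarded so
// the module also loads outside a browser (where there is no document).
function installEmbeds(root) {
  const doc = root || (typeof document !== "undefined" ? document : null);
  if (!doc) return 0;
  const placeholders = doc.querySelectorAll(".video-placeholder");
  placeholders.forEach((p) => {
    p.querySelector(".video-play").addEventListener("click", () => activateEmbed(p));
  });
  return placeholders.length;
}

installEmbeds();
```

Server-side templates emit buildPlaceholderHtml(...) where the iframe used to go; the page itself never contains the platform's embed markup until the click.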


Social media plugins and tracking technologies

If you decide to use social media plugins or other tracking technologies on your service, you must be aware of what these technologies do and how they work.

Where a user of your online service is also logged in to a social media platform, and your service includes plugins and other tools provided by that platform, they might expect to be able to use these plugins as part of their interaction with the social network.

In such cases, the storage and access of information by these plugins can be strictly necessary for the functionality the user has requested on your service.

However, this does not apply to non-logged in users of that social media platform — whether these are users who have logged out, or users that are not members of that network.

So, you must get consent for any use of social plugins, unless you configure them to only store or access information on devices that logged-in members of the social media platform use.

Where a social media plugin, script, cookie or other technology tracks users, the exception does not apply.

Therefore, you must obtain consent for the use of social media tracking technologies you include in your online service. This applies whether or not your users are members of the social network in question.

Cross-device tracking

You must get consent for any cross-device tracking you want to do. The use of storage and access technologies to link a particular user across sites and devices is not strictly necessary to provide your service.

Online advertising

If your service uses storage or access technologies for the purposes of online advertising, you must get consent. You cannot rely on the strictly necessary exception. Online advertising purposes are not exempt from PECR's consent requirements and never have been.

This includes any advertising-related purpose, including (but not limited to) things such as frequency capping, ad affiliation, ad measurement and performance, click fraud detection, market research, product improvement or debugging.

You must also get consent if you are using device fingerprinting techniques for online advertising purposes. Your users are often unaware that this processing is taking place and that it involves creating profiles of users across different services over time to serve targeted advertising.

Also, if you say your use of a particular technology is strictly necessary because of the purpose (eg security), you must ensure that you only use it for this purpose. If you use it for any other purpose as well, the exception does not apply and you must then get consent. 

Further reading - ICO guidance

Age appropriate design - see ‘What do you mean by an information society service?’

What is the ‘statistical purposes’ exception?

The statistical purposes exception means you don’t have to get consent for storing or accessing information on a device if: 

“the sole purpose of the storage or access is to enable the person -

(i) to collect information for statistical purposes about how the service is used with a view to making improvements to the service, or 

(ii) to collect information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website.”

This exception applies when:

  • you are an ISS provider; and
  • the sole purpose of the storage and access technology is collecting information for statistical purposes about the use of your service. 

You can share this information with a third party, provided they are only using it to improve your website or service. 

As part of relying on this exception, you must provide the user or subscriber with clear and comprehensive information about the purpose, and a ‘simple and free’ means to object. 

The statistical purposes exception does not apply to collecting or monitoring information automatically emitted by terminal equipment, such as wifi probe requests.

What activities are likely to meet the exception? 

The exception is about: 

  • the creation of aggregate statistical information about visitors to your service; and
  • your use of this information for the purpose of improving it. 

The exception is essentially for analytics purposes. However, it is not a broad exception that covers all types of analytics technologies or ways you can use them. It is about how your service is used, not about who uses it. It is not for identifying, tracking or monitoring people or groups of people who use your service. It also doesn’t apply to things like online advertising.

To rely on it, you must ensure your analytics involve statistical information. For example, things like:

  • how many people access your service;
  • what they access; and
  • how long they access it for.

‘Improving the service’ includes things like understanding user journeys through your website, and which areas of your website your visitors spend most or least time on. For example, to decide how to organise your online service, what content to produce more or less of, or to improve your users’ experience.  

‘Statistical purposes’ is not defined in PECR itself. In practice, it can be taken to have the same meaning as in the UK GDPR, applied to information generally rather than only to personal data: 

“References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where— 

(a) the information that results from the processing is aggregate data that is not personal data, and 

(b) the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.”

It’s likely this processing involves collecting individual-level information for this purpose. This may be personal data (eg where it relates to a specific visitor of the service). If that is the case, you must also comply with the UK GDPR.

You must also then aggregate this information. You must ensure that you do not store any personal data for any longer than is necessary for your aggregation process. 

If your processing goes beyond this, the exception won’t apply and you must get consent. For example, if you: 

  • make inferences or take decisions about people (or categories of people) based on information like their IP address or category on your service; or
  • retain the individual-level information (after aggregating it).  

The statistical purposes exception enables you to understand how visitors interact with your service. Provided your use of storage and access technologies for this purpose is in line with the exception, you don’t need to get consent under PECR.

To rely on the exception, you must only use the storage and access technologies for the purpose of improving your service or website, and not for any other purposes. This is the case whether you store or access information for this purpose, or whether you use a third party, such as an analytics provider to do this for you. You must ensure that the information resulting from the storage or access is aggregate statistical information that you cannot use to identify people.  

The table below includes non-exhaustive examples of activities that are likely to meet the exception, and those that won’t.

Activity – when using aggregate statistical information Likely to meet the statistical purposes exception?
Total visits to your website, page-by-page (eg for traffic analysis to understand user journeys). 
User interactions with pages on your website (eg average scroll depth or the total number of hits on sections of a page).
Information to understand how your users access your service (eg device types and browser or operating system versions). 
How your users reached your service. For example, via an email campaign (ie the referrer URL), search results or anything else. 
A/B testing - separating users into two groups to compare user interactions with two different versions of your website or particular sections of it.
Coarse geolocation information of website users (eg at city or region level) that does not allow people to be identified.  
Information on page loading speeds, or exit pages (eg to detect browsing issues).

Using web analytics tools to monitor or track people.

The statistical purposes exception does not allow you to monitor or track individual visitors to your service.

You must obtain consent for: 

  • logs or recordings of individual visitors to your website and the actions they took (if not obtained for the purposes of security);
  • information on whether users viewed or clicked on an advert displayed to them, for the purpose of measuring the performance of the advert;
  • connecting a visitor ID to their site activity (eg where users purchased a product on your website (‘conversions’) to be shared with advertising partners);
  • tracking or profiling individual visitors or categories of visitors (eg based on their IP address or the pages they visited on your website); or
  • monitoring the browsing of website visitors across different services and applications.

Online advertising

The statistical purposes exception does not apply to purposes related to online advertising. For any use of storage and access technologies for these purposes, you must get consent.

Neither PECR nor the UK GDPR specifies any timeframes for aggregating your information. You should therefore determine the appropriate timeframe for your service based on its particular circumstances, including your visitor numbers. You could consider daily aggregation to be appropriate for your service. A more frequent aggregation (such as hourly) of some data points may be appropriate in some cases (eg if you have a large number of visitors). 

You must only store individual-level information for as long as you need it, regardless of your aggregation frequency.

You must implement appropriate technical and organisational measures to ensure that your aggregated datasets don’t allow people to be identified.
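The aggregation step the guidance describes, both the "collect individual-level information, aggregate it, then do not retain it" sequence and the technical measure against identifiable aggregates, as an added example that is not code from the ICO page. The hit records are constructed sample data; the identifier check is one illustrative measure, not a prescribed one.

```javascript
// Added example: daily aggregation of first-party analytics hits.
// Constructed sample data: individual-level records as a collector might
// buffer them. ip and userAgent are present only until aggregation runs.
const sampleHits = [
  { ts: "2024-05-01T09:00:00Z", path: "/articles/a", ip: "203.0.113.5",  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Mobile/15E148 Safari/604.1" },
  { ts: "2024-05-01T09:05:00Z", path: "/articles/a", ip: "203.0.113.5",  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Mobile/15E148 Safari/604.1" },
  { ts: "2024-05-01T10:12:00Z", path: "/articles/b", ip: "198.51.100.7", userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" },
  { ts: "2024-05-01T11:40:00Z", path: "/articles/a", ip: "198.51.100.9", userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" },
  { ts: "2024-05-01T23:59:00Z", path: "/articles/b", ip: "192.0.2.44",   userAgent: "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/124.0" },
  { ts: "2024-05-02T08:00:00Z", path: "/articles/a", ip: "192.0.2.44",   userAgent: "Mozilla/5.0 (Linux; Android 14) Mobile Chrome/124.0" },
];

// Coarse device class is the only thing derived from the user agent; the
// string itself never reaches the aggregate.
function deviceClass(userAgent) {
  return /Mobi/i.test(userAgent) ? "mobile" : "desktop";
}

function dayOf(ts) {
  return ts.slice(0, 10); // ISO date part: the daily aggregation bucket
}

// Turn individual-level hits into per-day totals: visits, visits per page,
// visits per device class. No per-IP or per-visitor keys are created, so the
// output cannot be used to single anyone out.
function aggregate(hits) {
  const days = {};
  for (const h of hits) {
    const day = dayOf(h.ts);
    if (!days[day]) days[day] = { visits: 0, pages: {}, devices: {} };
    const d = days[day];
    d.visits += 1;
    d.pages[h.path] = (d.pages[h.path] || 0) + 1;
    const dc = deviceClass(h.userAgent);
    d.devices[dc] = (d.devices[dc] || 0) + 1;
  }
  return days;
}

// Technical measure: refuse to release an aggregate that still carries
// anything resembling an IPv4 address or a raw user-agent string.
function containsIdentifiers(obj) {
  const text = JSON.stringify(obj);
  return /\b\d{1,3}(\.\d{1,3}){3}\b/.test(text) || /Mozilla\//.test(text);
}

// Aggregate the buffer, then drop the individual-level records in place so
// they are not kept beyond the aggregation run.
function aggregateAndPurge(buffer) {
  const result = aggregate(buffer);
  if (containsIdentifiers(result)) {
    throw new Error("aggregate still contains individual-level identifiers");
  }
  buffer.length = 0;
  return result;
}

const dailyStats = aggregateAndPurge(sampleHits.slice());
console.log(JSON.stringify(dailyStats, null, 2));
```

Run on the sample, 2024-05-01 yields 5 visits (3 to /articles/a, 2 to /articles/b; 3 mobile, 2 desktop) and the buffer passed in is empty afterwards.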

Where analytics involves personal data, you must consider the UK GDPR requirement for ‘data protection by design and default’. This includes when you are considering making use of a third-party provider.   

Can we use a third-party analytics service? 

Yes. The exception recognises that you can:

  • develop your own analytics solution; or
  • use a third-party analytics provider.

Paragraph 5(1)(c) of Schedule A1 states: 

“Any information that the storage or access enables the person to collect is not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website.”

This means, for the statistical purposes exception to apply, you must ensure that the third party only assists you in achieving your purpose. Your provider can only: 

  • act on your behalf; and
  • use the information to help you improve your service. 

Whether you choose to use a third-party analytics provider is a decision for you to take, based on your circumstances. 

If you do use a third-party provider, you must:

  • tell your users that you do so; and
  • explain what the third party does with the information it collects. 

Where you are using a third party analytics provider, you must also consider your UK GDPR obligations. 

This means that you must: 

  • clarify the roles and responsibilities between you and your analytics provider (to rely on the exception, your third-party provider must be a processor, not a joint controller);
  • specify what the provider will do on your behalf;
  • ensure the provider only uses the information to improve your service and does not link it with any other information it works with;
  • consider your obligations if the processing involves international transfers of personal data; and
  • obtain consent if you use a third-party service for other purposes. For example, to link a user’s activity and purchase journey on your website to an online advert they may have previously clicked on. 

Example 

A website operator posts articles on different topics. The operator wants to understand which of its articles visitors read deeply, and which ones they don’t have the same level of interest in. It wants to use this to inform what type of content to produce in future. 

The operator decides to use a third-party analytics service for this purpose. The analytics service provides JavaScript that the operator adds to relevant pages. This measures scroll depth, time spent on each page, and the bounce rate.  

The operator accesses this information by logging into its account at the analytics service. They can see the statistics about the average time visitors spend on particular pages and how much they read. 

The operator can rely on the statistical purposes exception in these circumstances. 

Example

The same website operator now wants to understand the characteristics of those visitors that read articles most deeply. Working with the analytics service, the operator chooses additional parameters to incorporate into the analytics technology on its website. These parameters process additional information in order to segment visitors by demographic, including age group and gender. 

The operator intends to use this information to determine what content to promote to these particular visitors in future.

For this storage and access, the operator cannot rely on the statistical purposes exception. This is because what it wants to do goes beyond the exception’s scope by including profiling to target content. 

What is the ‘appearance’ exception? 

The ‘appearance’ exception applies when the sole purpose of the storage and access is so you can either: 

  • adapt the way your service appears or functions in line with the subscriber’s or user’s preference; or
  • otherwise enhance the appearance or functionality of the website when displayed on, or accessed by, the subscriber’s or user’s device.

To rely on this exception, you must also provide the subscriber or user with clear and comprehensive information about the purpose, and a ‘simple and free’ means to object.

This exception is not about adapting the content to display to a user on your service based on known or inferred interests or behaviours about them. For example, using their profile or previous browsing history to decide what content to promote at the top of the webpage, or to choose which advert to serve.

These purposes do not meet the exception and you must obtain consent.  

You must also ensure that you limit any processing of personal data related to the use of storage and access technologies for purposes under this exception to what is necessary for this purpose.

The table below includes non-exhaustive examples of activities that are likely to meet the exception, and those that won’t.

Activity Likely to meet the appearance exception?
Identifying the dimensions of a subscriber’s or user’s monitor or screen to enable reconfiguration of a webpage to adapt to the screen (‘responsive design’). For example, to display a simplified navigation and layout to a user visiting your website from a mobile device.
Remembering the language the subscriber or user selects (eg on a multilingual website).

The use of an external font library to display your chosen font on the service.

You should ensure the font provider uses this information for the purposes of serving the font that you’ve selected and not for other purposes (eg advertising and profiling). 

Be aware that external font libraries may collect information about your users, such as their IP address. Where this occurs, you must explain this to your users and give them a simple and free way to object.

You could consider self-hosting fonts by downloading them from an external service and uploading them to your server. 

Detecting preferences indicated on the subscriber’s or user’s operating system, such as themes and colour schemes, and displaying the service using a similar theme, if available. 

For example, a user might turn on ‘dark mode’ in their mobile device settings. A video player app can use this preference to display its app features in its own dark mode setting. The user can easily switch away from dark mode within the app.  

Using device information to optimise user experience on your service (eg device memory information to tailor the features to display to that user). 

You must not use this information for other purposes beyond what is required to improve the appearance or functionality of the service (eg device fingerprinting techniques to identify a user). 

Changing the content you display to a user on your service based on known or inferred interests or behaviours about them. For example, using their profile or previous browsing history to decide what content to promote at the top of the webpage, or to choose which advert to serve.

Any purposes relating to decisions about the content on your service do not meet this exception and you must get consent. 

Online advertising

The appearance exception does not apply to purposes related to online advertising. For any use of storage and access technologies for these purposes, you must get consent.

What is the ‘emergency assistance’ exception?

This exception applies where the sole purpose of the storage or access is to identify the geographical position of the subscriber’s or user’s device to provide emergency assistance.

It’s similar to the emergency calls exception in regulation 16 of PECR, which allows the restrictions on the processing of location data to be removed when the user makes an emergency call. 

The difference is that the information stored or accessed isn’t limited to location data as defined by PECR, nor is it limited to emergency calls. Specifically, it allows you to use information about someone’s location for emergency assistance purposes. This includes using GPS-based location information from smartphones, tablets, sat-navs or other devices. This information isn’t covered by PECR’s definition of location data, as it is not collected by a network or service.  

This means that the emergency assistance exception allows you to process more information for the purposes of providing this assistance to the subscriber or user.

For the exception to apply, the subscriber or user has to have made a communication seeking emergency assistance first. 

In practice, this exception only applies in limited circumstances, including: 

  • motor vehicle ‘eCall’ functionalities that automatically contact emergency services on behalf of the subscriber or user, as the subscriber or user would have enabled this feature in advance of the incident; and
  • personal safety alarms that use GPS features to send location information once the subscriber or user wearing them presses an emergency button.