What are the PECR rules?

At a glance

  • You must tell users about any storage and access technologies you use and explain what they do. You must obtain prior consent to the UK GDPR standard for their use, unless an exception applies.
  • The rules cover any use of storage and access technologies. They are not limited to particular environments or software (eg traditional ‘desktop’ websites and web browsers).
  • The rules do not apply in the same way to intranets. However, wherever you collect personal data using storage and access technologies, including via an intranet, the requirements of data protection law still apply.
  • These rules apply to any organisation running an online service, including public authorities.
  • If you are a UK-based organisation but host your online service overseas, you must still comply with PECR.

In detail

What does PECR say about storage and access technologies?

Regulation 6 states:

“Subject to schedule A1, a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user.”

Schedule A1 lists the exceptions to this rule, explained in the ‘What are the exceptions?’ section. This means that, unless an exception applies, if you use any storage and access technologies, you must:

  • tell the subscriber or user what the technologies are;
  • explain what they do; and
  • obtain prior consent for their use.

For the specific changes that DUAA introduces, see Schedule 12. This inserts new Schedule A1 into PECR.

Who are subscribers and users?

These rules apply to the ‘terminal equipment’ of the ‘subscriber or user’.

The ‘subscriber’ is the person named on the bill for the supply of the service, for example the telephone line or internet connection.

The ‘user’ is the person actually using the device to access the service.

In many cases the subscriber and the user may be the same. For example, someone who uses their computer or mobile device to access an online service over the broadband connection they pay for.

However, this is not always the case. For example, if a family member visits that subscriber’s home and uses the internet connection to access a service from their own device, they are a user.

What is terminal equipment?

‘Terminal equipment’ means someone’s device. The term is broad, and includes:

  • desktop or mobile devices; and
  • other connected devices (eg smart TVs, wearables, connected vehicles and other ‘internet of things’ (IoT) devices).

What does ‘clear and comprehensive information’ mean?

For most uses of storage and access technologies, PECR says you must provide “clear and comprehensive information” about the purposes you want to use them for.

PECR does not define what ‘clear and comprehensive’ information means. However, in practice this refers to the UK GDPR’s transparency requirements, the right to be informed and the conditions for consent.

This means when you use storage and access technologies, you must provide the same kind of information to subscribers and users as you have to when you process their personal data. And in some cases, your use of the technologies will involve the processing of personal data anyway.

You must include the following information:

  • what storage and access technologies you plan to use;
  • the purposes you plan to use them for;
  • whether any third parties either store or access information in the user’s device, or receive this information; and
  • how long you intend to store or access information (eg the duration of any cookies you want to set).

These requirements apply to your use of any storage and access technologies, including those you incorporate from other organisations (eg online advertising networks or social media platforms).

Further reading - ICO guidance

The right to be informed

What does ‘consent’ mean?

Regulation 2(1) of PECR states that:

“ ‘consent’ by a user or subscriber corresponds to the data subject’s consent in the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018).”

This means that, for PECR, the UK GDPR definition of consent applies.

The UK GDPR defines consent in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The UK GDPR also includes specific requirements for consent. It says that you must:

  • be able to demonstrate you have valid consent;
  • make your consent requests “clearly distinguishable from other matters” (ie you must not bundle them as part of terms and conditions, wherever possible);
  • put your consent requests in an intelligible and easily accessible form, using clear and plain language;
  • allow people to withdraw their consent at any time through your consent mechanism; and
  • make it as easy for people to withdraw consent as it is for them to give it.

For storage and access technologies in PECR, this means that you must:

  • ensure consent involves a clear and positive action from a subscriber or user. For example, continuing to use your website does not constitute valid consent, nor does the use of a pre-ticked box or equivalent;
  • clearly inform subscribers or users about what storage and access technologies you want to use, what they do and what purposes you want to use them for before they consent;
  • clearly and specifically name any third parties whose storage and access technologies you are asking subscribers or users to consent to. This includes when you are using storage and access technologies which may appear to be coming from the host domain, but are being used by a third party;
  • not use any storage or access technologies for non-exempt purposes before the subscriber or user has given consent;
  • enable subscribers or users to refuse the use of storage and access technologies for non-exempt purposes as easily as they can accept; and
  • provide users with controls over any use of storage and access technologies for non-exempt purposes.
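As an added illustration (not code from the ICO page), the following gate models the requirements in the list above: nothing non-exempt runs before a recorded positive action, third parties are named in the notice, refusing is the same single call as accepting, and withdrawal is as easy as giving consent. The technology inventory, provider names and notice version are constructed for the example.

```javascript
// Added example, not from the ICO page: a minimal consent gate for the
// PECR requirements listed above. Technology names and providers are constructed.

// Inventory of the storage/access technologies the service uses. `exempt` marks
// a technology covered by a Schedule A1 exception; anything else is a
// non-exempt purpose that needs prior consent. Third parties are named explicitly.
const TECHNOLOGIES = [
  { id: "session_id", purpose: "strictly necessary", provider: "first party", exempt: true, ttlDays: 0 },
  { id: "_an_visitor", purpose: "analytics", provider: "Example Analytics Ltd", exempt: false, ttlDays: 365 },
  { id: "ad_profile", purpose: "advertising", provider: "Example Ad Network", exempt: false, ttlDays: 390 },
];
const NOTICE_VERSION = "2024-06-01"; // hypothetical version of the notice shown to the user

// What the user must be told before consenting: what, why, who, and for how long.
function buildNotice(technologies = TECHNOLOGIES) {
  return technologies.map(t => ({
    technology: t.id, purpose: t.purpose, thirdParty: t.provider,
    durationDays: t.ttlDays, consentRequired: !t.exempt,
  }));
}

// Initial state is "no decision yet": nothing non-exempt may run (no pre-ticked default).
function createConsentState() {
  return { decided: false, purposes: new Set(), record: null };
}

// Record a clear positive action. `acceptedPurposes` comes only from the user's
// explicit choice; passing [] records a refusal with the same single call.
function giveConsent(state, acceptedPurposes, now = Date.now()) {
  const purposes = new Set(acceptedPurposes);
  // The record is the evidence needed to demonstrate valid consent later.
  return { decided: true, purposes, record: { at: now, notice: NOTICE_VERSION, purposes: [...purposes] } };
}

// Withdrawal is one call, symmetric with giving consent.
function withdrawConsent(state, now = Date.now()) {
  return giveConsent(state, [], now);
}

// The gate: an exempt technology is always allowed; a non-exempt one only after
// consent has been recorded for exactly its purpose.
function mayUse(state, tech) {
  return tech.exempt || (state.decided && state.purposes.has(tech.purpose));
}

function allowedTechnologies(state, technologies = TECHNOLOGIES) {
  return technologies.filter(t => mayUse(state, t)).map(t => t.id);
}

// After a refusal or withdrawal, these identifiers must be removed from the device.
function toClear(state, technologies = TECHNOLOGIES) {
  return technologies.filter(t => !mayUse(state, t)).map(t => t.id);
}
```

In a real service the UI would call `giveConsent` from the accept/refuse buttons and delete the cookies returned by `toClear`; the gate itself is where third-party SDKs and tags must be held back until `mayUse` returns true.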

Do the rules only apply to websites and web browsers?

No. The rules cover any use of storage and access technologies. This means they are not limited to particular environments or software (eg traditional ‘desktop’ websites and web browsers).

For example, mobile apps commonly use embedded software development kits (SDKs) or other frameworks. These can be used for a range of purposes, such as app analytics tracking or embedding functionality like logins or payment features. This involves storing information (or accessing information stored) on the device.

However you provide your online service (eg a website, a mobile app, or anything else), you are responsible for understanding the behaviour of any software components the service includes that may store information, or access information stored, on a user’s device. This is particularly important if your service incorporates someone else’s software component (eg third-party code).

The rules also apply when you collect or monitor information that terminal equipment automatically emits, such as wifi probe requests.

Do the rules apply to our internal network?

The rules do not apply in the same way to intranets. An intranet is unlikely to be a public electronic communications network, and therefore PECR does not apply in the same way. Similarly, PECR is unlikely to apply if you extend your private network to trusted third parties with access controls.

However, wherever you collect personal data using storage and access technologies, including via an intranet, the requirements of data protection law still apply.

Similarly, you must consider data protection requirements if you are using information from storage and access technologies for monitoring your workers, for example.

Do the rules apply to public authorities?

Yes. These rules apply to any organisation running an online service, including public authorities.

Do the rules apply to services based outside the UK?

If you are a UK-based organisation but host your online service overseas, for example on cloud services based in Europe or the USA, you must still comply with PECR.

PECR does not have specific rules about organisations who are based outside the UK and whose services are accessible in the UK. But, if those services process personal data then the UK GDPR may apply.

Online services with global availability won’t automatically have to comply with the UK GDPR just because people in the UK can access them. However, you must comply with the UK GDPR if you are processing data that:

  • relates to the offer of goods or services to people in the UK; or
  • monitors the behaviour of people in the UK.

If you don’t tell people about how you use storage and access technologies to process their personal data, your processing won’t be fair, lawful or transparent.

If you are based overseas but don’t offer goods or services in the UK or monitor the behaviour of people in the UK, then you could implement appropriate technical and organisational measures to demonstrate this, for example by:

  • making clear and accurate statements to this effect on the service (eg in the privacy information or similar);
  • not using any storage and access technologies to monitor UK user behaviour; or
  • preventing users from accessing your service (eg via IP address blocking).

However, implementing any of the above measures does not automatically mean that your organisation is out of scope of the UK GDPR. Rather, it depends on your organisation’s specific circumstances.

Example

An online news outlet based outside the UK, but accessible to people within the UK, may not be in scope of the UK GDPR, depending on its circumstances.

The outlet may carry news reports relating to the UK, but if this content is directed at people within the outlet’s own country or territory, rather than people in the UK, it is not in scope of the UK GDPR, even if those people can access the news reports online.

However, if the outlet intends to have a 'global' reach then it obviously means to offer its service to anyone, including people in the UK. In this instance, it must consider whether the UK GDPR’s territorial provisions apply to it.

Example

The same online news outlet uses cookies for behavioural advertising purposes, where it processes information about all visitors to its service to create profiles about them. It uses these to target adverts based on actual or inferred interests and behaviours.

The use of cookies for these purposes would result in the storage and access of information in the devices of all visitors to the website, regardless of their location. For visitors in the UK, this processing may constitute monitoring the behaviour of people in the UK and is therefore in scope of the UK GDPR. The news outlet must ensure its use of personal data complies with the law (eg by obtaining valid consent).

Further reading — ICO guidance

Overview — Data Protection and the EU

What if children are likely to access our online service?

PECR does not have specific provisions about children accessing your online service.

If you are processing children’s data, then you must ensure you are complying with the UK GDPR.

If your online service is likely to be accessed by a child, then you should conform with our Children’s code.

Further reading — ICO guidance