How does PECR apply to profiling tools?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
Why is PECR relevant to our use of profiling tools?
PECR applies to any technology that stores information, or accesses information stored, on a user’s device. We refer to these as ‘storage and access technologies’.
In some cases, your profiling tools might involve storage and access technologies. This means PECR applies to your use of them.
For example, PECR applies where you use information you store or access on a user’s device:
- as input data to your profiling tools; or
- to take moderation action on a user based on your profiling tool’s output.
PECR also applies where you use third-party profiling tools that involve storage and access technologies.
You must obtain prior consent to the UK GDPR standard for the use of storage and access technologies, unless an exemption applies. (See section on 'What are the requirements of PECR?' for more information).
Example
An online service deploys a behaviour profiling tool that collects and uses unique identifiers from user devices.
The tool detects that a particular user’s behaviour is in breach of the service’s terms of service.
The service then uses the tool to enact a device-level ban. It uses the unique identifier as a way of preventing that user from accessing the service.
PECR does not necessarily apply to the entirety of the processing that your profiling tools carry out. But if any stage of their operation involves storing information, or accessing information stored, on a user’s device, you must comply with PECR for these activities.
For the purposes of PECR, it does not matter whether this information is personal information or not. If you store information, or access information stored, on user devices, you must comply with PECR first, before you look into UK GDPR compliance.
However, in most cases it is likely the information you collect by storage and access technologies is personal information when used in your profiling tools. If this is the case, you must comply with the additional requirements of the UK GDPR, including identifying a lawful basis for the processing. We discuss the requirements of the UK GDPR and DPA 2018 throughout the following sections of this guidance.
If you have to obtain consent for your use of storage and access technologies, and the information you’re using is personal information, you should use consent as your lawful basis under the UK GDPR for subsequent processing. (See the section on How do we use profiling tools lawfully? and our draft guidance on the use of storage and access technologies for more information).
If you're using storage and access technologies as part of profiling children, you should also conform with our children’s code, if it applies to you.
What are the requirements of PECR?
PECR says that if you use storage and access technologies, you must:
- tell your users what they are;
- explain what they do; and
- obtain prior consent for their use.
Are there any exemptions?
Yes. PECR has two exemptions to these rules:
- the ‘communication’ exemption, where storage or access is for the sole purpose of a communication over an electronic communications network; and
- the ‘strictly necessary’ exemption, where storage or access is essential to provide the service the user requests.
Do the exemptions apply to our trust and safety related profiling tools?
The communications exemption is unlikely to apply to your profiling tools.
The strictly necessary exemption has a narrow scope. It only applies where the purpose of the storage or access is essential to provide your service at a technical level.
It is only relevant for ‘information society services’ (ISS) (ie a service delivered over the internet like a website or an app). User-to-user services in scope of this guidance are likely to be ISS.
The exemption may apply if you are using storage and access technologies to comply with other laws that apply to you. But if you can achieve compliance without using these technologies, you can’t rely on the exemption.
This means you have to:
- consider whether using the technology is the only reasonable and proportionate way to comply with the requirements of the other law; and
- ensure you only use it for the purpose of complying with that law.
If using storage and access technologies to carry out profiling is the only reasonable and proportionate way to comply with your OSA duties, you do not need to get consent.
If you can achieve your aims in a less intrusive way, the exemption won’t apply. This means you must:
- get consent; or
- reconsider the use of the technology in your profiling tools.
If you use third-party providers of profiling tools, you are responsible for:
- understanding the storage and access technologies you use and their purposes; and
- ensuring that your use of them complies with PECR.
- For more information on this part of PECR, read our draft guidance on the use of storage and access technologies
- Children’s code
- ‘Likely to be accessed’ by children guidance