The Information Commissioner’s Office (ICO) has published updated guidance on “storage and access technologies”, replacing the 2019 guidance on cookies and similar technologies.
Along with some new and expanded sections, the update aligns with the recently passed Data (Use and Access) Act (DUAA) and resulting amendments to the Privacy and Electronic Communications Regulations (PECR).
Here is an analysis of the key changes and the DUAA’s new exceptions to the consent requirement.
From ‘cookies’ to ‘storage and access’
The guidance gets an intentional rebrand.
While the previous guidance focused heavily on cookies, the new text clarifies that Regulation 6 of PECR applies to the function of storing or accessing information on a user’s device, regardless of the technology used.
This includes:
- Cookies
- Tracking pixels
- Link decoration and navigational tracking
- Web storage (local storage)
- Device fingerprinting
- Scripts and tags
- Connected devices (IoT)
Five exceptions to consent
A significant development in the guidance is the expansion of PECR’s exceptions.
Previously, only “communication” and “strictly necessary” purposes were exempt from the consent requirement. Post-DUAA, Schedule A1 of PECR will list five circumstances where storage or access is permitted without consent:
- Communication: For the sole purpose of carrying out the transmission of a communication over an electronic communications network.
- Strictly necessary: Where storage or access is essential to provide the information society service requested by the subscriber or user.
- Statistical purposes: For collecting information to improve the service (analytics).
- Appearance: For adapting the appearance or functionality of the service to the user’s preference.
- Emergency assistance: For identifying the location of a subscriber or user to provide emergency assistance.
Strict interpretation of exceptions
The ICO maintains a narrow interpretation of the PECR exceptions.
You must use the technology solely for the specific exempt purpose. If you use the data for a secondary purpose, the exception does not apply, and you must obtain consent.
Regarding the “strictly necessary” exception, the guidance provides granular detail on social media plugins. These are only considered strictly necessary for users who are already logged into that specific social media platform. For non-users or logged-out users, you must obtain consent.
The “statistical purposes” exception replaces the previous regulatory forbearance regarding first-party analytics.
The 2019 guidance suggested that the ICO was unlikely to prioritize enforcement against low-risk analytics. The 2025 guidance removes this language. You must now either meet the strict criteria of the statistical exception or obtain consent.
Design standards for consent mechanisms
The guidance provides prescriptive rules on interface design, explicitly targeting “dark patterns” and compliant banner structures.
- Refusing consent must be as easy as accepting it.
- A “Reject all” button must be displayed with equal prominence to the “Accept all” button on the first layer.
- Hiding refusal options within a “More options” or “Settings” menu is non-compliant.
- Silence or inactivity does not constitute consent.
- Pre-ticked boxes or pre-enabled non-exempt technologies remain unlawful.
Online advertising and the supply chain
A dedicated chapter on online advertising clarifies the lawful bases available for this activity. The ICO states that advertising purposes are not exempt from the consent requirement and “never have been”.
This applies to the entire ad-tech supply chain, not just the delivery of the creative asset, and covers supporting activities such as:
- Frequency capping
- Ad affiliation and attribution
- Ad measurement and performance analysis
- Click fraud detection and debugging in an advertising context
You cannot rely on “legitimate interests” under the UK GDPR for these activities if PECR requires consent.
Cookie walls and forced consent
The guidance addresses “consent or pay” models and cookie walls, reiterating that consent must be freely given.
- A “take it or leave it” approach where users must accept tracking to access the service is generally non-compliant.
- Bundling consent as a condition of service is prohibited unless the storage is strictly necessary for the provision of that service.
Definitions and technical clarity
The ICO has introduced a glossary to standardise terminology and assist developers.
- Client: A system (e.g. a web browser) that requests activity from a server.
- First party: The online service the user is visiting (e.g. the domain in the address bar).
- Third party: An organization distinct from the online service the user is visiting (e.g. an analytics provider).
- Software Development Kit (SDK): Tools used for developing applications, often including third-party code.
Actionable steps for controllers
Organizations should review their current implementation of storage and access technologies against this new guidance.
- Conduct an audit to identify all storage and access technologies, including pixels and SDKs.
- Classify each technology against the five new exceptions.
- Update consent mechanisms to ensure “Reject all” is equally prominent to “Accept all”.
- Ensure no non-exempt technologies are triggered before a positive opt-in.
- Review agreements with third-party advertising partners to ensure valid consent flows down the chain.
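The audit, classification and opt-in gating steps above, as an added worked example that is not part of the ICO guidance or any vendor consent tool: each audited technology is classified against the five Schedule A1 exceptions, a secondary non-exempt purpose removes the exemption, silence is treated exactly like refusal, and only exempt or positively consented technologies are allowed to fire. The inventory, category names and the logged-in flag for the social plugin are constructed for illustration.

```javascript
// Added example (not ICO code). Gate storage/access technologies so that only
// exempt ones, or ones the user has positively opted into, are loaded.

const SCHEDULE_A1_EXCEPTIONS = new Set([
  "communication",      // sole purpose: transmitting a communication
  "strictly_necessary", // essential to the service the user requested
  "statistical",        // first-party analytics to improve the service
  "appearance",         // adapting appearance/functionality to user preference
  "emergency",          // locating the user to provide emergency assistance
]);

// A technology is exempt only if EVERY purpose it serves is an exception.
// Using the same data for a secondary purpose (e.g. advertising) means the
// exception no longer applies. A social plugin is strictly necessary only for
// users already logged in to that platform (ctx.loggedInTo is an assumption
// about how the site learns that; here it is a constructed flag).
function isExempt(tech, ctx) {
  if (tech.purposes.length === 0) return false;
  if (tech.loggedInOnly && !ctx.loggedInTo.has(tech.loggedInOnly)) return false;
  return tech.purposes.every((p) => SCHEDULE_A1_EXCEPTIONS.has(p));
}

// Consent is a positive act. decision "none" (silence, scrolling, a dismissed
// banner, pre-ticked defaults) is handled exactly like "rejected".
function consented(consent, category) {
  return consent.decision === "accepted" && consent.categories.has(category);
}

// Returns the ids that may fire for this user; everything else stays blocked
// until an opt-in arrives.
function technologiesToFire(inventory, consent, ctx) {
  return inventory
    .filter((t) => isExempt(t, ctx) || consented(consent, t.category))
    .map((t) => t.id);
}

// Constructed audit output (step 1 above), with the sole purpose of each item.
const INVENTORY = [
  { id: "session_cookie", category: "necessary", purposes: ["strictly_necessary"] },
  { id: "theme_pref", category: "necessary", purposes: ["appearance"] },
  { id: "site_analytics", category: "analytics", purposes: ["statistical"] },
  { id: "analytics_plus_ads", category: "advertising", purposes: ["statistical", "advertising"] },
  { id: "ad_pixel", category: "advertising", purposes: ["advertising", "frequency_capping"] },
  { id: "share_button", category: "social", purposes: ["strictly_necessary"], loggedInOnly: "examplesocial" },
];

const NO_DECISION = { decision: "none", categories: new Set() };
const REJECT_ALL = { decision: "rejected", categories: new Set() };
const ACCEPT_ALL = { decision: "accepted", categories: new Set(["analytics", "advertising", "social"]) };
```

Note that `analytics_plus_ads` never fires without consent even though one of its purposes is statistical, which is the "solely for the exempt purpose" rule in code.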