Analysis of the ICO's Draft Updated Guidance on Storage and Access Technologies (2025)

Feb 10, 2025 | 03 minute read

The Information Commissioner's Office (ICO) has released a draft update to its guidance on storage and access technologies, replacing the previous detailed cookies guidance. This update provides further clarity on compliance with the Privacy and Electronic Communications Regulations (PECR) and its relationship with the UK GDPR. The guidance places a stronger emphasis on consent requirements for cookies, tracking technologies, and Consent Management Platforms (CMPs).

Key Takeaways from the Updated ICO Guidance

1. Broader Scope Beyond Cookies

The ICO clarifies that PECR applies to all storage and access technologies, including:

  • Cookies (first-party and third-party)
  • Tracking pixels
  • Device fingerprinting
  • Web storage (localStorage, sessionStorage)
  • Scripts and tags
  • Link decoration and navigational tracking

If a technology stores or accesses information on a user's device, it falls under PECR and requires explicit consent unless an exemption applies.

2. Strict Consent Requirements for Third-Party Technologies

The updated guidance reinforces that third-party technologies used for tracking, advertising, and analytics must obtain explicit consent before accessing a user’s device.

Key points include:

  • Third parties cannot store or access data on a user’s device before valid consent is obtained.
  • Legitimate interests cannot be used as a legal basis for tracking; only explicit consent applies.
  • Preloading tracking technologies before obtaining consent violates PECR.

3. No Exemptions for Analytics or Advertising

The ICO confirms that the only exemptions from the consent requirement under PECR are:

  • The "communication exemption," which applies when storage or access is essential for transmitting a communication.
  • The "strictly necessary exemption," which applies when the technology is essential for providing a service explicitly requested by the user.

Online advertising, audience measurement, and analytics do not qualify for these exemptions, meaning consent is always required.

4. Stricter Rules for Consent Management Platforms (CMPs)

The ICO acknowledges that many organizations use CMPs to manage user consent preferences. However, the guidance highlights compliance risks with third-party-hosted CMPs, particularly if they:

  • Store or access information on a user’s device before consent is given.
  • Load tracking scripts before obtaining valid consent.

To be compliant, organizations should:

  • Host CMPs on their own first-party servers where possible.
  • Obtain consent before any tracking technologies are activated.
  • Provide granular consent options, allowing users to accept or reject different types of tracking.
  • Make it as easy for users to withdraw consent as it is to give it.

5. Transparency Requirements for Consent Mechanisms

The ICO sets clear expectations for consent mechanisms, including:

  • Users must be informed about which third parties will receive their data before they give consent.
  • Pre-ticked checkboxes and implied consent (such as continued browsing) do not constitute valid consent.
  • Users must be able to refuse tracking as easily as they can accept it.
  • Websites cannot use consent or pay models (such as cookie walls) in a way that forces users to accept tracking to access essential services.

Conclusion

The ICO’s updated guidance makes it clear that prior, explicit, and informed consent is required for any third-party tracking technology. Websites must ensure that storage and access technologies are not deployed before users make an active choice. 

Consent management must be transparent, with clear options for users to control their data. Organizations relying on third-party CMPs should carefully assess compliance risks, particularly regarding preloaded tracking scripts and the handling of consent records.

This guidance reinforces the UK’s alignment with EU privacy standards and strengthens the enforcement of PECR in the evolving digital landscape.

Best regards,
Ronni K. Gothard Christiansen
Creator, Aesirx.io

Concerned about your website’s compliance? 

Take control of your website's compliance today. Use the AesirX Privacy Scanner to identify potential GDPR and ePrivacy Directive violations and proactively protect your brand and user trust. It's free, and the full report is available for download.

For more on third-party risk and CMPs, read: Consent as a Service: Why Third-Party Solutions Lead to Non-Compliance.