Storage and Access Technologies: ICO publishes consultation on updated guidance


The Information Commissioner’s Office (“ICO”) has published a consultation on its updated guidance on the use of storage and access technologies.

The guidance seeks to clarify how the Privacy and Electronic Communications Regulations 2003 (“PECR”) apply to providers of online services that store information on, or access information stored on, someone’s device (for example through cookies, tracking pixels, or device fingerprinting). By employing a taxonomy of actions that organisations must, should, and could take in order to comply with the relevant rules, the guidance addresses matters such as who is responsible for compliance, how long information can be stored or accessed, and how to tell people what technologies are employed.

The guidance also provides helpful explanations of the nature of each of the various forms of storage and access technologies, and makes clear that, unless an exemption applies, organisations that employ them must: (a) tell the subscriber or user what the technologies are; (b) explain what they do; and (c) obtain prior consent for their use.

Expanding upon the requirement in the PECR that organisations must provide “clear and comprehensive information” about the purposes for which they wish to use the technologies, the guidance explains that such information must include: (1) what storage and access technologies an organisation plans to use; (2) the purposes for which the organisation plans to use them; (3) whether any third parties either store or access information on the user’s device, or receive this information; and (4) how long the organisation intends to store or access the information.

The guidance also considers the relationship between the PECR on the one hand, and the Data Protection Act 2018 (“DPA”) and UK GDPR on the other. It sets out that the rules in the PECR take precedence over the DPA and UK GDPR such that where storage and access technologies are employed, organisations must consider PECR compliance first before going on to think about the UK GDPR. Helpfully, it sets out a user-friendly diagram about the relationship between the two regimes, reproduced below:

There is also lengthy guidance on how to manage consent in practice, in which the ICO makes clear that organisations “must provide clear and comprehensive information so that [their] users understand what [the organisation] want[s] their consent for and what choices they have”. It recognises that techniques such as banners, pop-ups, and message boxes offer obvious and attractive means to comply, but the ICO warns that organisations should consider their implementation carefully. This includes, for example, considering how messages designed for display on a desktop may appear on a mobile device, generally ensuring that “electronic consent requests should not be unnecessarily disruptive”, and not attempting to obtain consent via terms and conditions. It also provides helpful visual examples of how pop-ups and messages should be designed.

Finally, the guidance has a separate section dedicated to how the rules apply to online advertising. It confirms that the use of storage and access technologies for online advertising purposes requires consent, both for the technical processes involved in ad selection and delivery and for any associated tracking and profiling. Furthermore, it explains that the use of these technologies is not strictly necessary since, on a technical level, the service can be provided without any advertising. As a result, organisations must clearly explain whom users’ data will be shared with, for what purpose, and how the user can exercise control over this processing.

The guidance also touches briefly on the use of ‘cookie walls’ and ‘consent or pay’ models that require users to accept the setting of storage and access technologies before they can access an online service’s content. The guidance explains that if a model effectively amounts to requiring a user to agree to tracking before they can access a service (what the ICO describes as a ‘take it or leave it’ approach) this will not comply with the requirement for consent to be freely given. It is clear that organisations “must not bundle consent up as a condition of the service unless it is necessary for that service”. As for consent or pay models, the ICO explains that they raise ‘complex’ issues and confirms that it will provide specific guidance on this subject in due course.

The consultation on the updated guidance is open until 14 March 2025, and it can be read in full here.
