Guidance on the use of storage and access technologies
This updated guidance is in draft form for public consultation. The consultation will open on Friday 20 December 2024 and run until 5pm Friday 14 March 2025. The consultation will be available as a link from this page, along with our draft Impact Assessment.
Contents
What's new
About this guidance
Why have you produced this guidance?
What are storage and access technologies?
- What technologies does PECR apply to?
- Cookies
- Tracking pixels
- Link decoration and navigational tracking
- Device fingerprinting
- Web Storage
- Scripts / tags
- Using storage and access technologies in different contexts
What are the rules?
- What does PECR say about storage and access technologies?
- Who are subscribers and users?
- What is terminal equipment?
- What does ‘clear and comprehensive information’ mean?
- What does 'consent' mean?
- Do all storage and access technologies require consent?
- What is the ‘communication’ exemption?
- What is the ‘strictly necessary’ exemption?
- When do the exemptions not apply?
- Do the rules only apply to websites and web browsers?
- Do the rules apply to our internal network?
- Do the rules apply to public authorities?
- Do the rules apply to services based outside the UK?
- What if children are likely to access our online service?
How do the PECR rules relate to the UK GDPR?
- What is the relationship between PECR and the UK GDPR?
- What does the UK GDPR say about storage and access technologies?
- How does PECR consent fit with the lawful basis requirements of the UK GDPR?
- What does PECR say about subsequent processing?
How do we comply with the rules?
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
- How do we tell people about the storage and access technologies we use?
- How do we tell people about storage and access technologies set on websites that we link to?
- Can we pre-enable any non-essential storage and access technologies?
- How long can we store or access information for?
- What is an audit and how can we do one?
How do we manage consent in practice?
- When do we need to get consent?
- Who do we need consent from?
- How do we request consent?
- Can we use pop-ups and similar techniques?
- Our expectations for consent mechanisms
- Can we rely on settings-led consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms for consent?
- Can we use ‘terms and conditions’ to gain consent?
- Can we bundle consent requests?
- How often do we need to request consent?
- What if our use of storage and access technologies changes?
- How do we keep records of user preferences?
- What if a user withdraws their consent?
How do the rules apply to online advertising?
- Do we need consent for tracking and profiling for online advertising?
- Does ad measurement require consent?
- What types of online advertising can we use?
- Can we use ‘cookie walls’ or ‘consent or pay’ models?