About this guidance
Why have you produced this guidance?
This guidance explains how the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) and, where relevant, data protection law apply when you use technologies that store information, or access information stored, on someone’s device (eg a computer or mobile phone).
Read it to understand the law and our recommendations for good practice.
Who is it for?
This guidance is aimed at providers of online services, including web or app developers, who need a deeper understanding of how PECR applies to the use of storage and access technologies.
What does it cover?
The technologies PECR applies to include (but are not limited to):
- cookies;
- tracking pixels;
- link decoration and navigational tracking;
- local storage;
- device fingerprinting; and
- scripts and tags.
The guidance also covers the UK GDPR, where the use of these technologies involves the processing of personal data.
What doesn’t it cover?
Other areas of PECR outside of Regulation 6, except where relevant to the use of storage and access technologies.
Wider compliance obligations with the Data Protection Act (DPA) and UK GDPR when using storage and access technologies, except for where they are relevant to PECR requirements.
How should we use this guidance?
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Legislative or legal requirements
Must refers to:
- legislative requirements within the ICO’s remit; or
- established case law (for the laws that we regulate) that is binding.
Good practice
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.