Skip to main content
Home

About this guidance

Contents

What's new

April 2026 update:

  • We have finalised this guidance following two consultations on the draft guidance: the significant update to the previous detailed cookies guidance in December 2024, and the consultation on the changes to PECR following the Data (Use and Access) Act in July 2025. We have summarised the responses to both consultations.
  • We have added two new sub-chapters: “what does a ‘simple means of objecting’ mean?” and “can we use the same storage and access technology for multiple purposes?”
  • There are minor changes to the content where we have sought to provide further clarity where requested in the consultation.
Previous updates

July 2025 update: 

  • We have updated this draft guidance to reflect changes to PECR following the Data (Use and Access) Act. 
  • We have added a new chapter “what are the exceptions?” to explain the exceptions to the prohibition on storing or accessing information on people’s devices. 
  • There are other minor changes throughout the guidance to reflect the updated rules.
  • Outside of the indicated updates, this guidance is still in draft form as per the December 2024 update. We will finalise it following the second consultation on the new chapter. 

Below we outline the changes at chapter level so past readers of the detailed cookies guidance can navigate the changes.

What are storage and access technologies?

This is a pre-existing chapter with new content to explain other storage and access technologies covered by PECR in more detail, alongside cookies.

What are the PECR rules?

This is a pre-existing chapter with some changes to the content, including added detail and new examples. This chapter now includes some sub-sections that were previously contained elsewhere in the guidance.

What are the exceptions?

This is a new chapter to explain the five exceptions to the prohibition on storing or accessing information on people’s devices.

How do the PECR rules relate to the UK GDPR?

This is a pre-existing chapter with minor changes to the content.

How do we comply with the PECR rules?

This is a pre-existing chapter which has been split into multiple chapters. This chapter includes refreshed examples and minor changes to the text of existing sub-sections, including some new policy lines.

How do we manage consent in practice?

This is a new chapter with some content from the previous ‘How do we comply with the PECR rules?’ chapter. It also includes new content to reflect our expectations for requesting consent, with examples of good and bad practice consent mechanisms.

How do the rules apply to online advertising?

This is a new chapter with mostly new content to provide clarity on how the rules apply to online advertising.

What happens if we don’t comply?

This is a pre-existing chapter with changes to reflect the changing PECR enforcement regime.

Glossary

This is a new resource.

 

December 2024 update: 

  • This guidance is a significant update to the detailed cookies guidance. It provides added clarity on our expectations for using other storage and access technologies as well as cookies.
  • We have rewritten the guidance using ‘must’, ‘should’, or ‘could’ language to provide regulatory clarity to readers.
  • The guidance reflects recent case law and our positions on key topics, including on our expectations for online advertising. 

Why have you produced this guidance?

This guidance explains how the Privacy and Electronic Communications Regulations (as amended) (PECR), and where relevant data protection law, apply when you use technologies that store information, or access information stored, on someone’s device (eg a computer or mobile phone).

Read it to understand the law and our recommendations for good practice.

Who is it for?

This guidance is aimed at providers of online services, including web or app developers, who need a deeper understanding of how PECR, and where relevant data protection law, apply to the use of storage and access technologies.

What does it cover?

The technologies PECR applies to include (but is not limited to):

  • cookies;
  • tracking pixels;
  • link decoration and navigational tracking;
  • local storage;
  • device fingerprinting; and
  • scripts and tags.

The guidance also covers the UK GDPR, where the use of these technologies involves processing personal data.

What doesn’t it cover?

Other areas of PECR outside of regulation 6, except where relevant to the use of storage and access technologies.

Wider compliance obligations with the Data Protection Act (DPA) and UK GDPR when using storage and access technologies, except for where they are relevant to PECR requirements.