What are the rules?
At a glance
- You must tell users about any storage and access technologies you use and explain what they do. You must obtain prior consent to the UK GDPR standard for their use, unless an exemption applies.
- There are two exemptions to the consent requirement: the ‘communication exemption’ and the ‘strictly necessary’ exemption.
- For the ‘communication’ exemption to apply, the transmission of the communication must be impossible without the use of the particular storage and access technology.
- The ‘strictly necessary’ exemption applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests.
- If you are a UK-based organisation but host your online service overseas, you must still comply with PECR.
In detail
- What does PECR say about storage and access technologies?
- Who are subscribers and users?
- What is terminal equipment?
- What does ‘clear and comprehensive’ mean?
- What does ‘consent’ mean?
- Do all storage and access technologies require consent?
- What is the ‘communication’ exemption?
- What is the ‘strictly necessary’ exemption?
- When do the exemptions not apply?
- Do the rules only apply to websites and web browsers?
- Do the rules apply to our internal network?
- Do the rules apply to public authorities?
- Do the rules apply to services based outside the UK?
- What if children are likely to access our service?
What does PECR say about storage and access technologies?
Regulation 6 states:
“A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.”
This means that, unless an exemption applies, if you use any storage and access technologies you must:
- tell the subscriber or user what the technologies are;
- explain what they do; and
- obtain prior consent for their use.
Who are subscribers and users?
These rules apply to the ‘terminal equipment’ of the ‘subscriber or user’.
The ‘subscriber’ is the person named on the bill for the supply of the service (for example, the telephone line or internet connection).
The ‘user’ is the person actually using the device to access the service.
In many cases the subscriber and the user may be the same. For example, someone who uses their computer or mobile device to access an online service over the broadband connection they pay for.
However, this is not always the case. For example, if a family member visits that subscriber’s home and uses the internet connection to access a service from their own device, they are a user.
What is terminal equipment?
‘Terminal equipment’ means someone’s device. The term is broad, and includes:
- desktop or mobile devices; and
- other connected devices, eg smart TVs, wearables, connected vehicles and other ‘Internet of Things’ (IoT) devices.
What does ‘clear and comprehensive information’ mean?
For most uses of storage and access technologies, PECR says you must provide ‘clear and comprehensive information’ about the purposes you want to use them for.
PECR does not define what ‘clear and comprehensive’ information means. However, in practice this refers to the UK GDPR’s transparency requirements, the right to be informed and the conditions for consent.
This means when you use storage and access technologies, you must provide the same kind of information to subscribers and users as you have to when you process their personal data. And in some cases, your use of the technologies will involve the processing of personal data anyway.
The information must include:
- what storage and access technologies you plan to use;
- the purposes for which you plan to use them;
- whether any third parties either store or access information in the user’s device, or receive this information; and
- how long you intend to store or access information (eg the duration of any cookies you want to set).
These requirements apply to your use of any storage and access technologies, including those you incorporate from other organisations (eg online advertising networks or social media platforms).
What does ‘consent’ mean?
Regulation 2(1) of PECR states that:
“ ‘consent’ by a user or subscriber corresponds to the data subject’s consent in the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018).”
This means that, for PECR, the UK GDPR definition of consent applies.
The UK GDPR defines consent in Article 4(11) as:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The UK GDPR also includes specific requirements for consent. It says that:
- you must be able to demonstrate that you have valid consent;
- your consent requests must be ‘clearly distinguishable from other matters’ — ie they must not be bundled as part of terms and conditions wherever possible;
- your consent requests must be in an intelligible and easily accessible form, using clear and plain language;
- your consent mechanism must allow people to withdraw their consent at any time; and
- you must make it as easy for people to withdraw consent as it is for them to give it.
For storage and access technologies in PECR, this means that:
- you must ensure consent involves a clear and positive action from a subscriber or user. For example, continuing to use your website does not constitute valid consent, nor does the use of a pre-ticked box or equivalent;
- you must clearly inform subscribers or users about what storage and access technologies you want to use, what they do and what purposes you want to use them for before they consent;
- you must clearly and specifically name any third parties whose storage and access technologies subscribers or users are being asked to consent to. This includes when you are using storage and access technologies which may appear to be coming from the host domain, but are being used by a third party;
- you must not use any storage or access technologies for non-essential purposes before the subscriber or user has given consent;
- you must enable subscribers or users to refuse the use of storage and access technologies for non-essential purposes as easily as they can accept; and
- you must provide users with controls over any use of storage and access technologies for non-essential purposes.
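As an added example (not the ICO's code and not part of this guidance), the gate below shows one way to implement the consent requirements just listed in a web front end or the server that renders it: nothing non-essential is enabled by default or before a decision, "accept", "reject" and "withdraw" are each a single call of the same shape, and a missing or malformed preference is treated as refusal. The purpose names "analytics" and "advertising", the cookie name "consent_prefs", and the 90-day lifetime of the preference cookie are assumptions for the example.

```javascript
// Added example (not the ICO's code): a minimal consent gate for non-essential
// storage and access technologies. Assumptions (hypothetical, not from the
// guidance): the non-essential purposes are "analytics" and "advertising",
// the decision is stored in a cookie named "consent_prefs", and that cookie
// lives for 90 days.

const NON_ESSENTIAL_PURPOSES = ['analytics', 'advertising'];
const PREF_COOKIE_NAME = 'consent_prefs';
const PREF_MAX_AGE_SECONDS = 90 * 24 * 60 * 60; // 90 days

// Parse a document.cookie / Cookie-header style string into a name->value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // Malformed percent-encoding: ignore the cookie rather than throw.
    }
  }
  return cookies;
}

// Starting state: no affirmative action yet, so every non-essential purpose is
// off. There is no pre-ticked default.
function defaultPrefs() {
  const prefs = {};
  for (const purpose of NON_ESSENTIAL_PURPOSES) prefs[purpose] = false;
  return prefs;
}

// Read the stored decision. A missing or malformed cookie means "no decision
// recorded", which the gate treats exactly like "refused".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[PREF_COOKIE_NAME];
  if (raw === undefined) return { decided: false, prefs: defaultPrefs() };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { decided: false, prefs: defaultPrefs() };
  }
  if (parsed === null || typeof parsed !== 'object') {
    return { decided: false, prefs: defaultPrefs() };
  }
  const prefs = defaultPrefs();
  for (const purpose of NON_ESSENTIAL_PURPOSES) prefs[purpose] = parsed[purpose] === true;
  return { decided: true, prefs };
}

// Build the Set-Cookie value that records a decision. Purposes not explicitly
// set to true are recorded as false: silence is never consent.
function buildConsentCookie(choices) {
  const prefs = defaultPrefs();
  for (const purpose of NON_ESSENTIAL_PURPOSES) prefs[purpose] = choices[purpose] === true;
  const value = encodeURIComponent(JSON.stringify(prefs));
  return `${PREF_COOKIE_NAME}=${value}; Max-Age=${PREF_MAX_AGE_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

// "Accept all", "Reject all" and "Withdraw" are each one call with the same
// shape, so refusing or withdrawing is no harder than accepting.
function acceptAll() {
  return buildConsentCookie(Object.fromEntries(NON_ESSENTIAL_PURPOSES.map(p => [p, true])));
}
function rejectAll() { return buildConsentCookie({}); }
function withdrawAll() { return rejectAll(); }

// The gate: a tag serving a non-essential purpose may only be injected once a
// positive decision covering that purpose exists. Purposes outside the
// non-essential list are treated as exempt and always allowed.
function mayLoad(purpose, consent) {
  if (!NON_ESSENTIAL_PURPOSES.includes(purpose)) return true;
  return consent.decided && consent.prefs[purpose] === true;
}

// Which non-essential tags may be injected for this request, given its cookies.
function allowedPurposes(cookieString) {
  const consent = readConsent(cookieString);
  return NON_ESSENTIAL_PURPOSES.filter(p => mayLoad(p, consent));
}
```

In a browser, pass `document.cookie` to `readConsent` and assign the string from `buildConsentCookie` to `document.cookie` after the user clicks; on a server, emit it as a `Set-Cookie` header. The `Secure` attribute means the cookie is only sent over HTTPS, which is the assumed deployment.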
Do all storage and access technologies require consent?
No — PECR has two exemptions to these rules. They are:
- the ‘communication’ exemption — where storage or access is for the sole purpose of the transmission of a communication over an electronic communications network; and
- the ‘strictly necessary’ exemption — where storage or access is strictly necessary to provide the service the subscriber or user requests.
Relevant provisions in PECR
See Regulation 6(4)
What is the ‘communication’ exemption?
The communication exemption is about the transmission of a communication over an electronic communications network.
Three elements are necessary for a communication to take place over a network between two parties:
- the ability to route information over a network by identifying the communication ‘endpoints’ — devices that accept communications across that network;
- the ability to exchange data items in their intended order; and
- the ability to detect transmission errors or data loss.
The communication exemption covers the use of storage and access technologies that fulfil one (or more) of these properties, but only for the sole purpose of the transmission.
For this exemption to apply, the transmission of the communication must be impossible without the use of the particular storage and access technology.
Common examples include:
Activity | Likely to meet the communication exemption? |
Session cookies for load balancing purposes, with the sole purpose of identifying which server in the pool the communication will be directed to. | ✔ |
Device fingerprinting techniques, solely for network management purposes. | ✔ |
What is the ‘strictly necessary’ exemption?
The ‘strictly necessary’ exemption applies when the purpose of the storage or access is essential to provide the service the subscriber or user requests.
This means that without it, the service couldn’t be provided on a technical level.
Importantly, the exemption only applies to ‘information society services’ (ISS) — ie a service delivered over the internet, such as a website or an app. If you are running an online service, it is likely that the service is an ISS.
The exemption also covers the use of storage and access technologies to comply with any other legislation that applies to you, for example, the security requirements of data protection law. However, this exemption does not apply if there are ways that you can comply with this other legislation without the use of storage and access technologies.
You should assess ‘strictly necessary’ from the point of view of the subscriber or user, not your own. For example, you might view the use of advertising cookies as ‘strictly necessary’ because they bring in revenue that funds your service. However, they are not ‘strictly necessary’ from the user’s perspective.
What activities are likely to meet this exemption?
The following activities are likely to meet the exemption:
- ensuring the security of terminal equipment;
- preventing or detecting fraud;
- preventing or detecting technical faults;
- authenticating the subscriber or user; and
- recording information or selections the user makes on an online service.
Some of these examples may apply to you, depending on how your online service functions.
Activity | Likely to meet the strictly necessary exemption? |
Remembering the goods a user wishes to buy when they go to the online checkout or add goods to their shopping basket. | ✔ |
Complying with the security requirements of data protection law for an activity the user has requested. For example, in connection with online banking services. | ✔ |
Identifying a user once they have logged in to an online service for the duration of their visit to the site. For example, to prevent a new login prompt on an online banking service each time the user loads a new page. | ✔ |
Using link decoration to authenticate a user. | ✔ |
Session cookies used to store a user's preference can rely on the strictly necessary exemption, provided they are not linked to a persistent identifier. The exemption may in some cases also apply to persistent cookies, but the user must be given sufficient information in a prominent location. For example, cookies used as part of a cookie consent mechanism, which remember the user's cookie preferences over a period of time (eg 90 days), can be exempt. Alternatively, the act of interacting with the consent mechanism can be sufficient for consent to be obtained for any cookies relating to that mechanism, provided the user is given clear and comprehensive information as to the fact that a persistent cookie will be set on their device for the purpose of remembering their consent preference. However, the information accessed must be used solely for this purpose. Any secondary purposes mean the exemption would not apply. | ✔ |
Streaming content: The use of storage and access technologies to provide streaming content can be exempt in some circumstances. For example, if your service is an online content provider, then you can rely on the exemption for purposes that relate to the technical provision of the content. This is because accessing the video or audio is part of the service the user has requested. However, the exemption does not extend to other purposes, such as content personalisation or usage monitoring. If your service includes content hosted on these platforms (eg if you have posted a video on your organisation’s YouTube channel) then:
When considering how to manage your use of embedded videos, you could:
Alternatively, you could consider using external links instead of embedded videos. Adding a consent request for embedded videos into your consent mechanism may seem like the simplest option. However, if you do this, you must provide clear and comprehensive information to your users about what this means for them. For example, by saying that:
You should configure your use of these external services in the most privacy-friendly way possible. What this involves depends on the controls and functions available on your service. | ✔ (in some circumstances). |
Also, if you say your use of a particular technology is strictly necessary because of the purpose (eg security) you must ensure that you only use it for this purpose. If you use it for any other purpose as well, the exemption does not apply and you must then get consent.
When do the exemptions not apply?
This section is an indicative list of common purposes that you may use storage and access technologies for. You must obtain consent for these purposes because they do not meet either of the exemptions.
Activity | Why the exemptions do not apply |
Social media plugins and tracking technologies | If you decide to use social media plugins or other tracking technologies on your service, you must be aware of what these technologies do and how they work. Where a user of your online service is also logged in to a social media platform, and your service includes plugins and other tools provided by that platform, they might expect to be able to use these plugins as part of their interaction with the social network. In such cases, the storage and access of information by these plugins can be strictly necessary for the functionality the user has requested on your service. However, this does not apply to non-logged in users of that social media platform — whether these are users who have logged out, or users that are not members of that network. So, you must get consent for any use of social plugins, unless you configure them to only store or access information on devices that logged-in members of the social media platform use. Where a social media plugin, script, cookie or other technology tracks users, the exemption will not apply. Therefore, you must obtain consent for the use of social media tracking technologies you include in your online service. This applies whether or not your users are members of the social network in question. |
Cross-device tracking | You must get consent for any cross-device tracking you want to do. The use of storage and access technologies to link a particular user across sites and devices is not strictly necessary to provide your service. |
Online advertising | If your service uses storage or access technologies for the purposes of online advertising, you must get consent. You cannot rely on the strictly necessary exemption. Online advertising purposes are not exempt from PECR's consent requirements and never have been. This includes any advertising-related purpose, including (but not limited to) things such as frequency capping, ad affiliation, ad measurement and performance, click fraud detection, market research, product improvement or debugging. You must also get consent if you are using device fingerprinting techniques for online advertising purposes. Your users are often unaware that this processing is taking place and that it involves creating profiles of users across different services over time to serve targeted advertising. |
Analytics | You still must obtain consent for all analytics purposes, as they cannot be considered strictly necessary for the provision of the service. This includes storage and access technologies for web analytics purposes which are intended to monitor or track individual visitors to your service. For example: |
Do the rules only apply to websites and web browsers?
No. The rules cover any use of storage and access technologies. This means they are not limited to particular environments or software, eg traditional “desktop” websites and web browsers.
For example, mobile apps commonly use embedded software development kits (SDKs) or other frameworks. These can be used for a range of purposes, such as app analytics tracking or embedding functionality like logins or payment features. This involves storing information (or accessing information stored) on the device.
However you provide your online service — eg a website, a mobile app, or anything else — you are responsible for understanding the behaviour of any software components the service includes that may store information, or access information stored, on a user’s device. This is particularly important where your service incorporates someone else’s software component, eg third-party code.
The rules also apply when you collect or monitor information that terminal equipment automatically emits, such as Wi-Fi probe requests.
Do the rules apply to our internal network?
The rules do not apply in the same way to intranets. An intranet is unlikely to be a public electronic communications network, and therefore PECR would not apply in the same way. Similarly, PECR is unlikely to apply if you extend your private network to trusted third parties with access controls.
However, wherever you collect personal data using storage and access technologies, including via an intranet, the requirements of data protection law still apply.
Similarly, you must consider data protection requirements if you are using information from storage and access technologies for monitoring your workers, for example.
Do the rules apply to public authorities?
Yes. These rules apply to any organisation running an online service, including public authorities.
Do the rules apply to services based outside the UK?
If you are a UK-based organisation but host your online service overseas (for example, if you use cloud services based in Europe or the USA), you must still comply with PECR.
PECR does not have specific rules about organisations who are based outside the UK and whose services are accessible in the UK. But, if those services process personal data then the UK GDPR may apply.
Online services with global availability won’t automatically have to comply with the UK GDPR just because people in the UK can access them. However, where you are processing data which:
- relates to the offer of goods or services to people in the UK; or
- monitors the behaviour of people in the UK,
you must comply with the UK GDPR. If you don’t tell people about how you use storage and access technologies to process their personal data, your processing won’t be fair, lawful or transparent.
If you are based overseas but don’t offer goods or services in the UK or monitor the behaviour of people in the UK, then you could implement appropriate technical and organisational measures to demonstrate this. For example by:
- making clear and accurate statements to this effect on the service (eg in the privacy information or similar);
- not using any storage and access technologies to monitor UK user behaviour; or
- preventing users from accessing your service (eg via IP address blocking).
However, implementing any of the above measures will not automatically mean that your organisation would be out of scope of the UK GDPR. Rather, it would depend on your organisation’s specific circumstances.
Example
An online news outlet based outside the UK but accessible to people within the UK may not be in scope of the UK GDPR, depending on its circumstances.
The outlet may carry news reports relating to the UK, but if this content is directed at people within the outlet’s own country or territory, rather than people in the UK, then it will not be in scope of the UK GDPR even if those people can access the news reports online.
However, if the outlet intends to have a 'global' reach then it obviously means to offer its service to anyone, including people in the UK. In this instance, it must consider whether the UK GDPR’s territorial provisions apply to it.
Example
The same online news outlet uses cookies for behavioural advertising purposes, where information about all visitors to its service is processed to create profiles about them. These are used to target adverts based on actual or inferred interests and behaviours.
The use of cookies for these purposes would result in the storage and access of information in the devices of all visitors to the website, regardless of their location. For visitors in the UK, this processing may constitute monitoring the behaviour of people in the UK and is therefore in scope of the UK GDPR. The news outlet must ensure its use of personal data complies with the law, eg by obtaining valid consent.
What if children are likely to access our online service?
PECR does not have specific provisions about children accessing your online service.
If you are processing children’s data then you must ensure you are complying with the UK GDPR.
If your online service is likely to be accessed by a child then you should conform with our Children’s code.