Guidance on the use of storage and access technologies
Latest updates - last updated 29 April 2026
29 April 2026 - we have finalised this guidance following two consultations on the draft guidance: the significant update to the previous detailed cookies guidance in December 2024, and the consultation on the changes to PECR following the Data (Use and Access) Act in July 2025. We have summarised the responses to both consultations.
We have added two new sub-chapters: “what does ‘a simple means of objecting’ mean?” and “can we use the same storage and access technology for multiple purposes?”
There are minor changes to the content where we have sought to provide further clarity where requested in the consultation.
07 July 2025
- We have updated this draft guidance to reflect changes to PECR following the Data (Use and Access) Act.
- We have added a new chapter “what are the exceptions?” to explain the exceptions to the prohibition on storing or accessing information on people’s devices.
- There are other minor changes throughout the guidance to reflect the updated rules.
- Outside of the indicated updates, this guidance is still in draft form as per the December 2024 update. We will finalise it following the second consultation on the new chapter.
20 December 2024 - this guidance was published
Contents
About this guidance
- What’s new?
- Why have you produced this guidance?
- Who is it for?
- What does it cover?
- What doesn’t it cover?
What are storage and access technologies?
- What technologies does PECR apply to?
- Cookies
- Tracking pixels
- Link decoration and navigational tracking
- Device fingerprinting
- Web storage
- Scripts or tags
- Using storage and access technologies in different contexts
What are the PECR rules?
- What does PECR say about storage and access technologies?
- Who are subscribers and users?
- What is terminal equipment?
- What does ‘clear and comprehensive information’ mean?
- What does ‘consent’ mean?
- Do the rules only apply to websites and web browsers?
- Do the rules apply to our internal network?
- Do the rules apply to public authorities?
- Do the rules apply to services based outside the UK?
- What if children are likely to access our online service?
What are the exceptions?
- Do all storage and access technologies require consent?
- What is the ‘communication’ exception?
- What is the ‘strictly necessary’ exception?
- What is the ‘statistical purposes’ exception?
- What is the ‘appearance’ exception?
- What is the ‘emergency assistance’ exception?
- What does ‘a simple means of objecting’ mean?
How do the PECR rules relate to the UK GDPR?
- What is the relationship between PECR and the UK GDPR?
- What does the UK GDPR say about storage and access technologies?
- How does PECR consent fit with the lawful basis requirements of the UK GDPR?
- What does PECR say about subsequent processing?
How do we comply with the PECR rules?
- Who is responsible for compliance?
- How do we consider PECR when designing a new online service?
- What do we need to consider if we use someone else’s technologies on our online service?
- How do we tell people about the storage and access technologies we use?
- How do we tell people about storage and access technologies set on websites that we link to?
- Can we pre-enable any non-exempt storage and access technologies?
- How long can we store or access information for?
- What is an audit and how can we do one?
How do we manage consent in practice?
- When do we need to get consent?
- Who do we need consent from?
- How do we request consent?
- Can we use pop-ups and similar techniques?
- Our expectations for consent mechanisms
- Can we rely on settings-based consent?
- Can we rely on feature-led consent?
- Can we rely on browser settings and other control mechanisms for consent?
- Can we use ‘terms and conditions’ to gain consent?
- Can we bundle consent requests?
- How often do we need to request consent?
- What if our use of storage and access technologies changes?
- Can we use the same storage and access technology for multiple purposes?
- How do we keep records of user preferences?
- What if a user withdraws their consent?
How do the rules apply to online advertising?
- Do we need consent for tracking and profiling for online advertising?
- Does advertising measurement require consent?
- What types of online advertising can we use?
- Can we use ‘cookie walls’ or ‘consent or pay’ models?