ARTICLE
13 November 2025

ICO Sets The Record Straight On Storage And Access Technologies

Lewis Silkin

Contributor


On 11 September 2025, the ICO addressed common misconceptions on how data protection law (in particular the Privacy and Electronic Communications Regulations 2003, or 'PECR') governs the use of storage and access technologies ('SAT'), like cookies and tracking pixels. The ICO recommends that now is a good time for organisations to review their approach, especially in light of the Data (Use and Access) Act 2025 ('DUAA 2025') coming into force.

Why does this matter to you?

The ICO's latest update forms part of its wider strategy on online tracking, shaped by its recent findings that:

  • 30% of the top 100 UK websites have been setting advertising cookies without valid consent;
  • 60% of cookie-related complaints in 2024 involved users not being given the option to reject non-essential tracking; and
  • 134 out of the top 200 UK websites failed to meet cookie compliance standards.

This signals a clear enforcement trend. The ICO is cracking down on non-compliance, aiming to create a "level playing field" where users have meaningful control over how their data is used.

What do you need to know?

The key takeaways from the ICO's update are:

1. PECR applies to all information, not just personal data

PECR protects the subscriber/user's device, regardless of whether the information is personal data. However, if personal data is involved, UK GDPR also applies.

2. The 'strictly necessary' exception is narrow

The position in PECR is clear and remains unchanged: organisations cannot use SATs unless (1) the subscriber or user is given clear and comprehensive information about the purpose of the SATs and they consent to their use (PECR, regs 6(1)-(2)), or (2) an exemption applies.

The 'strictly necessary' exemption (PECR, reg 6(4)(b)) permits the use of SATs without consent when the SAT is essential to provide the service. However, this means the storage or access must be essential to provide a service that the subscriber or user has requested, not for purposes that the service provider deems necessary to achieve its own objectives. To put it another way, when considering the strictly necessary exemption, it is appropriate to consider the technology from the user's perspective.

The DUAA 2025 has reinforced this narrow approach in Schedule A1, para 4, noting examples of when the use of SATs is considered strictly necessary, such as:

  • Protecting information related to the provision of the service.
  • Ensuring the subscriber or user's terminal equipment is kept secure.
  • Preventing or detecting fraud.
  • Preventing or detecting technical faults.
  • Enabling automatic authentication of the identity of a subscriber or user.
  • Maintaining a record of the subscriber or user's selections made on the website.

For example, authentication cookies identify the user and allow them to see authorised content. The user explicitly requests access to the content when logging in, and the authentication functionality is essential to give them access to restricted content.

3. The ICO is not overly focused on online advertising

It is clear that the bulk of the ICO's enforcement action for non-compliant SATs is focused on online advertising technologies. However, there is logic to such a focus – these technologies can lead to harm (e.g. unwanted profiling, discriminatory targeting, or exposure to misleading content) and have influence over individuals' decision making.

4. Legitimate interests will be unavailable where non-exempt SATs are used

If PECR requires consent for the use of non-exempt SATs and personal data is processed, consent is also the lawful basis that is required to process personal data. In other words, there cannot be a bifurcated approach whereby consent is required for the purposes of PECR and legitimate interests for the purposes of the UK GDPR.

Additionally, once consent is obtained, the legal basis cannot be changed to legitimate interests for subsequent processing activities.

Bottom line: if PECR says consent, UK GDPR must follow suit.

What's next?

  • A separate consultation on the ICO's draft guidance on the use of SATs closed on 26 September 2025. The feedback will inform a formal statement from the ICO which is expected in January 2026, outlining:
    • Advertising practices that are, in the ICO's view, low-risk and are unlikely to trigger enforcement action under PECR.
    • Expected safeguards to protect people's privacy when deploying such low-risk advertising practices.
  • A certification scheme is in development to help organisations demonstrate compliance.
  • The ICO is also working with the government on legislative changes (e.g. new exemptions) to support privacy-friendly advertising practices (e.g. contextual advertising and privacy-preserving measures).

For now, the ICO's message is clear: organisations must ensure users have genuine choice and control over how they are tracked online. This means staying on top of evolving guidance and implementing compliant, user-centric data practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
