May 6, 2026

The Data (Use and Access) Act 2025: ICO guidance on cookies and the use of storage and access technologies published

We previously examined the changes to the cookies regime in our article: The Data (Use and Access) Act 2025: cookies, what is changing and what you need to know. Now, the Information Commissioner's Office (ICO) has published its finalised guidance on Storage and Access Technologies (SATs) and updated its online tracking strategy: Guidance on the use of storage and access technologies | ICO.

The guidance details how the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and, where applicable, the UK General Data Protection Regulation (UK GDPR) apply to cookies, tracking pixels, device fingerprinting and similar technologies. It incorporates updates arising from two rounds of consultation and changes introduced by the Data (Use and Access) Act 2025 (DUAA), providing new examples and clarifications to help organisations comply with the law. The guidance is separate from the ICO's ongoing review of regulation 6 of PECR 2003 related to online advertising, on which further updates are to follow in the coming weeks and which we will monitor.

Importantly, under the DUAA, a key change to the PECR is a significant increase in the maximum enforcement fines, aligning the PECR regime with the UK GDPR penalty framework (up to £17.5m or 4% of global annual turnover, whichever is higher, for certain PECR breaches).

In-scope technology

By way of a reminder, the PECR applies to any technology that stores information, or accesses information stored, on a subscriber’s or user’s ‘terminal equipment’, such as:

  • cookies;
  • tracking pixels;
  • link decoration and navigational tracking;
  • web storage;
  • fingerprinting techniques; and
  • scripts and tags.

This guidance reflects the recent changes in the law on SATs and moves the focus away from cookies to this broader term and the technologies it covers.

DUAA changes

The new DUAA exceptions to consent (emergency assistance, statistical purposes and appearance exception) are formally incorporated into the guidance. If usage goes beyond these exceptions, consent must be obtained. The guidance details each exception and considers practical examples, which will be helpful to organisations in their compliance reviews.

Practical steps

In addition to applying the exemptions, the guidance sets out the following practical considerations to comply with the PECR:

  • consider SATs as part of the design and implementation of service/business practices;
  • put in place appropriate arrangements with any third parties being used to provide a service;
  • provide clear and comprehensive information about the SATs being used;
  • explain SATs in a way that anyone visiting the service can understand;
  • non-exempt SATs must not be pre-enabled;
  • PECR does not specify how long SATs can be used for; consideration should be given to the appropriate duration in relation to the circumstances of the online service and for the purpose for which the technology is used; and
  • undertake regular reviews of online services, as well as any SATs they include.

Next steps

Aside from understanding and implementing the practical compliance steps above, organisations might now consider the below:

  • undertake an audit of SATs;
  • consider application of exemptions;
  • update privacy notices;
  • update cookie/SATs policy; and
  • revisit cookie/SATs banner.

In light of the ICO’s expanding guidance and enforcement focus on SATs, coupled with materially increased PECR penalties as described above, organisations should treat cookies and other in-scope SATs as a central element of their data governance framework and review relevant documentation to reflect the updated laws and guidance.