The ICO’s consultation on its updated guidance on storage and access technologies, which is set to replace its former guidance on cookies and similar technologies, closes on 14 March. While the fundamentals (PECR and UK GDPR compliance, valid consent) remain the same, here are the key changes at a glance:
The draft now expressly covers more than cookies, including link decoration, fingerprinting, pixels, and scripts/tags. This refines what must be disclosed and consented to.
The guidance uses these terms to show legal requirements vs. recommended good practice. This makes it easier to distinguish mandatory steps from advisable ones.
Strengthened language confirms all ad-related tracking (including measurement and frequency capping) requires consent. Exemptions are unlikely to apply to analytics or advertising.
The guidance contains detailed examples to illustrate good/bad consent banners. “Cookie wall” approaches, if they block site access unless a user agrees to be tracked, likely fail the “freely given” consent requirement. Further guidance on “consent or pay” models will follow later this year.
The draft reaffirms strictly necessary and communication exemptions apply narrowly and do not cover analytics, even if used “lightly” (e.g. just IP-based tracking).
The draft reiterates that if personal data is processed, PECR compliance (i.e. consent for the tracking) must come first. Organisations cannot later swap that consent for “legitimate interests.”
Reminds organisations that non-compliance may attract regulatory action, though fines are more likely for serious or repeated breaches.
Organisations have until 14 March 2025 to review and respond to the ICO’s consultation. The final guidance will replace the current ICO cookies PDF upon publication.
For more information, please contact Andrew Roberts.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up
