ICO sets out approach to storage, access and online tracking

The guidance is aimed at online service providers and clarifies the application of UK data protection and e-privacy laws to cookies as well as other storage and access technologies such as tracking pixels, device fingerprinting and similar technologies. It newly addresses, amongst others:

• Exceptions to the prohibition on storing or accessing information on users’ devices under the Privacy and Electronic Communications Regulations 2003 (PECR): guidance on scope of the “statistical purposes” and “website appearance” exemptions introduced by the Data (Use and Access) Act 2025, clarification on how to interpret the “strictly necessary” exception from the user’s perspective and the need for information and a simple means of objecting.
• Management of consent: when and how to obtain consent and from whom, examples such as how use of tracking pixels applies to affiliate marketing consent, as well as the extent to which storage and access technologies can be used for multiple purposes.
• Interplay with the GDPR: further examples on the use of different lawful bases for subsequent processing of personal data.
• Online advertising: how the rules on storage and access technologies apply to online advertising, including “consent or pay” models. The ICO notes that the outcome of its review of Regulation 6 PECR, in the context of online advertising, will separately be the subject of recommendations to the UK government “in the coming weeks”.

On the same day, the ICO also published its latest update on actions it has taken to promote compliance with online tracking laws. Its April 2026 update calls out ICO actions, amongst others, to:

• Provide clarity on data protection law requirements: through the guidance, industry engagement and use of its Regulatory Sandbox.
• Support easier adoption of privacy-friendly online advertising: through the ICO’s review of PECR application to online advertising.
• Ensure meaningful control over tracking online, on apps and connected devices: through the ICO’s 1000 website cookie banner review, with design engagement with software companies that provide businesses with cookie banners and by developing guidance (to follow) on use of Internet of Things.
• Investigate compliance of the adtech ecosystem: focusing on data management platforms e.g. regarding validity of consent.
• Monitor and guide use of “consent or pay” models: providing guidance to assist in adoption.

The guidance on the use of storage and access technologies is available here, the ICO press release is available here and the online tracking strategy is available here.

Notably, the ICO's Guidance was published on the same day as the Italian supervisory authority (the Garante) issued its own guidance on the use of tracking pixels in email communications. The guidance addresses, among other things, transparency and disclosure requirements for organisations using tracking pixels, as well as the circumstances in which prior consent is required for their deployment. For further details on the Italian guidance and its implications for businesses, please see our blog post.