On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below.

Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK.

The actual updates to the ICO’s guidance are limited to making clarifications and do not fundamentally change the ICO’s approach. Three clarifications are worth calling out:

1. The ICO emphasises that controllers must assess whether information storage / access is “strictly necessary” from the user’s point of view. The ICO’s position is consistent with that of EU data protection authorities, that the strictly necessary exemption only applies to services the user has “explicitly requested.” This means that the necessity assessment must be from the user’s point of view rather than the organization’s. In practice, this would mean that an organization cannot argue, for example, that information storage / access is “strictly necessary” if it is necessary to ensure that the service is adequately funded.
2. The ICO expressly states that tracking pixels used for affiliate marketing require consent. The ICO has added an additional example of a situation where tracking pixels require consent in the context of affiliate marketing. Specifically, the guidance states that an affiliate marketer needs consent to use a pixel to track clicks on affiliate links and conversions (to attribute sales to those clicks). Requiring consent for these pixels is consistent with the ICO’s overall approach to the use of information storage / access technologies for ad measurement and attribution, but is a new express statement of its position in relation to affiliate marketing specifically.
3. The ICO states that certain exceptions from the consent requirement do not apply where information storage / access technologies are used for multiple purposes. The ICO has added a section to its guidance stating that organizations may not be able to rely on certain exemptions from the PECR consent requirement where information storage / access technologies are used for multiple purposes. In particular, it notes that certain exceptions, including the exception that applies where data collected using information storage / access technologies is anonymized and used for “statistical purposes,” applies where a storage / access technology is used for that “sole” purpose. The ICO therefore now states that “the exceptions only apply where the storage or access is carried out for that purpose, as opposed to any other purpose at the same time.” This may make it harder to rely on certain exceptions under PECR where an organization uses a single technology for multiple different purposes.