Written by: Haim Ravia, Dotan Hammer
The UK Information Commissioner’s Office (ICO) has announced the finalization of its updated guidance on storage and access technologies, signaling a new era of strict enforcement for digital privacy rules. The update comes alongside a complete overhaul of the enforcement regime governing the Privacy and Electronic Communications Regulations (PECR), granting the regulator powers equivalent to those under the UK GDPR.
The shift in enforcement strategy is a direct consequence of the Data (Use and Access) Act, which became law in June 2025. This legislation ensures that the PECR enforcement regime now aligns with the Data Protection Act 2018, allowing for more aggressive intervention in cases of corporate non-compliance. While the ICO maintains that formal action will remain a proportionate response, the regulator has confirmed that monetary penalties will be reserved for the most serious infringements of the rules.
A central pillar of the finalized guidance is the strict requirement for informed consent regarding cookies, pixels, and device fingerprinting. Organizations must now provide “clear and comprehensive information” about why they are accessing a user’s terminal equipment—including desktops, mobile phones, and IoT devices—and obtain prior consent that is freely given and specific. The guidance explicitly forbids “pre-enabling” non-exempt tracking technologies or relying on silence and inactivity as a form of agreement. Furthermore, any consent mechanism must make it just as easy for a user to refuse tracking as it is to accept it.
The ICO also clarified the narrow scope of exemptions to the consent rule. Technologies that are “strictly necessary” to provide a service requested by a user—such as remembering items in an online shopping basket—remain exempt. Exceptions for “statistical purposes” and “appearance” are also included to allow for service improvements and user preferences, but only if organizations provide users with a clear and simple means of objecting to the activity.
Click here to read the ICO’s new guidelines on cookies and tracking technologies.
