In a previous blog, we discussed the UK Information Commissioner’s Office (“ICO”) prioritizing online advertising and cookie banner compliance. Following consultations last Autumn, the ICO finalized its Guidance on the Use of Storage and Access Technologies in April 2026 and updated its Online Tracking Strategy. The ICO has held firm on its enforcement position: organizations must give users meaningful, informed, and easy choices about online tracking, and compliance expectations now extend beyond traditional cookies.
Expanded Scope: Not Just Cookies
The most important shift is definitional. The ICO’s April 2026 guidance emphasizes that the Privacy and Electronic Communications Regulations (“PECR”) applies not only to cookies, but also to a broader category of storage and access technologies (“SATs”), including:
- tracking pixels
- link decoration and navigational tracking
- web storage, including local storage
- device fingerprinting
- scripts and tags
This emphasis reflects the growing use of technological alternatives to cookies. The ICO’s position is straightforward: where a technology stores information on, or gains access to information stored in, a user’s device, it is potentially in scope under the PECR, regardless of how it is labeled or deployed. The Data (Use and Access) Act 2025 (“DUA Act”) also clarified that PECR can apply to the collection or monitoring of information automatically emitted by a user’s device.
Consent: Same Standard, New Exceptions
The legal standard for consent remains unchanged, but the ICO’s expectations around implementation have become more exacting. Consent must still be freely given, specific, informed, unambiguous, and signaled through a clear affirmative action. What is new is the level of operational detail the ICO now expects. Among other things, the guidance provides that consent mechanisms must:
- make refusal as easy as acceptance;
- generally offer granular choices by purpose where multiple purposes are involved;
- identify all third parties receiving data;
- function exactly as presented (i.e., no pre-consent firing or misleading design).
PECR now contains five exceptions to the consent requirement. Two are existing exceptions that have been retained:
- Communication: Where the storage or access is solely for transmitting a communication over an electronic communications network; and
- Strictly Necessary: Where the storage or access is strictly necessary to provide an online service requested by the user, such as maintaining a shopping basket, security, fraud prevention or authentication.
Three further exceptions were introduced by the DUA Act:
- Statistical Purposes: Where the storage or access is used solely to collect aggregate statistical information about visitors to improve the service;
- Appearance: Where the storage or access is used solely to adapt the appearance or functionality of a website to the user’s preferences; and
- Emergency Assistance: Where the storage or access is used solely to locate a user in response to a request for emergency assistance.
The new exceptions are narrow, purpose-bound and easy to misapply. The “appearance” exception, for example, is aimed at limited preference-based functionality, such as remembering display or accessibility settings. It is not a permission to personalize content based on a user’s inferred interests or behavior.
Similarly, the statistical purposes exception, which is the exception most relevant to analytics, may apply to aggregated statistical information used to improve an information society service, but it does not extend to user-level tracking or monitoring, advertising-related measurement or attribution, profiling or segmentation, or cross-site or cross-app tracking. Those activities will generally still require consent.
Organizations relying on the statistical purposes or appearance exceptions must still provide clear and comprehensive information and give users a simple means of objecting free of charge. These are not “do nothing” exceptions: they replace consent with transparency and opt-out obligations in limited circumstances.
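As an added illustration (not code from the original post, the ICO or any vendor), the following browser-side gate applies the consent mechanism requirements and the exception categories described above: nothing fires on the undecided default, consent is checked per purpose, refusal is a single call just like acceptance, exception-based tags honour a free objection, and an audit helper flags consent-only tags that ran before the choice was recorded. The registry entries, purpose names and the event log are constructed for the example.

```javascript
// Added example, not from the post: each SAT is registered with its purpose and
// the PECR basis it relies on ("consent" = no exception applies). Entries and
// purpose names are constructed for illustration.
const SAT_REGISTRY = {
  session_auth:   { basis: "strictly_necessary", purpose: "essential" },
  theme_pref:     { basis: "appearance",         purpose: "preferences" },
  site_stats:     { basis: "statistical",        purpose: "analytics" },
  ad_pixel:       { basis: "consent",            purpose: "advertising" },
  ua_fingerprint: { basis: "consent",            purpose: "advertising" },
};

// Granular state: every consent purpose starts undecided (null), never true.
// `objected` records purposes the user opted out of under an exception.
function newConsentState() {
  return { analytics: null, advertising: null, objected: new Set() };
}

// Refusal is one call, exactly like acceptance: both set every purpose.
function recordChoice(state, accepted) {
  for (const p of ["analytics", "advertising"]) state[p] = accepted;
  return state;
}

// Decide whether a registered SAT may run right now.
function mayRun(name, state) {
  const sat = SAT_REGISTRY[name];
  if (!sat) return false;                       // unregistered = unaudited, blocked
  switch (sat.basis) {
    case "strictly_necessary": return true;     // exception, no choice needed
    case "appearance":
    case "statistical":
      return !state.objected.has(sat.purpose);  // exception, but objection honoured
    case "consent":
      return state[sat.purpose] === true;       // only a positive choice releases it
    default: return false;
  }
}

// Audit check: from a log of {tag, ts} executions, list consent-only tags that
// ran before the user's choice was recorded at `decisionTs` (pre-consent firing).
function preConsentFirings(events, decisionTs) {
  return events
    .filter(e => (SAT_REGISTRY[e.tag] || {}).basis === "consent" && e.ts < decisionTs)
    .map(e => e.tag);
}
```

Running `preConsentFirings` over a tag manager's execution log during testing is one way to confirm that the banner "functions exactly as presented" before the ICO's own checks do.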
Why This Matters
The timing matters. The ICO has moved from guidance to active testing and intervention, including its recent review of the UK’s top 1,000 websites. By April 2026, 99% of those websites reportedly met the ICO’s cookie compliance checks in the most recent tests, but the ICO has indicated that it will continue periodic testing of the UK’s top websites and take action against remaining non-compliant organizations.
The risk profile has also changed. The DUA Act aligns the PECR enforcement regime more closely with the UK GDPR, increasing the maximum monetary penalty for PECR breaches to £17.5 million or 4% of annual worldwide turnover. Cookie and tracking compliance should therefore be treated as a board-level compliance issue, not simply a website housekeeping exercise.
Bottom Line and Practical Steps
The ICO’s 2026 updates confirm a clear trajectory: compliance expectations are expanding, not easing. The shift from “cookie compliance” to “tracking compliance” reflects how modern data ecosystems function, and how, by addressing a wider range of SATs, UK regulators are catching up.
In light of these developments, organizations should consider:
- Conducting a full audit of all SATs, not just cookies
- Mapping which SATs require consent, and which may fall within a PECR exception
- Rebuilding consent mechanisms to meet ICO UX expectations
- Reassessing analytics practices against the narrow statistical purposes exception
- Mapping third-party data flows and updating disclosures