Changes to the rules governing the use of cookies and similar technologies came into force on 5 February 2026.
While the new legal requirements have been in effect for some months, the Information Commissioner's Office (ICO) has now published detailed guidance on storage and access technologies, providing much needed clarity on how to apply the rules in practice. This guidance will be of particular interest to businesses that run websites or apps, as well as to web and app developers, as it sets out the ICO’s expectations on compliance and enforcement.
What has changed?
The Data (Use and Access) Act 2025 (DUAA) introduces several changes aimed at streamlining data protection laws to make compliance easier while maintaining robust privacy standards. Many of these changes came into force on 5 February 2026, including changes to rules governing the use of storage and access technologies (which includes cookies).
Regulation 6 (and Schedule A1) of the Privacy and Electronic Communications Regulations 2003 (PECR) provides that organisations must not store or access information in the terminal equipment (such as a laptop or mobile device) of a user unless they tell users about the purpose of the storage and access and the user provides consent.
Before the DUAA changes came into force, only the following exceptions to that rule applied:
- Communication: Where the sole purpose of the storage or access is for the transmission of a communication
- Strictly necessary: Note that the exception only applies to 'information society services' (ISS) which are services delivered over the internet, for example the supply of goods online or an online service. Businesses need to check the relevant service is an ISS to benefit from the exception.
DUAA has made changes to PECR to introduce three new exceptions where consent for certain low-risk cookies is not required:
- Statistical: This exception only applies if the business is an ISS provider by means of a website
- Website appearance: Where the sole purpose of the storage or access is to remember viewing preferences. This exception only applies if the business is an ISS provider by means of a website
- Emergency assistance: Where the sole purpose of the storage or access is to ascertain user locations with a view to providing emergency assistance.
For the statistical and website appearance exceptions, PECR provides that the user must be given a simple and free of charge means of objecting to the storage and access.
These new grounds may encourage businesses to review their use of storage and access technologies and cookie banners to make sure they are compliant with the updated PECR and ICO guidance.
What guidance has the ICO issued?
The ICO has published updated guidance on storage and access technologies (this guidance was previously known as the 'detailed cookies guidance'). The updated guidance reflects the changes introduced by DUAA as well as the outcome of two consultations on the topic of cookies and the new exceptions. The press release which accompanied the guidance acknowledges that online service providers need regulatory certainty so they can innovate responsibly.
So what did the consultations about the updates to the storage and access technologies guidance reveal? According to the ICO's summary, there were 70 responses across the two consultations. Respondents to the consultation said the ICO's guidance would benefit from more examples showing how storage and access technologies are used in practice. They asked for more developed examples on tracking pixels and how they work in an affiliate marketing context. They also asked for more clarity on when the strictly necessary exception applies and more detail about managing consent.
The guidance is separate to the ICO's review of the PECR regulation 6 consent requirements, concerning the use of storage and access technologies for online advertising purposes. The ICO has recently published its findings as advice to government.
What new themes does the guidance cover?
The updated guidance incorporates feedback from the two rounds of consultation and includes the following key updates:
- New exceptions: New detailed guidance on the three new exceptions with non-exhaustive examples of activities that are likely to meet each exception and two practical case studies for the statistical purposes exception
- How to object: The statistical and website appearance exceptions say that users must be given a means of objecting to the storage or access. The updated guidance contains a new sub-chapter covering this topic. It says that PECR does not define what is meant by a simple means of objecting and notes that this could be provided through the existing consent mechanism. The practical answer here is for businesses to have their statistical and website appearance toggles defaulted to on but with an ability for users to switch them off at any time. Where someone does object, businesses must stop storing or accessing information on their device
- Multiple purposes: The guidance explains that the five exceptions are purpose specific. You don't need to get consent if all the purposes, for which you are storing or accessing information on a user's device, meet the same exception. The new statistical, website appearance and emergency assistance exceptions only apply where the storage and access is for the 'sole purpose' detailed in the relevant exception. The guidance explains that in practice it might be easier to achieve PECR compliance by using a separate storage and access technology for each purpose
- Tracking pixels: An explanation of what they are and two examples of when regulation 6 applies to the use of this technology. Tracking pixels are caught by regulation 6 when they store information, or gain access to information stored, on a user's device
- Strictly necessary: The guidance has been expanded to explain that the strictly necessary exception must be assessed from the user’s perspective. What is considered 'strictly necessary' will inherently depend on that perspective
- Refreshing consent: The ICO recommends six months in general terms as a sensible interval for requesting user consent for storage and access technologies again, especially where the user previously declined consent. However, PECR and UK GDPR do not set time limits on consent and you may need to refresh consent more frequently if there are changes to the purposes or activities. The updated guidance explains the need to balance repeated consent requests with making sure user choices are up to date
- More case studies: The updated guidance includes more examples showing how storage and access technologies are used in practice. This includes an illustration of the circumstances in which a smart watch with fall detection functionality may fall within the new emergency assistance exception.
Why is it more important than ever to get cookies compliance right?
DUAA has brought enforcement powers under PECR, including fines, in line with UK GDPR. This is a significant change. Previously PECR fines were limited to a maximum of £500,000. Now, however, they are subject to a maximum of £17,500,000 or 4% of an undertaking's total worldwide annual turnover, whichever is higher.
We also know that enforcement of cookies usage is a priority for the ICO. During 2025 the ICO rolled out an online tracking strategy which included a review of cookies usage to make sure the UK's top 1,000 websites are compliant with data protection law. The ICO's latest press release makes it clear that its work and interventions in this space will continue.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.