Privacy & Cybersecurity Law Blog

On April 29, 2026, the UK Information Commissioner’s Office (“ICO”) published the final updated version of its guidance on storage and access technologies such as cookies, pixels and similar technologies (“Technologies”). The guidance takes into consideration the requirements of the Privacy and Electronic Communications Regulations, the UK General Data Protection Regulation (“UK GDPR”) and the latest changes introduced by the Data (Use and Access) Act 2025 (“DUAA”).  

The guidance sets out the key obligations for organizations when using Technologies, such as when and how to procure consent, and what information individuals must be provided about the use of Technologies. Much of this information was in the ICO’s previous guidance, but the new guidance has introduced further detail on certain points and included new examples. Notably, the new guidance discusses the changes introduced by the DUAA, i.e., the new exceptions to the requirement to obtain consent for the use of Technologies. The two key exceptions are: (1) the “statistical purposes” exception; and (2) the “appearance” exception.

The “Statistical Purposes” Exception

Under this exception, an organization is not required to procure consent to store or access information using Technologies if the sole purpose of the storage or access is to enable the organization to collect information for statistical purposes: (1) about how a service is used, with a view to making improvements to the service, or (2) about how a website by means of which the service is provided is used, with a view to making improvements to the website. To rely on this exception, an organization must still provide information regarding the purposes for which Technologies are used and a “simple and free” means to object to their use.

According to the ICO, this exception is about the creation of aggregate statistical information about visitors to a service and the use of this information to improve the service, i.e., “essentially for analytics purposes.” The ICO caveats this by confirming the exception does not cover all analytics – it is about how the service is used and not about who uses the service. The ICO acknowledges that such activity may involve the processing of personal data, and in such instances, the organization must comply with the UK GDPR and then aggregate the data. The ICO has prepared a table of non-exhaustive examples of activities that are likely to meet the exception, such as total visits to a service, user interactions with pages on a website and how users reached a service. 

With regard to third-party analytics, the law states that the information collected by Technologies should not be shared with a third party “except for the purpose of enabling that other person to assist with making improvements to the service or website.” The ICO has interpreted this as meaning a third-party analytics provider can be used by an organization subject to: (1) the provider acting on behalf of the organization (i.e., as a processor); and (2) the information only being used to help the organization improve its service.

The “Appearance” Exception

Under this exception, an organization is not required to procure consent to store or access information using Technologies if the sole purpose of the storage or access is to enable the organization to: (1) adapt the way the organization’s service appears or functions in line with the subscriber’s or user’s preference; or (2) otherwise enhance the appearance or functionality of the website when displayed on, or accessed by, the subscriber’s or user’s device. As with the above, to rely on this exception an organization must still provide information regarding the purposes for using Technologies and a “simple and free” means to object.

The ICO highlights that this exception is not about adapting the content to display to a user on a service based on any known or inferred interests. The ICO has prepared a table of non-exhaustive examples of activities that are likely to meet the exception, such as identifying the dimensions of a subscriber’s or user’s monitor or screen to enable reconfiguration of a website to adapt to the monitor or screen and remembering the language the subscriber or user selects.

The ICO also confirmed that it is in the process of updating its guidance relating to online advertising, with updates to follow in the coming weeks.

Read the press release and guidance.