The ICO has issued a consultation on draft updated guidance on storage and access technologies.
Previous forms of this guidance have been labelled as guidance on the use of 'cookies and similar technologies', but it seems from the title of this updated guidance that the ICO may be shifting to a (slightly) more technical approach to examining compliance with so-called 'cookie consent' requirements contained in the Privacy and Electronic Communications Regulations 2003 (PECR), as it looks to emphasise that the law technically applies to any technology (not just 'cookies') that stores information, or accesses information stored, on a subscriber or user's 'terminal equipment'.
Unlike recently updated EDPB guidance in this area, the updated guidance covers a broad range of topics and is not limited to consideration of the technical scope of PECR, i.e. what technologies are caught by PECR's consent requirements (when will a technology involve 'storage or access'?). Amongst other hot topics, the guidance also includes interesting commentary on using technologies for analytics and online advertising purposes.
However, as the technical scope of PECR is a fundamental question, the ICO has updated its guidance on this point. Unsurprisingly, technologies such as cookies, tracking pixels, scripts and tags, and fingerprinting techniques are caught, but the updated guidance now makes clear that 'link decoration and navigational tracking' (adding extra information to the URL in a link that someone clicks on, often for advertising measurement purposes) is caught because "the browser loads the requested resource".
The upshot is that the ICO – like the EDPB – seems to take a broad view of when a technology will involve storage or access. If you think the technology you're assessing might involve access or storage – it probably does.
And, as to exemptions, no doubt many will be wondering if the ICO is willing to treat analytics (and possibly some non-intrusive online advertising technologies, such as those used to measure the effectiveness of advertising campaigns or to frequency cap the number of times an ad is shown to a user) as exempt. If not exempt, might the ICO take a relaxed approach to enforcement? After all, the current guidance says that analytics technologies are "unlikely" to be a "priority for any formal action" by the ICO, provided there is a low level of intrusiveness.
However, any hopes will be dashed as the ICO says:
- Organisations must obtain consent for all analytics purposes, as these technologies cannot be considered strictly necessary for the provision of the service, including tracking of users based on their IP address.
- Online advertising purposes, including any advertising-related purpose, including ad measurement and frequency capping, are not exempt.
The ICO also sets out clear expectations for consent management platforms (CMPs) and consent banners. Unsurprisingly, the ICO expects there to be a 'reject all' option upfront, and the ICO also expects organisations to offer granular options for different purposes (types of technology, e.g. analytics, advertising, etc.), amongst other requirements.
Unfortunately the new guidance does not expand on the ICO's views on whether 'consent or pay' models (consent or pay to use the service) are compliant – the ICO says specific guidance will follow early this year – but the ICO does make clear that 'cookie walls' (consent or do not access the service / the 'take it or leave it' approach) are likely to be non-compliant because users do not have a genuine free choice.
So, it is clear that the ICO will take a narrow view of the exemptions that may apply, at least from a technical perspective, and the bar is set high for obtaining valid consent.
Whether the ICO may in practice take a more relaxed approach for some non-intrusive uses of these technologies without consent remains to be seen. The new guidance does not contain any express statements from the ICO on this (unlike the current guidance, as referred to above), but the end of the new guidance does (somewhat reassuringly) indicate, in line with the ICO's Regulatory Action Policy, that the level of intrusiveness will be a factor where the ICO considers formal enforcement action, and the ICO expressly says that monetary penalties will be reserved for the most serious infringements of PECR.
The consultation runs until 14 March 2025 – if you're thinking of responding or want to discuss the potential implications of this guidance, please get in touch.