May 11, 2026
The Information Commissioner’s Office (ICO) has published its final guidance on storage and access technologies, setting out how organisations can comply with the Privacy and Electronic Communications Regulations (PECR) and, where relevant, the UK GDPR.
Storage and access technologies are those that store information (or gain access to information stored) on a user or subscriber’s ‘terminal equipment’, such as web browsers, mobile apps, and connected devices. They include, for example, cookies, tracking pixels, device fingerprinting, and scripts or tags.
The PECR are clear that, subject to limited exceptions, organisations must not deploy storage and access technologies unless they (1) tell subscribers or users what the technologies are; (2) explain what they do; and (3) obtain prior consent for their use.
The guidance expands on what this means in practice, setting out, for example, what constitutes ‘clear and comprehensive’ information that must be provided to users about the purposes for which the technologies are used, and providing practical advice on how to design mechanisms to ensure that consent is properly obtained to the requisite UK GDPR standard.
The ICO also discusses in detail the five exceptions to the general rule that consent must be obtained, focusing particularly on the following three:
- The ‘Strictly Necessary’ Exception
This applies when the purpose of storage or access is essential to provide the service that the subscriber or user requests, or where it is the only reasonable and proportionate way to comply with the requirements of other legislation. As the ICO explains, what is ‘strictly necessary’ should be assessed from the perspective of the user, and if the technology is used for any other purpose beyond what is claimed to be strictly necessary, consent must be obtained.
The guidance provides helpful examples of where the exception will not apply (such as for advertising purposes), as well as those activities which are likely to fall within its scope, including: (a) ensuring the security of terminal equipment; (b) preventing or detecting fraud; (c) preventing or detecting technical faults; (d) authenticating the subscriber or user; and (e) recording information or selections made by the user on an online service.
- The ‘Statistical Purposes’ Exception
Here, consent is not necessary if the sole purpose of the technology is to collect information for statistical purposes about the use of the service, such as how many people access it, and for how long. Crucially, the guidance points out that the exception is about gathering information about how the service is used, not who uses it, such that it won’t apply to identifying, tracking or monitoring those who use the service. It also reminds organisations that where personal data is collected, they must comply with the UK GDPR, and ensure that information resulting from the storage or access is aggregate statistical information that cannot be used to identify people.
- The ‘Appearance’ Exception
This exception applies when the sole purpose of the storage and access is either to (a) adapt the way the service appears or functions in line with the user’s preferences, or (b) otherwise enhance the appearance or functionality of a website when displayed on a user’s device.
The ICO makes clear that this exception is “not about adapting the content to display to a user on your service based on known or inferred interests or behaviours about them”, but rather concerns matters such as identifying screen size, or language and display preferences. It will also only apply so long as the user or subscriber is provided with clear and comprehensive information about the purpose of the technology, and with ‘simple and free’ means to object.
In addition to expanding upon these exceptions and setting out helpful practical tips to ensure that organisations comply with the PECR Rules, the guidance also includes the following flowchart explaining the interplay between the UK GDPR and the PECR, making clear that organisations must consider their compliance with the PECR Rules before moving on to look at the UK GDPR:

To read the guidance in full, click here.