Clifford Chance

Talking Tech

UK ICO's updated guidance for new exceptions to cookie consents: under consultation

Data Privacy 12 September 2025

The UK Information Commissioner's Office (ICO) has several draft guidance documents open for consultation in September 2025. We've written a series of short overviews of some of this draft guidance – our overview page can be used to navigate to other summaries: Draft ICO guidance and consultations: September update.

Some of this guidance, alongside other guidance that is anticipated in the ICO's pipeline, will form an important part of understanding how to apply the Data Use and Access Act 2025 (DUA Act). (See also our briefing: UK Data Reform: What you need to know about the Data (Use and Access) Act.)

This article relates to a new chapter within the draft updated Guidance on Storage and Access Technologies (previously known as the 'cookie guidance'). The consultation on this draft guidance closes on 26 September 2025 and responses can be submitted here.

Overview

The ICO has made a number of changes to its guidance on storage and access technologies, including adding a new chapter called "What are the exceptions?" which reflects the DUA Act's introduction of new exceptions under the Privacy and Electronic Communications Regulations (PECR) for certain low-risk cookies.

Under PECR, consent is required for the storage of, or access to, information within terminal equipment (e.g., phones, browsers) via cookies or other similar technologies, with very limited exceptions. Pursuant to s.112 of the DUA Act, consent will not be required for storage or access for the following purposes:

  • statistical purposes – gathering information about how a website or digital service is used in order to make improvements to the website or service;
  • adapting the appearance or function of a service in line with the user's preferences, or of a website when displayed on the user's device – e.g., authenticating a repeat user of a digital service or repeat visitor to a website and/or maintaining a record of settings or preferences that such user has set;
  • strictly necessary for provision of a service requested by the user – e.g., preventing or detecting fraud in connection with, or technical faults when providing, the service, or automatically authenticating the identity of the user; 
  • emergency assistance – to find the geolocation of the user of a device to provide emergency assistance to the individual.

The draft new chapter in the ICO guidance includes examples of activities that are likely to meet the new exceptions and highlights the conditions that need to be met in order to rely on the exemption (e.g., in some cases individuals must be provided with certain information and be offered an opt-out).

This consultation is running in parallel with a call for views that the ICO recently closed in relation to its approach to regulating online advertising, which formed part of the ICO's exploration of whether a risk-based approach to enforcing PECR could allow publishers to deliver online advertising to users who have not granted consent, where there is a low risk to their privacy. The opinions that were received in the call for views may inform the ICO's input into secondary legislation that the Secretary of State is empowered under the DUA Act to introduce to amend the PECR rules to create new exceptions to consent requirements. The ICO plans to publish a statement in early 2026 regarding the advertising activities that are unlikely to trigger enforcement action under the PECR, believing this will "enable new approaches to online advertising to scale-up".

Key takeaways

Organisations that are subject to UK data protection law should:

  • Consider whether they use (or would like to use) the types of storage and access technologies that will no longer require consent under PECR and, if so, whether to stop requesting consent for these. Remember that consent requirements differ under the EU's e-Privacy Directive, which could complicate consent mechanisms for organisations that are subject to both the EU and UK laws.
  • Consider whether to respond to the consultation (which closes on 26 September 2025). 
  • Monitor the DUA Act commencement regulations as they are made, to understand when these consent exceptions will become applicable.
  • Monitor the ICO's website for the final version of this guidance and for the anticipated ICO statement regarding its approach to enforcement in relation to certain advertising activities. The degree to which to rely on any statements in this regard will require strategic discussions within an organisation, in particular given that the DUA Act is set to introduce GDPR-level fines for PECR.