UK ICO finalizes tracking technologies guidance to focus enforcement on advertising-related cookies

The UK Information Commissioner's Office published its finalized guidance on “storage and access technologies” (SATs) for websites and apps on April 29, 2026, alongside an update to the regulator's online tracking strategy.
- The guidance replaces the old "cookies guidance" and now expressly covers cookies, tracking pixels, device fingerprinting, web storage, scripts, tags, and link decoration
- Five new consent exceptions under the Data (Use and Access) Act's (DUAA) Schedule A1 to PECR recently took effect
- New DUAA penalties of up to £17.5 million or 4% of global turnover under Regulation 6 of PECR have applied since February
What changed?
First, the ICO dropped its cookies-focused vocabulary.
Regulation 6 of PECR was always technology-neutral, but many have treated it as a cookies regime. The rebranding reflects how modern tracking actually works: pixels, scripts, fingerprinting, and link decoration all fall squarely in scope.
The substantive change is the new chapter on consent exceptions.
Five categories of storage or access can now be carried out without consent. Of these, the analytics exception is the one most organizations will focus on.
How narrow is the analytics exception?
Very narrow. The “statistical purposes” exception is real, but the ICO's interpretation is strict.
First-party analytics used purely to understand how visitors interact with a service, and purely to improve that service, can be deployed without consent. But:
- The data collected must be used for that sole purpose, with no permitted secondary use (such as feeding data to advertising, profiling individuals, building cross-site or cross-device profiles)
- The output must be aggregate statistical information that cannot identify individuals
- If an analytics provider is involved, that provider must be a processor (not a joint controller), must only use the data to improve your service, and must not link it to data from other sources.
Even where the exception applies, organizations must still provide clear information about the technology and offer a simple means of objecting.
What about multipurpose tags?
The ICO is clear: if you rely on an exception for one purpose and need consent for another, you cannot collapse them into a single deployment and call it exempt.
Either separate the technologies or get consent for everything.
What should privacy teams do?
- Identify every tag, pixel, SDK, and tracker on your site.
- Map each one to a single, specific purpose.
- Check whether that purpose maps cleanly to one of the five exceptions.
- Confirm that you have technical measures in place to enforce purpose limitation.
Anything that touches advertising or profiling still requires consent.
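One way to turn the mapping exercise above into an enforceable technical control, as an added example that is not the ICO's guidance text or Privado's code: a purpose-gated loader that decides, per tag and per visitor consent state, whether a tag may fire. The exception names, tag fields and the tag inventory are constructed for illustration.

```javascript
// Added example (not the ICO's or Privado's code). Each tag in the inventory declares
// its purpose(s). "statistical" (first-party analytics, provider acting only as a
// processor) may fire without consent but must honour an objection; every other
// purpose needs consent; a multipurpose tag fires only if consent covers ALL of its
// purposes. Exception names and tag fields are assumptions for illustration.
const CONSENT_FREE = new Set(["strictly_necessary", "statistical"]);

function decideTag(tag, state) {
  // tag:   { id, purposes: string[], providerRole: "self" | "processor" | "joint_controller" }
  // state: { consented: Set<string>, objected: Set<string> }
  if (!Array.isArray(tag.purposes) || tag.purposes.length === 0) {
    return { fire: false, reason: "tag has no declared purpose" };
  }
  if (tag.purposes.length > 1) {
    // An exception for one purpose cannot be stretched to cover the others.
    const allConsented = tag.purposes.every((p) => state.consented.has(p));
    return allConsented
      ? { fire: true, reason: "consent covers every declared purpose" }
      : { fire: false, reason: "multipurpose tag: split it or obtain consent for all purposes" };
  }
  const purpose = tag.purposes[0];
  if (state.consented.has(purpose)) return { fire: true, reason: `consent given for ${purpose}` };
  if (purpose === "statistical") {
    if (tag.providerRole === "joint_controller") {
      return { fire: false, reason: "analytics provider must act as a processor" };
    }
    if (state.objected.has("statistical")) return { fire: false, reason: "user objected" };
    return { fire: true, reason: "statistical exception, no consent needed" };
  }
  if (CONSENT_FREE.has(purpose)) return { fire: true, reason: `${purpose} exception` };
  return { fire: false, reason: `consent required for ${purpose}` };
}

// Constructed tag inventory for the demo (not real vendors or identifiers).
const INVENTORY = [
  { id: "session-cookie", purposes: ["strictly_necessary"], providerRole: "self" },
  { id: "site-analytics", purposes: ["statistical"], providerRole: "processor" },
  { id: "analytics-shared", purposes: ["statistical"], providerRole: "joint_controller" },
  { id: "ad-pixel", purposes: ["advertising"], providerRole: "joint_controller" },
  { id: "combo-tag", purposes: ["statistical", "advertising"], providerRole: "processor" },
];

// Returns the ids of the tags that may fire for a given consent state.
function tagsAllowed(inventory, state) {
  return inventory.filter((t) => decideTag(t, state).fire).map((t) => t.id);
}

// A visitor who has made no choice in the consent banner yet.
const noChoice = { consented: new Set(), objected: new Set() };
console.log(tagsAllowed(INVENTORY, noChoice)); // → [ 'session-cookie', 'site-analytics' ]
```

Run the same inventory through a state where the visitor has objected to analytics, and only the strictly necessary cookie survives, which is the objection mechanism the exception requires.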
Key takeaways
- Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
- Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
- Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data
Reduce your privacy enforcement risk with Privado AI solutions that continuously monitor privacy compliance on websites and apps, where companies have the most risk. Web Auditor and App Auditor are the most comprehensive solutions to verify in real-time that your websites, apps, and CMP are compliant with all applicable privacy requirements for each location, including your privacy policies.