On 29 April 2026 — six days ago — the Information Commissioner's Office published its finalised guidance on Storage and Access Technologies. This is the most significant update to UK cookie law in over a decade, and it arrives at a moment when the compliance landscape for UK organisations has been fundamentally reshaped by the Data (Use and Access) Act 2025.

The timing matters. The guidance has been in draft since December 2024, has gone through two full consultation rounds, and now reflects both the ICO's settled regulatory position and the legislative changes introduced by the DUAA. For organisations that have been waiting for final guidance before updating their cookie compliance programmes, the waiting is over.

What the finalised guidance covers

The guidance replaces the ICO's previous detailed cookies guidance and broadens its scope significantly. It now covers all storage and access technologies — not just cookies — including tracking pixels, device fingerprinting, web storage, and tag-based scripts. The ICO's position is that the legal framework applies to the technology's function, not its name, and that organisations cannot avoid PECR obligations by using technologies that perform the same function as cookies while technically not being cookies.

The guidance applies to any organisation that provides online services accessed by people in the UK, whether or not the organisation is based in the UK. This extraterritorial reach — consistent with the UK GDPR's equivalent provisions — means that non-UK organisations with UK users are within scope.

The new consent exemptions under the DUAA

The most immediately practical change for most organisations is the introduction of five new categories of storage and access technologies that are now exempt from the consent requirement under PECR, introduced by the DUAA and effective from 5 February 2026.

The five exempt categories cover technologies used: for the transmission of a communication; to provide a service the user has requested; to collect statistical information about visitors for the purpose of improving the service; to improve or adapt the appearance of the service to a user's preference; and to identify a user who requires emergency assistance.

The practical significance — particularly of the statistical and preference categories — should not be overstated. The ICO's guidance is clear that these exemptions are purpose-limited in a strict sense. Analytics cookies that also feed into advertising targeting do not qualify for the statistical exemption. Preference cookies that also inform personalised advertising do not qualify for the preference exemption. The exemption applies only where the technology is used solely for the specified exempt purpose — any secondary use that falls outside the exemption requires consent.

The new consent exemptions are narrower than they appear. Purpose limitation is the key test. Mixed-use technologies — analytics that also serve advertising, preferences that also inform targeting — still require consent for the non-exempt element.

The ICO has added two new sub-chapters to the guidance specifically addressing questions that arose frequently in the consultation: what a "simple means of objecting" requires in practice, and whether the same technology can be used for multiple purposes simultaneously. The answers to both questions are operationally significant and should be read carefully by any organisation relying on these exemptions.

The penalty increase: a 35-fold change

The DUAA has aligned PECR penalties with UK GDPR levels. The previous maximum PECR fine was £500,000. From 5 February 2026, the maximum is £17.5 million or 4% of global annual turnover — whichever is higher.

This 35-fold increase in maximum penalty transforms the risk calculus for cookie compliance. What was previously a second-tier compliance obligation — serious but not existential — now carries the same financial exposure as a significant UK GDPR breach. For a mid-size organisation with global turnover of £500 million, a 4% penalty is £20 million, which exceeds the £17.5 million fixed figure and so becomes the applicable maximum. The practical consequence is that cookie compliance must be treated with the same board-level attention as data protection compliance generally.

The ICO has been explicit that its enforcement approach will reflect the new penalty levels. The finalised guidance notes that the ICO is actively monitoring the top one thousand UK websites for compliance and that investigations following the new guidance will be assessed against the new penalty framework.

The expanded scope: "instigation"

The DUAA has also expanded the scope of who is subject to PECR obligations beyond the organisation that directly sets or accesses cookies. The regime now covers organisations that "instigate" the storage of or access to information on terminal equipment.

The practical implication is significant for the adtech ecosystem. An advertiser whose advertising scripts result in third-party cookies being set on a publisher's website may now be within scope of PECR even if it does not itself set those cookies. Publishers who carry third-party advertising scripts that set cookies are within scope as the direct setter. The expanded instigation concept catches those further up the chain who cause the setting to occur.

For organisations that have taken a narrow view of their PECR exposure — "we don't set cookies, our ad partners do" — the DUAA and the finalised guidance require a reassessment of that position.

What remains unresolved: low-risk advertising cookies

The finalised guidance explicitly notes that it "sits separately from our ongoing work to review regulation 6 of PECR for online advertising purposes, on which further updates will follow in the coming weeks." This refers to the ICO's proposed enforcement relaxation for certain low-risk advertising cookies — a proposal that, if finalised, would allow publishers to set some advertising cookies without consent where the privacy risk is assessed as low.

This remains a proposal, not current law. The precise scope of any enforcement relaxation has not yet been determined. Organisations that are planning compliance programmes on the assumption that low-risk advertising cookies will be exempt from consent requirements are getting ahead of the regulatory position. Until the ICO publishes its final position on this question, the current consent requirements remain in force for advertising cookies.

The international dimension also creates a complication. Even if the ICO relaxes enforcement for certain advertising cookies in the UK, the EU's ePrivacy Directive (the proposed ePrivacy Regulation that would have replaced it was withdrawn by the European Commission in 2025, leaving the Directive in force) is not moving in the same direction. Organisations operating across UK and EU markets will face divergent cookie requirements. Compliance programmes designed around the UK's more permissive approach will not be sufficient for EU-facing operations.

The complaints handling requirement: June 2026 deadline

A separate but practically important DUAA requirement comes into force in June 2026: organisations must have a formal data protection complaints procedure in place. This is not a vague obligation — it requires documented processes, assigned responsibilities, defined response timescales, and an audit trail of how complaints are received and handled.

For organisations that currently handle data protection complaints informally — through a shared inbox or a general customer service function — the June 2026 deadline requires formalisation. The ICO has indicated that complaints handling procedures will be assessed in the context of investigations, and that inadequate procedures will be a relevant factor in penalty determinations.

What to do now

Commission a full cookie and technology audit. Map all storage and access technologies in use across your digital estate — not just cookies set by your own code, but all third-party scripts, pixels, and tags loaded by your pages. Assess each against the new exemption categories and identify which require consent that is not currently being obtained.

Review consent mechanisms for the higher penalty environment. Cookie banners designed to satisfy a £500,000 maximum penalty regime may not be adequate for a £17.5 million regime. In particular, review whether your consent mechanism genuinely satisfies the "freely given" requirement — cookie walls that deny access to users who refuse consent are explicitly addressed in the guidance and are unlikely to satisfy the standard.

Assess the instigation risk in your advertising and marketing technology stack. If your organisation relies on third-party ad scripts, review whether those scripts are setting cookies and whether your existing consent framework covers the cookies set by those scripts.
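The audit and instigation checks above can be operationalised. The following Python sketch is an added example, not part of the ICO guidance or of this article: it takes a constructed capture of the Set-Cookie headers observed while loading a page, classifies each cookie as first- or third-party by the setting host, applies the "solely for an exempt purpose" test described above to the purposes declared for each cookie, and flags cookies that require consent the current banner does not cover. The hostnames, cookie names, purpose register and consent record are all constructed for illustration, and the exempt-purpose labels are shorthand for the five categories listed earlier, not ICO terminology.

```python
"""Added example: cookie inventory and consent-gap check from observed Set-Cookie headers.

Assumptions (not from the ICO guidance): a technology is exempt only when every
declared purpose falls inside the exempt set; undeclared purposes fail closed; a
consent record covers a cookie only when it lists that exact (host, name) pair.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Shorthand labels for the five exempt categories named in the article.
EXEMPT_PURPOSES = frozenset(
    {"transmission", "requested_service", "statistics", "preferences", "emergency"}
)

# Constructed sample traffic: (response URL, Set-Cookie headers) seen while loading
# https://www.example.co.uk/. Not real captures.
OBSERVED_RESPONSES = [
    ("https://www.example.co.uk/",
     ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://stats.example.co.uk/collect",
     ["_visits=7; Domain=.example.co.uk; Max-Age=31536000"]),
    ("https://ads.adnetwork-example.net/pixel.gif",
     ["uid=9f8e; Domain=.adnetwork-example.net; Max-Age=34128000; SameSite=None; Secure"]),
]

# Constructed purpose register keyed by (setting host, cookie name). A first-party
# analytics cookie that also feeds advertising is the mixed-use case from the text.
DECLARED_PURPOSES = {
    ("www.example.co.uk", "sessionid"): frozenset({"requested_service"}),
    ("example.co.uk", "_visits"): frozenset({"statistics", "advertising"}),
    ("adnetwork-example.net", "uid"): frozenset({"advertising"}),
}

# Constructed record of what the current consent banner actually asks for.
CONSENTED = {("adnetwork-example.net", "uid")}


@dataclass(frozen=True)
class CookieObs:
    name: str
    host: str        # host the cookie is scoped to (Domain attribute if present)
    source_url: str  # response that set it


def parse_set_cookie(header: str, response_url: str) -> CookieObs:
    """Extract the cookie name and effective host from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    host = urlsplit(response_url).hostname or ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value:
            host = value.strip().lstrip(".").lower()
    return CookieObs(name, host, response_url)


def site(host: str) -> str:
    """Crude registrable-domain guess (last two labels, three for co.uk-style).
    A real audit should use a Public Suffix List lookup instead."""
    labels = host.lower().split(".")
    second_level = {"co", "org", "gov", "ac", "net"}
    n = 3 if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2 else 2
    return ".".join(labels[-n:])


def needs_consent(purposes) -> bool:
    """Exempt only when used solely for exempt purposes; undeclared purposes fail closed."""
    return not purposes or not set(purposes) <= EXEMPT_PURPOSES


def audit(page_url, responses, declared, consented):
    """Return one finding per observed cookie with party, purposes and consent status."""
    page_site = site(urlsplit(page_url).hostname or "")
    findings = []
    for url, headers in responses:
        for header in headers:
            c = parse_set_cookie(header, url)
            purposes = declared.get((c.host, c.name), frozenset())
            required = needs_consent(purposes)
            findings.append({
                "cookie": c.name,
                "host": c.host,
                "third_party": site(c.host) != page_site,
                "purposes": sorted(purposes),
                "consent_required": required,
                "consent_gap": required and (c.host, c.name) not in consented,
            })
    return findings


def consent_gaps(page_url, responses, declared, consented):
    """Cookies that need consent the banner does not currently obtain."""
    return [f for f in audit(page_url, responses, declared, consented) if f["consent_gap"]]


if __name__ == "__main__":
    for f in audit("https://www.example.co.uk/", OBSERVED_RESPONSES, DECLARED_PURPOSES, CONSENTED):
        print(f)
```

Run against the constructed data, the first-party `_visits` cookie is the interesting result: it is set by the site's own domain, yet its mixed statistics-plus-advertising purposes put it outside the statistical exemption, and it is the one cookie the banner does not cover. The third-party `uid` cookie set via the ad network's pixel is the instigation case, in scope regardless of who wrote the pixel. Inspecting response headers alone misses cookies written client-side through `document.cookie`, web storage and fingerprinting scripts, all of which the guidance also covers, so a real audit drives a browser and records those as well.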

Establish your complaints procedure before June 2026. Document the process, assign responsibility, define response timescales, and create an audit trail mechanism. Do not treat this as a paper exercise — the ICO will assess whether procedures are operationally effective, not just documented.

Monitor ICO updates on the low-risk advertising cookie question. The ICO has indicated that further guidance will follow in the coming weeks. Until that guidance is published, continue applying the current consent requirements to advertising cookies.

The 29 April guidance marks the end of a consultation process that began with the December 2024 draft and the beginning of a new enforcement environment. Organisations that have been treating cookie compliance as a low-priority tickbox exercise are operating in a different regulatory reality than the one that now exists. The ICO has the tools, the penalty levels, and the stated intention to enforce. The question for compliance teams is not whether to act, but how quickly.