惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
量子位
腾讯CDC
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
云风的 BLOG
云风的 BLOG
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LangChain Blog
aimingoo的专栏
aimingoo的专栏
The Hacker News
The Hacker News
T
The Exploit Database - CXSecurity.com
B
Blog
S
SegmentFault 最新的问题
P
Privacy & Cybersecurity Law Blog
T
Threatpost
博客园 - 聂微东
T
Tailwind CSS Blog
The Last Watchdog
The Last Watchdog
C
Check Point Blog
N
Netflix TechBlog - Medium
D
DataBreaches.Net
爱范儿
爱范儿
IT之家
IT之家
S
Secure Thoughts
M
MIT News - Artificial intelligence
NISL@THU
NISL@THU
C
Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
有赞技术团队
有赞技术团队
A
Arctic Wolf
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
P
Proofpoint News Feed
Spread Privacy
Spread Privacy
Schneier on Security
Schneier on Security
Simon Willison's Weblog
Simon Willison's Weblog
G
GRAHAM CLULEY
雷峰网
雷峰网
Project Zero
Project Zero
博客园 - Franky
H
Heimdal Security Blog
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Hugging Face - Blog
Hugging Face - Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More

Privacy & Cybersecurity Law Blog

New Hampshire Amends the NHDPA to Prohibit the Sale of Children’s Personal Data Canada’s Proposed Social Media Ban for Children and Chatbot Regulation: Bill C-34’s Impact on Platforms European Commission Unveils Cybersecurity and AI Action Plan European Commission Refers Four Member States to CJEU Over NIS2 Transposition Delays EDPB Opens Public Consultation on New Personal Data Breach Notification Template European Commission Advances New Proposal to Expand Cloud Capacity and AI Infrastructure U.S. Supreme Court FTC Ruling Prompts Fresh Scrutiny of EU-U.S. Data Privacy Framework China Issues New Measures for Network Data Security Risk Assessment China Issues Regulations on Internet Content Multi-Channel Network Distribution Services China’s First Regulatory Framework for Virtual Companions Soon to Take Effect UK Data Protection Complaints Obligations Take Effect Vermont Enacts Significant Amendments to Data Broker Legislation Vermont Becomes 23rd State with Comprehensive Consumer Privacy Law Louisiana Enacts Comprehensive Consumer Privacy Law Connecticut Signs Comprehensive AI Bill into Law China CAC Issues Guidance on Conducting Audits Technology Companies Should Prepare for FTC Enforcement of Take It Down Act HHS Reorganizes Office for Civil Rights Oregon Prohibition on Public Body Disclosures to Data Brokers for Federal Immigration Purposes Now In Effect Connecticut Privacy Law Updates: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing Restrictions, and Genetic Data Regulations NYDFS Warns of Cybersecurity Risks from Frontier AI Models UK and Australia Announce Memorandum of Understanding on AI Security FTC Announces Settlements With Three Marketing Firms Over Allegations of Deceptive Statements About Active Listening AI-Powered Services Cybersecurity Authorities Issue Joint Guidance on the Adoption of Agentic AI Systems Colorado AI Act Amended and Effective Date Delayed European Commission Releases Draft Guidelines on High-Risk AI Under the EU AI Act Texas AG Announces Lawsuit Against Netflix for Alleged Misrepresentations Regarding User Data UK ICO Recommends Targeted Changes to PECR Rules for Online Advertising California AG Announces Record $12.75M Settlement with GM over CCPA Data Minimization and Purpose Limitation Violations Illinois Department of Human Rights Issues Regulations Governing the Use of AI in Employment Decisions Delta Dental Agrees to $2.25 Million Settlement with NYDFS Over MOVEit Data Breach Response Maryland Enacts First-of-its-Kind Ban on Surveillance Pricing for Grocery Sales CIPL Report Discusses Significant Alignment between GDPR and Global CBPR CalPrivacy Announces the Agenda for its April 30–May 1 Board Meeting CalPrivacy Requests Preliminary Comments on Notices & Disclosures, Employee Data COPPA Rule Amendment Compliance Deadline Approaches House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act” Kentucky Classifies Smart TV Data as Sensitive Alabama Becomes 21st State With Comprehensive Consumer Privacy Law CalPrivacy Director Expects CCPA Compliance Audits in 2026 Virginia Bans Sale of Geolocation Data HHS’ Office for Civil Rights Settles HIPAA Investigation of Health Care Software Company New Jersey Enacts New Restrictions on Health Care Facilities’ Use of Patient Data Washington State Enacts Law Regulating AI Companion Chatbots with Private Right of Action Guardrails for Legal AI: What California’s SB 574 Would Require of Attorneys and Arbitrators
UK ICO Publishes Guidance on Storage and Access Technologies
2026-05-05 · via Privacy & Cybersecurity Law Blog

On April 29, 2026, the UK Information Commissioner’s Office (“ICO”) published the final updated version of its guidance on storage and access technologies such as cookies, pixels and similar technologies (“Technologies”). The guidance takes into consideration the requirements of the Privacy and Electronic Communications Regulations, the UK General Data Protection Regulation (“UK GDPR”) and the latest changes introduced by the Data (Use and Access) Act 2025 (“DUAA”).  

The guidance sets out the key obligations for organizations when using Technologies, such as when and how to procure consent, and what information individuals must be provided about the use of Technologies. Much of this information was in the ICO’s previous guidance, but the new guidance has introduced further detail on certain points and included new examples. Notably, the new guidance discusses the changes introduced by the DUAA, i.e., the new exceptions to the requirement to obtain consent for the use of Technologies. The two key exceptions are: (1) the “statistical purposes” exception; and (2) the “appearance” exception.

The “Statistical Purposes” Exception

Under this exception, an organization is not required to procure consent to store or access information using Technologies if the sole purpose of the storage or access is to enable the organization to collect information for statistical purposes: (1) about how a service is used, with a view to making improvements to the service, or (2) about how a website by means of which the service is provided is used, with a view to making improvements to the website. To rely on this exception, an organization must still provide information regarding the purposes for which Technologies are used and a “simple and free” means to object to their use.

According to the ICO, this exception is about the creation of aggregate statistical information about visitors to a service and the use of this information to improve the service, i.e., “essentially for analytics purposes.” The ICO caveats this by confirming the exception does not cover all analytics – it is about how the service is used and not about who uses the service. The ICO acknowledges that such activity may involve the processing of personal data, and in such instances, the organization must comply with the UK GDPR and then aggregate the data. The ICO has prepared a table of non-exhaustive examples of activities that are likely to meet the exception, such as total visits to a service, user interactions with pages on a website and how users reached a service. 

With regard to third-party analytics, the law states that the information collected by Technologies should not be shared with a third party “except for the purpose of enabling that other person to assist with making improvements to the service or website.” The ICO has interpreted this as meaning a third-party analytics provider can be used by an organization subject to: (1) the provider acting on behalf of the organization (i.e., as a processor); and (2) the information only being used to help the organization improve its service.

The “Appearance” Exception

Under this exception, an organization is not required to procure consent to store or access information using Technologies if the sole purpose of the storage or access is to enable the organization to: (1) adapt the way the organization’s service appears or functions in line with the subscriber’s or user’s preference; or (2) otherwise enhance the appearance or functionality of the website when displayed on, or accessed by, the subscriber’s or user’s device. As with the above, to rely on this exception an organization must still provide information regarding the purposes for using Technologies and a “simple and free” means to object.

The ICO highlights that this exception is not about adapting the content to display to a user on a service based on any known or inferred interests. The ICO has prepared a table of non-exhaustive examples of activities that are likely to meet the exception, such as identifying the dimensions of a subscriber’s or user’s monitor or screen to enable reconfiguration of a website to adapt to the monitor or screen and remembering the language the subscriber or user selects.

The ICO also confirmed that it is in the process of updating its guidance relating to online advertising, with updates to follow in the coming weeks.

Read the press release and guidance.