Skip to main content
ComplicerAUDIT GRADE
MethodologyUse casesEU AI ActPricingBlogDocsSign inSTART FREE AUDIT
← JOURNAL
GDPR·APR 29, 2026·9 MIN READ

UK ICO Cookie Guidance 2026: Why Cookies, Pixels, Tags, and LocalStorage Now Need One Audit

BY COMPLICER TEAM

For years, most website compliance work has been framed around one question: "Do we have a cookie banner?"

That question is now too narrow.

On 29 April 2026, the UK Information Commissioner's Office published its final guidance on Storage and Access Technologies, replacing the practical focus on "cookies" with a broader category of technologies that store information on, or access information from, a user's device. The ICO explicitly includes cookies, tracking pixels, link decoration, navigational tracking, web storage, fingerprinting techniques, scripts, and tags.

This matters because many websites can appear "cookie compliant" while still loading analytics scripts, advertising tags, pixels, fingerprinting logic, localStorage identifiers, or URL tracking parameters before valid consent is obtained.

The practical compliance question in 2026 is therefore not:

Do we block non-essential cookies?

It is:

Do we block non-exempt storage and access technologies before consent, and can we prove it?

1. What changed in April 2026?

The ICO finalized its guidance on Storage and Access Technologies, commonly shortened to SATs, after two consultation rounds: one following the December 2024 update to the previous cookie guidance, and another after changes to PECR introduced through the Data Use and Access Act process. The final version also added new sub-chapters on "simple means of objecting" and whether the same technology can be used for multiple purposes.

The most important conceptual change is that the ICO no longer treats "cookies" as the practical boundary of the problem. PECR applies to any technology that stores information on, or accesses information from, a user's terminal equipment. The ICO lists the following examples:

TechnologyCompliance relevance
CookiesClassic browser storage, often used for sessions, analytics, advertising, personalization
Tracking pixelsOften used for ad attribution, email tracking, retargeting, and conversion measurement
Link decorationTracking parameters added to URLs to identify users, campaigns, sessions, or sources
Web storagelocalStorage and sessionStorage identifiers can persist user or device data
FingerprintingDevice/browser attributes can be combined to recognize users without cookies
Scripts and tagsTag managers and third-party scripts can access device/browser information or trigger storage

The ICO's guidance says the PECR rules apply across websites, mobile apps, connected devices, and other environments where storage or access occurs. Where personal data is involved, UK GDPR also applies.

2. Why "cookie compliance" is no longer enough

A website can pass a simple cookie check and still fail a real storage and access audit.

For example:

Website behaviorWhy it matters
No marketing cookies before consent, but Meta Pixel loadsThe pixel may access device information or trigger tracking before consent
Cookie banner blocks cookies, but Google Tag Manager loads ad tagsScripts and tags may initiate non-exempt tracking
No third-party cookies, but localStorage stores a visitor IDWeb storage is covered by the same storage/access logic
No visible cookies, but fingerprinting script collects browser attributesFingerprinting can identify or single out users without cookies
Consent banner works, but URL contains persistent click IDsLink decoration and navigational tracking may still create tracking risk

The key scientific point is that cookies are only one storage mechanism. Modern tracking systems often rely on hybrid identity graphs, where cookies, browser storage, device signals, redirects, URL parameters, server-side events, and tag-manager rules work together.

So a compliance audit must observe actual browser behavior, not just inspect the cookie table.

3. What PECR requires

The ICO explains that PECR Regulation 6 prohibits storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user unless an exception applies. Where no exception applies, the organization must provide clear and comprehensive information and obtain prior consent to the UK GDPR standard.

The ICO states that consent must involve a clear positive action. Continuing to use a website does not constitute valid consent, and neither do pre-ticked boxes or equivalent mechanisms. The user must be informed before consenting, third parties must be clearly named, non-exempt technologies must not fire before consent, refusal must be as easy as acceptance, and users must have controls over non-exempt uses.

That gives us a practical test model:

RequirementTest question
Prior consentDid any non-exempt technology run before the user clicked "Accept"?
Clear informationDoes the banner or policy explain what the technology does and why?
SpecificityAre purposes separated clearly, such as analytics, ads, personalization, security?
Third-party namingAre third parties clearly named before consent?
Refusal parityIs "Reject" as easy as "Accept"?
WithdrawalCan users later change their choice easily?
Technical enforcementDoes the actual browser behavior match the declared consent state?

This last point is where many sites fail. A banner can be legally worded but technically ineffective.

4. Consent is purpose-based, not tool-based

One subtle but important issue is that the same technology can be used for multiple purposes.

For example, a script might support:

PurposePossible compliance status
Session securityPotentially exempt if strictly necessary
Fraud preventionDepends on exact legal basis and exemption scope
AnalyticsUsually requires consent unless a specific exemption applies
Advertising measurementRequires consent
RetargetingRequires consent
PersonalizationDepends on whether requested by the user and whether exempt

The ICO's final guidance added a specific discussion on whether the same storage and access technology can be used for multiple purposes. That is important because organizations sometimes classify a whole script as "necessary" because one function is necessary, even though the same script also performs analytics or advertising functions.

A reliable audit should therefore classify technologies by purpose, not merely by vendor or file name.

Bad classification:

analytics.js is necessary because it helps the website work.

Better classification:

This script performs page analytics and user journey measurement. It is not required to deliver the page requested by the user, so it must not run before consent unless a valid exception applies.

5. Advertising still needs consent

The ICO is very clear on advertising-related storage and access technologies. If a service uses storage or access technologies for online advertising, consent is required. The ICO says online advertising purposes are not exempt from PECR consent requirements, including frequency capping, ad affiliation, ad measurement, performance measurement, click fraud detection, market research, product improvement, or debugging where used for advertising-related purposes.

That is significant because many sites still treat some adtech activities as "functional", "performance", or "legitimate interest".

From an audit perspective, the key question is not what the CMP category says. The key question is what the technology actually does.

Examples of high-risk findings:

FindingWhy it is risky
Ad scripts load before consentNon-exempt advertising technology runs too early
Click IDs stored in localStoragePersistent ad attribution may occur before consent
Ad measurement pixel fires on page loadAdvertising measurement is explicitly not exempt
Third-party ad vendor not namedConsent may not be informed or specific
Reject button does not block all ad callsConsent state and technical behavior do not match

6. Analytics needs careful treatment

Analytics is often misunderstood.

Website operators argue that analytics are useful for improving a service. That may be true, but usefulness is not the same as strict necessity. The ICO's broader SATs approach means analytics-related storage or access must be assessed carefully against the available exceptions and consent requirements. The ICO guidance explains that non-exempt use requires prior consent, and advertising-related measurement is not exempt.

A scientific audit should distinguish between:

TypeExample
Aggregate server-side logsBasic request logs without device access or persistent identifiers
Consent-based analyticsAnalytics tags only loaded after opt-in
Local analytics storageClient-side identifiers stored in cookies or localStorage
Advertising measurementConversion tags, pixels, retargeting, campaign attribution
Product telemetryEvent tracking, heatmaps, session replay, feature usage

The riskiest cases are usually session replay, heatmaps, cross-site analytics, and advertising measurement, because they often involve detailed behavioral tracking and third-party processing.

7. The compliance evidence problem

Most compliance failures are not only legal failures. They are evidence failures.

A company may believe:

Our CMP blocks all marketing tools before consent.

But the browser may show:

A third-party script loads before consent, creates localStorage entries, fires a network request, and sends device metadata to an analytics endpoint.

This is why storage and access compliance should be tested using controlled browser states:

StateWhat to test
Fresh visitor, no choiceWhat fires before any consent decision?
Reject allWhat remains after refusal?
Accept allWhat fires after full consent?
Granular consentDo analytics, ads, and personalization behave separately?
WithdrawalAre previously accepted tools stopped after consent is changed?
Return visitIs the stored consent state respected?

The audit should collect evidence from multiple layers:

Evidence layerWhat it proves
CookiesName, domain, expiry, category, creation timing
localStorage / sessionStoragePersistent or session identifiers outside cookies
Network requestsThird-party calls, pixels, APIs, tracking endpoints
Scripts and tagsWhich code executes before and after consent
Consent stateCMP choice, consent string, category settings
ScreenshotsWhat the user was shown at the moment tracking occurred
TimingWhether storage/access happened before or after consent

This matters because regulators and internal legal teams need reproducible proof, not assumptions.

8. Dark patterns still matter

Technical blocking is not enough if the consent interface manipulates the user.

The EDPB's deceptive design pattern guidance focuses on user interfaces that push people into unintended, unwilling, or harmful decisions about personal data. Although the EDPB document is framed around social media platforms, its principles are relevant to consent interfaces generally: lawfulness, fairness, transparency, data protection by design, and avoiding manipulative design choices.

For cookie and SAT banners, common risk patterns include:

PatternExample
False hierarchy"Accept all" is bright and primary, "Reject" is hidden or grey
ObstructionReject requires several clicks, accept requires one
Ambiguous wording"Continue" or "OK" is used instead of clear consent choices
PreselectionOptional categories are enabled by default
Forced consentAccess is blocked unless the user accepts non-essential tracking
Misleading categoriesAdvertising tools placed under "functional" or "necessary"

The ICO also states that users must be able to refuse non-exempt storage and access as easily as they can accept it.

9. What a modern SAT audit should include

A strong audit should not be a static cookie list. It should be a reproducible browser experiment.

Minimum audit methodology

StepAction
1Open the page in a clean browser profile
2Capture all cookies, localStorage, sessionStorage, IndexedDB where relevant
3Capture network requests before consent
4Detect third-party scripts, pixels, tags, and redirects
5Save screenshot of the initial banner
6Click "Reject all" and repeat storage/network capture
7Click "Accept all" and repeat capture
8Compare differences across states
9Map each technology to purpose and vendor
10Flag technologies that fire before consent without a valid exception

Stronger audit methodology

For higher-risk sites, add:

Advanced checkWhy it matters
Multiple page typesHome, article, product, checkout, login, search, video page
Mobile and desktopMobile layouts often use different banners and scripts
Geo testingEU/UK/US visitors may see different consent behavior
Repeat visitsStored consent states can produce hidden failures
Tag manager inspectionGTM and similar systems can trigger hidden vendors
URL parameter testingLink decoration may appear only on campaign URLs
Video player testingEmbedded video often loads third-party trackers
Ad slot testingAdvertising scripts may fire only on monetized templates

This is especially important for media websites, e-commerce, SaaS landing pages, and lead-generation sites.

10. Practical checklist for website owners

Use this as a fast internal review.

Pre-consent

QuestionPass condition
Do non-essential cookies appear before consent?No
Do pixels fire before consent?No
Do analytics calls fire before consent?No, unless validly exempt
Does localStorage contain user/session/tracking IDs before consent?No, unless validly exempt
Do ad scripts load before consent?No
Are third-party vendors named before consent?Yes
Is "Reject" as easy as "Accept"?Yes
Are optional categories off by default?Yes

Reject state

QuestionPass condition
Are advertising requests blocked?Yes
Are analytics tags blocked unless validly exempt?Yes
Are localStorage tracking IDs removed or not created?Yes
Are pixels blocked?Yes
Is the rejection stored correctly?Yes
Does the site remain usable?Yes, except for optional features that truly require consent

Accept state

QuestionPass condition
Are technologies loaded only after consent?Yes
Are purposes consistent with the banner description?Yes
Are vendors consistent with the vendor list?Yes
Can the user withdraw later?Yes
Does withdrawal stop future non-essential tracking?Yes

11. Common failure examples

Failure 1: "Reject all" does not reject all

The banner offers a reject button, but network logs show advertising or analytics requests after rejection.

Why it matters: Consent is not only a UI state. It must control actual execution.

Failure 2: localStorage is ignored

The site blocks cookies but stores a persistent visitor ID in localStorage.

Why it matters: PECR is technology-neutral. Web storage is explicitly covered by the ICO's SATs guidance.

Failure 3: Tag manager loads too early

The site blocks known vendor cookies, but the tag manager itself loads before consent and triggers third-party requests.

Why it matters: Scripts and tags are included in the ICO's SAT scope.

Failure 4: Advertising measurement is classified as analytics

Conversion pixels or campaign attribution tools are placed in a "performance" or "analytics" category and run before consent.

Why it matters: The ICO states that advertising-related purposes, including ad measurement and performance, are not exempt.

Failure 5: The vendor list does not match reality

The privacy policy names five vendors, but the browser contacts fifteen third-party domains.

Why it matters: Consent must be informed and specific. The ICO says third parties must be clearly and specifically named where their storage and access technologies are used.

12. What this means for compliance teams

The April 2026 ICO guidance pushes compliance teams toward a more evidence-based model.

A modern compliance program should maintain:

ArtifactPurpose
Storage/access inventoryList of cookies, storage entries, pixels, scripts, tags, vendors
Purpose classificationNecessary, analytics, advertising, personalization, security, etc.
Consent-state evidenceBefore consent, reject, accept, withdrawal
Vendor mapDomains, processors, third parties, data destinations
Technical controlsCMP rules, tag-manager rules, script blocking
Audit logsTimestamped proof of what happened in the browser
Regression checksMonitoring when a new vendor or script appears

The practical goal is not just to configure a CMP once. The goal is to detect drift.

Marketing teams add new pixels. Product teams add analytics. Developers add A/B testing tools. Ad ops changes tags. Video players introduce new vendors. Without recurring scans, compliance decays.

Conclusion

The ICO's April 2026 guidance confirms what browser evidence has shown for years: cookie compliance cannot be reduced to a cookie banner.

The real compliance boundary is broader:

Any technology that stores information on, or accesses information from, the user's device must be assessed, classified, controlled, and evidenced.

That includes cookies, pixels, localStorage, sessionStorage, scripts, tags, fingerprinting techniques, link decoration, and tracking requests.

For website owners, the practical lesson is simple:

Do not audit only the banner. Audit the browser.

A compliant website should be able to prove what happens:

  1. before consent,
  2. after rejection,
  3. after acceptance,
  4. after withdrawal,
  5. across page types,
  6. across devices,
  7. across real third-party vendors.

In 2026, "we have a cookie banner" is no longer a convincing compliance answer.

The better answer is:

We have evidence that non-exempt storage and access technologies do not run before valid consent.

Sources

  1. ICO, Final storage and access technologies guidance published, 29 April 2026.
  2. ICO, Guidance on the use of storage and access technologies, finalised 29 April 2026.
  3. ICO, What are storage and access technologies?
  4. ICO, What are the PECR rules?
  5. ICO, What are the exceptions?
  6. UK legislation, PECR Regulation 6.
  7. EDPB, Guidelines 03/2022 on deceptive design patterns in social media platform interfaces.
NEXT STEP

Ready to automate your compliance?

Complicer scans your website, identifies compliance issues, and generates evidence packages — all in under 5 minutes.

START FREE AUDIT →
ComplicerAUDIT GRADE

Outcome-driven GDPR compliance — banners that actually work, evidence you can show your auditor.

GDPR-ALIGNED · SHA-256 · Ed25519 · EU-W1
PRODUCT
Free scanUse casesMethodologyEU AI ActPricingDocsBlog
COMPANY
ContactSecurity
LEGAL
PrivacyTermsComplaint
EVIDENCE CHAIN INTACT · SHA-256 · Ed25519 · RFC 3161-READY© 2026 COMPLICER