On 18 May 2026, the ICO published its advice to the UK government on potential amendments to PECR's 'storage and access technology' consent requirements, proposing a framework under which certain low-risk online advertising activities could operate without user consent. The advice is the ICO's independent expert input to support the government's consideration of secondary legislation under the new powers introduced by the Data (Use and Access) Act 2025. It is important to note that nothing has changed yet: the existing PECR rules continue to apply, and the ICO has been clear that this is advice to government, not a change in regulatory posture.

The centrepiece of the ICO's report is its "preferred approach": a 'first-party framework' that would allow publishers to store and access limited information on a user's device for specific advertising purposes, without consent, provided appropriate safeguards are in place. The purposes that the ICO considers could be permitted without consent are: 

• Ad delivery
• Targeting (limited forms of; see below)
• Measurement and billing
• Attribution
• Frequency capping
• Brand safety, and
• Ad fraud prevention and detection. 

The ICO's proposals on targeting are perhaps the most instructive in understanding where the boundaries would sit. Under the preferred approach, the use of storage and access technologies for targeting could be permitted without consent only when limited to: 

• high-level device and platform information (device, OS, browser - but not browser version)
• geolocation data abstracted to the city or region level
• temporal information (date and time of day), and
• contextual information, being the content the user is immediately viewing mapped to a broad taxonomy such as 'sports' or 'cycling'. 

ID-based targeting (reaching the same user across multiple interactions, sites or devices), demographic and interest-based targeting (segmenting audiences by traits such as age or gender), and more broadly any form of behavioural advertising involving tracking and profiling, would all continue to require consent.

The practical effect of all this remains to be seen. The ICO acknowledges that its preferred approach "wouldn't revolutionise the online advertising ecosystem" but could provide a way for service providers to deliver online advertising to users who do not consent to behavioural advertising. The benefits are expected to be strongest for mid- and base-tier publishers most constrained by consent rejection, and neutral to modest for top-tier platforms with large market shares of consented data.

Which brings us to an interesting dynamic. The ICO published its guidance on consent or pay models in January 2025, confirming that such models can be compliant with data protection law provided organisations can demonstrate that consent is freely given. Consent or pay now gives publishers a well-trodden route to obtaining consent for the full spectrum of advertising –including more intrusive, behaviourally targeted advertising. If consent or pay models have made it relatively straightforward for publishers to obtain valid consent for more intrusive advertising, there is a question about the coherence of pursuing a consent-free regulatory route for less intrusive advertising. Put differently: 

• Has the cart been put before the horse? Arguably the promotion of privacy-preserving measures should have come first, potentially rendering consent or pay unnecessary in the first place.
• Why carve out exceptions when the industry already has a mechanism for securing consent to do considerably more? The ICO's own answer is that consent or pay isn't viable for every publisher and that consent fatigue is a real cost –but is that sufficient justification for a new legislative exception, or does it simply reflect the limitations of a model that was itself only validated eighteen months ago?

So, the interaction between a consent-based regime for behavioural advertising, a consent or pay framework that legitimises the obtaining of that consent, and a new exception that renders consent unnecessary for less intrusive practices, is not yet fully mapped, and it remains to be seen how this will play out.