UK PECR and Analytics: The Rules After Brexit
PECR sits beside UK GDPR and governs analytics storage and access. What the ICO says, and how cookieless measurement fits.
Post-Brexit Britain kept both halves of the European privacy architecture under new names: UK GDPR (the data-protection layer) and PECR (the ePrivacy layer governing cookies and device access). For analytics, PECR is the binding constraint — and the ICO's reading of it is stricter than most site owners assume.
The PECR rule that matters
Regulation 6: storing information on a user's device, or accessing information already stored, requires consent — unless strictly necessary for a service the user requested. The ICO has been explicit that analytics cookies are not 'strictly necessary': useful to you is not essential to the user. UK sites running cookie-based analytics without prior consent are non-compliant, full stop, and the ICO's 2023–24 enforcement push against major sites' banners made the point publicly.
What this means by setup
- GA4 or any cookie-based tool: consent banner required before the tag fires — with the data loss that implies. 'Legitimate interests' does not rescue you; PECR's consent rule operates independently of UK GDPR's lawful bases.
- Cookieless measurement: a tracker that neither stores identifiers on the device nor reads stored information for identification falls outside Regulation 6's trigger — no PECR consent needed. The remaining UK GDPR analysis (is any personal data processed, e.g. IPs in transit?) is the light-touch part, handled by minimization and a sentence in the privacy notice.
The ICO's direction of travel
Worth knowing: the ICO has signaled openness to a future carve-out for genuinely privacy-respecting, low-risk analytics — draft guidance has floated distinctions between intrusive tracking and basic audience measurement. Until legislation lands, the safe harbor is architectural: measure without touching the device's storage. (The EU-side equivalent arguments live in the ePrivacy explainer.)
Practical checklist for UK sites
- Inventory what your current tags store and read — the PECR question is mechanical, not philosophical.
- If analytics is the only banner driver, switching to cookieless measurement lets you remove the banner lawfully, recovering UX and data completeness in one move.
- Keep the privacy notice current: PECR exemption does not exempt you from transparency.
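
The inventory step in the checklist, as an added example that is not part of the original article: a JavaScript hook that records every write and read against cookies, localStorage and sessionStorage, so each storage touch can be traced to the tags running on a page. The function names and the `win` parameter are assumptions of this example; in a browser, call `auditDeviceStorage(window)` before any tag loads.

```javascript
// Added example: log device-storage writes and reads for a tag inventory.
// `win` is a window-like object (hypothetical parameter name).
function auditDeviceStorage(win) {
  const events = [];
  const record = (op, store, key) => events.push({ op, store, key });

  // Cookies: find the accessor that document.cookie resolves to and wrap it.
  let proto = win.document, desc;
  while (proto && !(desc = Object.getOwnPropertyDescriptor(proto, 'cookie'))) {
    proto = Object.getPrototypeOf(proto);
  }
  if (desc && desc.get && desc.set) {
    Object.defineProperty(win.document, 'cookie', {
      configurable: true,
      // A read returns every visible cookie, so the key is recorded as '*'.
      get() { record('read', 'cookie', '*'); return desc.get.call(this); },
      set(v) {
        record('write', 'cookie', String(v).split('=')[0].trim());
        desc.set.call(this, v);
      },
    });
  }

  // localStorage and sessionStorage share Storage.prototype.
  const sp = win.Storage && win.Storage.prototype;
  if (sp) {
    const name = (s) => (s === win.sessionStorage ? 'sessionStorage' : 'localStorage');
    for (const [method, op] of [['getItem', 'read'], ['setItem', 'write']]) {
      const orig = sp[method];
      sp[method] = function (key, ...rest) {
        record(op, name(this), String(key));
        return orig.call(this, key, ...rest);
      };
    }
  }
  return events; // live array: grows as tags run
}

// Reduce the event log to the distinct storage touches a consent review needs.
function summarize(events) {
  return [...new Set(events.map((e) => `${e.op}:${e.store}:${e.key}`))].sort();
}
```

The hook does not cover IndexedDB or property-style access such as `localStorage.foo = 'x'`, so check those separately in the browser's storage inspector.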