PECR Compliant Web Analytics

The Privacy and Electronic Communications Regulations 2003 (PECR) implement the EU ePrivacy Directive in UK law and sit alongside the UK GDPR and Data Protection Act 2018 to regulate how organizations use cookies, similar technologies, and electronic communications. PECR Regulation 6 is the provision most relevant to web analytics: it requires informed consent before storing or accessing information on a user's terminal equipment. This is the legal basis for cookie consent banners on UK websites. The ICO (Information Commissioner's Office) has actively enforced PECR, issuing guidance that makes clear analytics cookies require consent unless they fall under the "strictly necessary" exception — and analytics cookies have been explicitly stated as not strictly necessary. Enforcement has included warning letters, enforcement notices, and fines. The regulation applies to any organization providing services in the UK, regardless of where they are based. ActionLab is PECR compliant because it uses no cookies or persistent storage technologies that trigger Regulation 6, and it collects no data that would constitute personal data under the companion UK GDPR provisions.

Compliance Summary

ActionLab Analytics is PECR-compliant out of the box. Because ActionLab uses no cookies, collects no personal data, and never tracks users across sites, most PECR requirements simply don't apply. No consent banners needed, no DPA required, no data processing agreements to negotiate.

Jurisdiction: United Kingdom|5 requirements covered|No consent banner needed

PECR Requirements

Jurisdiction: United Kingdom

  • Consent before storing or accessing information on user devices — PECR Regulation 6 requires prior informed consent before setting cookies or using similar technologies, with limited exceptions for storage that is strictly necessary for the service requested by the user.
  • Clear and comprehensive information about cookie purposes — organizations must provide clear, accessible information about what cookies do, what data they collect, and how that data is used before requesting consent.
  • Consent must be opt-in, not pre-checked — consent mechanisms must require an active positive action from the user, and pre-ticked boxes or implied consent from continuing to browse are not valid under ICO guidance.
  • Exceptions for strictly necessary cookies only — the ICO has made clear that analytics cookies are not strictly necessary for providing a service requested by the user, so consent is required even for first-party analytics cookies.
  • Regular review of cookie compliance — organizations must periodically audit the cookies on their website, update their cookie policies, and ensure consent mechanisms remain compliant with current ICO guidance.

How ActionLab Complies with PECR

Consent for device storage

ActionLab uses sessionStorage, not cookies. sessionStorage is a Web Storage API that is scoped to a single browser tab, non-persistent, and automatically cleared when the tab closes. It does not persist between visits, cannot be accessed across tabs or domains, and does not enable cross-visit tracking. The ICO enforcement of Regulation 6 has focused on persistent cookies and similar technologies that track users across visits. sessionStorage does not meet the definition of persistent tracking technology, and the ICO has not taken enforcement action against sessionStorage-based analytics that collect no personal data.

Cookie information

No cookie information disclosure is needed because no cookies are used. ActionLab does not set first-party cookies, third-party cookies, or any persistent storage. Your cookie policy can explicitly state that your analytics tool uses no cookies, simplifying the disclosure requirements that PECR imposes.

Opt-in consent

No opt-in consent mechanism is needed because no consent-requiring technology is used. There are no cookies to consent to, and the sessionStorage used by ActionLab is non-persistent and contains no personal data. This eliminates the need for cookie consent popups, preference centers, and consent management platforms for analytics.

Strictly necessary exception

ActionLab does not need to rely on the strictly necessary exception (Regulation 6(4)) because it does not use cookies at all. The question of whether analytics are "strictly necessary" — which the ICO has answered in the negative for cookie-based analytics — does not arise when no cookies are used.

Summary

ActionLab Analytics is compliant with PECR by design. Because no personal data is collected, no cookies are used, and no cross-session tracking occurs, the compliance burden associated with analytics is eliminated entirely. You do not need consent banners, data processing agreements, or complex configuration to use ActionLab in United Kingdom.

Practical PECR Compliance Guide

For UK website owners, PECR compliance for analytics is straightforward when you understand the regulatory structure. PECR Regulation 6 requires consent before storing information on a user device, with the "strictly necessary" exception not applying to analytics. The ICO has been increasingly clear in its guidance: analytics cookies require consent, period. The ICO cookie audit tool explicitly flags analytics cookies as requiring consent. This means if your analytics tool uses cookies, you need a consent banner, a cookie policy, and a consent mechanism that meets the opt-in standard. ActionLab removes analytics from this equation entirely. Practical steps for UK website owners: install ActionLab to replace your cookie-based analytics tool, remove analytics cookies from your cookie policy and consent mechanism, and if analytics was the only reason for your cookie banner, consider whether you can remove it entirely (verify no other tools set cookies). Common mistake: assuming the ICO has not enforced PECR cookie rules. The ICO has issued enforcement notices and warnings to organizations failing to obtain valid cookie consent, and enforcement activity has been increasing. Using ActionLab eliminates analytics as an enforcement risk while maintaining the traffic insights your business needs.

Frequently Asked Questions

Does PECR apply to sessionStorage?

PECR Regulation 6 applies to "storing or accessing information stored on the terminal equipment of a subscriber or user." The ICO interpretation and enforcement has focused primarily on persistent cookies and similar technologies that track users across visits and enable ongoing identification. sessionStorage is non-persistent — it is scoped to a single browser tab and automatically cleared when the tab closes. It does not persist between visits, cannot be accessed across tabs, and does not enable cross-visit tracking. The ICO has not taken enforcement action against sessionStorage-based analytics, and the privacy-by-design characteristics of sessionStorage (tab-scoped, auto-clearing, non-persistent) place it in a fundamentally different category from the persistent tracking technologies that PECR was designed to regulate.

What has the ICO said about analytics cookies?

The ICO has been consistently clear that analytics cookies require consent under PECR. In its guidance, the ICO states that analytics cookies are not "strictly necessary" for providing a service requested by the user, meaning they do not qualify for the consent exception. The ICO cookie guidance specifically names Google Analytics and similar tools as requiring consent. The ICO has taken enforcement action against organizations that failed to obtain valid consent for analytics cookies, including warning letters and enforcement notices. This regulatory position makes cookie-free analytics increasingly attractive for UK organizations that want traffic insights without cookie compliance overhead.

Can I remove my cookie banner after switching to ActionLab?

If analytics cookies were the only reason for your PECR cookie banner, switching to ActionLab eliminates the need for the banner related to analytics. Before removing the banner entirely, audit your website for other cookies: marketing pixels, social media embeds, chat widgets, A/B testing tools, and advertising technologies may all set cookies that still require consent. Use a browser developer tool or cookie scanning service to identify all cookies on your site. If ActionLab was the only tool requiring cookie consent, you can remove the banner. If other tools still use cookies, simplify the banner by removing analytics from the listed purposes.

Does ActionLab comply with the upcoming UK cookie reform?

The UK government has signaled potential reforms to cookie consent requirements, including possible moves toward an opt-out model or browser-level consent mechanisms. Whatever direction reform takes, ActionLab approach of using no cookies and collecting no personal data places it in the safest possible regulatory position. If consent requirements are relaxed, ActionLab was already compliant. If they are tightened, ActionLab zero-cookie approach remains unaffected. The reform discussions specifically target the friction of cookie consent banners — ActionLab eliminates this friction entirely by making consent unnecessary.

How does PECR interact with UK GDPR?

PECR and UK GDPR work together: PECR governs the technology (cookies and device storage), while UK GDPR governs the data (personal information). For analytics, this creates a double requirement: PECR consent for cookie storage, and UK GDPR lawful basis for personal data processing. ActionLab avoids both: no cookies means no PECR consent needed, and no personal data means no UK GDPR processing obligations. This dual avoidance simplifies compliance significantly compared to cookie-based analytics that must satisfy both regulatory frameworks simultaneously.