Data law | UK Regulatory Outlook May 2026

UK updates 

ICO publishes its final guidance on the use of storage and access technologies 

The Information Commissioner's Office (ICO) has published its final guidance on the use of storage and access technologies (previously its "detailed cookies guidance"). It explains how the Privacy and Electronic Communications Regulations (PECR) and data protection laws apply when organisations use technologies that store information on, or access information stored on, a person's device.  

The Data (Use and Access) Act 2025 added three new exceptions to the prohibition on storing or accessing information on people's devices without consent. They came into force in February 2026, and the ICO has addressed them in its guidance:  

• Statistical purposes exception applies when the sole purpose of the storage or access is to enable an organisation to collect statistical information about how its service or website is used, with a view to making improvements (for example, total website visits or device types). 
• Appearance exception applies when the purpose of the storage or access is to adapt the way a service appears or functions in line with the subscriber's or user's preference (for example, identifying monitor dimensions to reconfigure a webpage to adapt to a screen or detecting operating system preferences such as a colour theme). 
• Emergency assistance exception applies when the sole purpose of the storage or access is to identify the geographical position of the subscriber's or user's device to provide emergency assistance.  

Both the statistical and appearance exceptions require organisations to provide users with a "simple and free" means to opt out.  

The guidance explains that these exceptions can only be relied on where storage and access technologies are only used for purposes covered by the exceptions, not for any other purpose at the same time. According to the ICO, if one purpose meets the requirements of an exception but another does not, a user's consent is required for the storage or access. These technologies are routinely used for multiple purposes, so this guidance from the ICO represents a significant obstacle in practice. 

ICO publishes advice to government on creating online advertising exceptions under PECR 

The new exceptions outlined above do not extend to advertising. However, as part of its online tracking strategy launched in 2025, the ICO has been exploring whether certain low-risk online advertising activities could be delivered without requiring consent under PECR. In May 2026, the ICO published its advice to the government on this issue. It is intended to help inform government policy-making as it considers whether to introduce an exception for certain online advertising purposes through secondary legislation under regulation 6A of PECR. 

In the ICO's view, amending regulation 6 could bring practical benefits: websites and apps would no longer be required to obtain consent in circumstances where only low-risk advertising is involved, thereby reducing consent fatigue, while preserving the requirement for consent in cases where advertising relies on more intrusive forms of tracking or profiling. 

ICO publishes final guidance on 'soft opt-in' for charities 

The ICO has published its final guidance on the "charitable purposes soft opt-in" provision introduced by the DUA Act, which came into effect on 5 February 2026. The new exception allows charities to send electronic mail for marketing purposes without obtaining prior consent where: 

• the only purpose of the marketing is to support one or more of the charity's charitable purposes; 
• the charity collected the person's contact details when that person was showing interest in one or more charity's charitable purposes at that time, or offering or providing support for one or more of those purposes; and 
• the person has been given an easy way to "opt out" (free of charge except for the costs of sending the refusal), both when the details were first collected and, if the person did not initially refuse, with each future marketing message. 

See more in this Regulatory Outlook.  

To reflect these changes, the ICO has updated its guidance on direct marketing using electronic mail, which now sets out how charities can use the provision and what safeguards must be in place. 

ICO updates children's guidance 

The ICO has updated its "Children and the UK GDPR" guidance to reflect changes introduced by the DUA Act. 

The ICO states that its updated guidance includes new practical case studies and examples, addresses the new recognised legitimate interests basis and its application to children’s data, and provides further detail on profiling and automated decision-making. The ICO has also clarified information society services obligations and their relationship to the standards of the Children's Code. In addition, the guidance now draws clearer links with wider regulatory frameworks, including the Online Safety Act 2023 and Ofcom codes and age assurance expectations. 

Court of Appeal rules in RTM v Bonne Terre Ltd that consent is purely objective  

In RTM v Bonne Terre Ltd (2026), the Court of Appeal delivered a ruling on the test for establishing consent under the UK GDPR and PECR.  

The claimant, RTM, described himself as a reformed problem gambler. Before overcoming his addiction, he had used Sky Betting and Gaming (SBG)'s online platform. When activating his account, he had clicked "accept and close" on a cookie banner. SBG had then placed cookies on his devices and browsers, processed his personal data and sent him targeted direct marketing material. RTM argued that these activities had fed his compulsive gambling and caused him to suffer significant financial loss. He issued proceedings against SBG, claiming that his consent to the processing of his personal data was never legally valid. 

The High Court agreed but SBG appealed. See this Regulatory Outlook for the summary of the High Court's ruling. 

The Court of Appeal allowed the appeal and remitted the case to the High Court. It held that:  

• Consent is constituted by an act, not a state of mind, and that the criteria for valid consent are all objective in nature. The first lawful basis for processing is that the data subject has "given" their consent. Therefore, the data subject must have taken some clear affirmative action. Further, as the legislation states, consent means an "indication" of the data subject's wishes that "signifies agreement" to that processing.  
• The requirements in the GDPR that consent be "freely given, specific, informed and unambiguous" are likewise all objective in nature and whether they are satisfied is assessed by reference to the data subject's "indication" of consent and its context, including communications between the data subject and the data controller and the structural character of the relationship between them.  
• A data controller is not required to demonstrate what was in the data subject's mind, nor to consider whether the data subject was vulnerable such that they were unable to make a fully autonomous decision. 

The Court of Appeal also rejected arguments that a data controller's actual or constructive knowledge of a user's personal circumstances or state of mind is relevant to whether consent is established. It further observed that the effect of the High Court's approach would mean that a data controller, such as SBG, could never guarantee compliance, as there would always be the possibility of an unknown vulnerability impairing a user's ability to consent – consequences that could extend well beyond gambling to other sectors. The Court of Appeal further noted that the High Court's introduction of a subjective test for the issue of consent was legally novel and its precise nature elusive. 

With the Court of Appeal confirming that the test for consent is a purely objective one, the ruling provides legal certainty for businesses that rely on consent-based processing of personal data.  

ICO sets out five steps to combat AI-powered cyber threats 

See AI section.  

EU updates 

EU legislators reach provisional agreement on Digital Omnibus on AI 

See AI section.