UK Watchdog Counters Myths About Online Tracking Approach

The first misconception is that the rules apply to personal data only. Storage and access rules apply to any "information," ICO said.

Another myth is that the ICO has changed what "strictly necessary" means in connection with storage or access. In fact, the watchdog noted, it has always said it means that storage or access must be essential for providing services a user requests, not just something useful to the service provider. And whether such technologies are strictly necessary must be judged from the user's perspective, it added.

Yet another misunderstanding is that ICO is too focused on online advertising. But, the office said, online advertising is one of the most visible widespread uses of storage and access technologies, and is a space where people can easily lose control of their personal data.

Another myth is that companies can rely on legitimate interests for non-exempt purposes. They can't, the ICO said: where the Privacy and Electronic Communications Regulations (PECR) require consent and a business is processing personal data, it can't rely on legitimate interests under the U.K. General Data Protection Regulation, meaning consent is needed for any non-exempt storage and access technology.

Nor can organizations use legitimate interests to process data obtained on the basis of consent, the ICO said. If they're required to obtain consent for storage and access technology, they can't then "flip" to using legitimate interest for subsequent processing because doing so would remove the control that consent is supposed to give to the user.

The office also debunked the idea that PECR is only about cookies, saying the rules apply to any technology that stores or accesses information on someone's device, including cookies.

Last, the office denied that it wants online services to stop using storage and access technologies for ads. Instead, it said, it wants them to be used in a way that gives people meaningful choice and control.