ICO Clarifies Consent Rules and EU Pushes for Universal Age Verification Framework

Want to receive these privacy recaps in your inbox each week? Subscribe here.

The UK Information Commissioner’s Office has updated its guidance on storage and access technologies, offering concrete examples of how businesses can provide users with a simple, free means of objecting to certain types of data collection and clarifying that consent obligations apply per purpose, not per technology. 

At the same time, the European Commission has published a Recommendation calling on EU Member States to deploy a common, privacy-preserving age verification framework that would let users confirm their age anonymously without exposing personal data to platforms or verification providers.

Keep reading to learn more and discover my takeaways.

Europe

ICO Updates Guidance on Storage and Access Technologies.

The UK Information Commissioner’s Office (ICO) updated its guidance on storage and access technologies, providing answers to two additional questions: 1. What does a “simple means of objecting” mean? and 2. Can we use the same storage and access technology for multiple purposes? I outline each below. 

What does a “simple means of objecting” mean? PECR requires prior consent before storing or accessing information on a subscriber’s or user’s terminal equipment. There are five exceptions, three of which were newly added as of June 2025 under the Data (Use and Access) Act (DUAA). Two of those new exceptions (when collecting information for statistical purposes about how a website or service is used with a view to making improvements, and when adapting the way the service appears or functions in line with the user’s preference or device) require providing users with “a simple means of objecting, free of charge, to the storage or access”. 

The ICO now provides official guidance on what that means, or at least one example of how that objection can be extended. Specifically, the ICO says that the objection could be extended through the existing consent mechanism, for example by having “statistical purposes” and “appearance” toggles on by default, with the ability for users to change them to off at any time. 

If someone objects, the guidance says you must stop storing or accessing information on their device. However, if the user changes their mind (e.g., by toggling the purpose back on), you can store or access the information again. The guidance also clarifies that browser settings cannot be relied upon as an indication of whether a person does not object. 

Can we use the same storage and access technology for multiple purposes?  The guidance also clarifies that consent, as well as exceptions to consent, for storage and access are purpose-specific, not technology-specific, meaning that if a given technology (e.g., a given cookie or pixel) has multiple purposes, your consent mechanism must give granular options for each purpose, and if an exception applies to one but not all of the purposes, you must still get consent for the non-exempt purposes (you can’t store or access information for the statistical purposes exception while simultaneously using that information for other purposes like online advertising). 

Recognizing the challenge in navigating this requirement for multi-purpose technologies, the ICO guidance suggests, “It may be easier to meet your PECR obligations if you use a separate storage and access technology for each purpose.”

TAKEAWAY

These updates result from consultations held in December 2024 (regarding the multi-purpose question) and July 2025 (regarding the simple means of objecting question, arising from the DUAA). According to a summary of the responses, respondents asked how a simple objection mechanism should work and whether it could be presented on the second layer of a layered interface. 

This resulted in an example of how it could (but doesn’t necessarily have to) be presented. Even though the multi-purpose guidance is more general, the question of whether consent is always required when a storage and access technology is used for more than one purpose became more prominent since the introduction of the statistical purposes and appearance exceptions. This suggests that adding new exceptions under the DUAA, while allowing for more flexibility, creates a separate set of complexities. The absence of these exceptions across Europe, separate from “strictly necessary” technologies, further complicates implementation for businesses.

European Commission Recommends Common Age Verification Framework.

The European Commission published a Recommendation on establishing a common framework for EU wide age verification technologies, aiming to ensure all EU citizens have access to privacy enhancing digital proof-of-age technologies by the end of 2026. Specifically, the recommendation calls for EU Member States to facilitate the effective deployment of EU age verification solutions and issuance of proof of age attestations based on an EU age verification blueprint provided by the Commission.

It also calls for them to support the swift establishment of a set of rules (the EU Age Verification Scheme) for attesting age verification solutions and proof-of-age, ensuring compliance with Implementing Regulation (EU) 2025/1569 for attestations of attributes within the EU Digital Identity Wallet framework. Under the blueprint, the user would download an age verification app from the app store. Proof of age would be issued based on national eIDs, passports and ID cards, pre-installed apps with age information (such as banking apps), or offline third-party activation (such as a post office). 

Once proof of age is established, the link between the user and the proof provider would be cut. The user could then provide anonymous proof of age when accessing online services. The solution would only confirm if the user is over a certain age. It would not reveal the user’s precise age or any other information about the user to either the trusted age attestation provider or the online platform the user is accessing. 

The processing, which involved accessing information already stored on the user’s terminal, also violated Italy’s implementation of the e-Privacy Directive. This was because the processing was not strictly necessary for providing the service requested by the user, and no valid consent was obtained. Specifically, technical authorization was requested, but it was not freely given because using the service offered by the companies was conditional on granting that authorization. Furthermore, the consent was neither informed nor specific, as data subjects were not informed of the essential elements of the processing and the purposes of processing were not clearly distinguished. Other violations cited included those related to transparency, security measures, and privacy-by-design.

TAKEAWAY

Under GDPR, consent to process a child’s personal data (when providing a service directly to the child) is only valid if the child is at least 16 years old (or a lower age set by the Member State). The Article 29 Working Party Guidelines on consent further clarify that service providers offering services to children (or services not strictly offered to adults) that collect personal data based on consent will be expected to make reasonable efforts (appropriate to the nature and risks of the processing activities) to verify the user’s age. 

If a child gives consent when not old enough to provide valid consent on their own behalf, the processing of their data is unlawful. The Commission’s recommendation does not change these requirements, but it may materially impact how businesses conduct age verification to comply with them. Businesses will likely need to stop collecting personal information for age verification and start accepting these universal privacy-preserving proof-of-age signals. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Maryland Governor Signs Law Prohibiting Targeted Food Pricing
• Cyberspace Administration of China Conducts App Privacy Compliance Sweep
• Spain Supreme Court Decision Applies GDPR to Pre-Processing Activities
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.