PECR Has Three Tiers. AI Personalisation Doesn’t Fit Any of Them.

May 6, 2026
by Cherry Rose

PECR has three tiers. Strictly-necessary cookies need no consent. All-other-cookies need consent. Special-category data needs heightened consent. AI Concierge personalisation on a WooCommerce store does not fit any of them. The data is the service.

The framework was written before AI-native experiences existed. The ICO is now consulting on a risk-based approach to PECR enforcement, and signalled a low-risk advertising carve-out is coming. By 2027 a service-constitutive tier is the most likely next category. Stores building AI experiences now should architect data systems that flex when the rules tier — because the architectural answer is the same answer either way.

Why the Three Current Tiers Cannot Hold AI Personalisation

Translation of the three tiers, in plain English: cookies you need, cookies you want, cookies that handle health and similar sensitive data. The AI Concierge does not fit because it is none of these:

  • It is not strictly-necessary. The ICO’s finalized April 29, 2026 guidance is firm that strictly-necessary applies only to storage essential to a service the user explicitly requested. Recommendations adapted to your conversation are not essential to delivering a page. They are essential to delivering the experience the visitor came for — but PECR’s strictly-necessary test is service-essential, not experience-essential.
  • It is not standard analytics or advertising. A purchase-history-based product recommender that profiles the user for later marketing is consent-required under PECR. That is uncontroversial. But a real-time conversational personaliser that processes the current conversation and discards it is not the same surface — there is no profile being built, no audience being formed, no campaign being targeted. The current PECR test conflates them.
  • It is not handling special-category data by default. The Article 9 sensitive-data tier is for health, race, sexual orientation, biometrics. AI Concierge interactions can drift into special-category territory if they ask questions that elicit such data — but most retail Concierge use does not.

The result: store owners running AI Concierge plugins today are forced to put the experience behind a generic consent banner that was designed for a different problem. Visitors hit the banner before the chat input is reachable, the conversation flow breaks, and the store loses the lead before the personalisation has a chance to deliver value.

What the ICO Has Already Signalled

The signals point in the same direction. Per the Data Protection Network’s analysis, the ICO is reviewing PECR consent requirements to enable a shift towards privacy-preserving advertising models. The ICO’s own August 2025 economic growth plan announced consultation on a risk-based approach to PECR enforcement on advertising, with a statement on low-risk advertising activities expected.

The Data (Use and Access) Act 2025 introduced new statutory exemptions to PECR — but per DAC Beachcroft, those exemptions are deliberately tight: full transparency required, opt-out free of charge, no advertising linkage. The Act left the door open for further exemptions via secondary legislation, and the ICO’s April 29, 2026 finalized guidance reads as the regulator’s interim positioning while the policy debate continues.


What a Service-Constitutive Tier Might Look Like

The shape of a fourth tier is already visible in the existing PECR architecture. The likely contours, working from the regulator’s stated principles:

  • Real-time, session-bounded. The exemption applies to data used inside the current visit and discarded at session end. Persistence triggers the existing consent regime.
  • No advertising linkage. The DUA Act tightening of advertising-adjacent exemptions makes this a hard line. A service-constitutive tier that bled into ad targeting would not get past the consultation.
  • Opt-out free of charge. Visitors who do not want personalised treatment can request a generic experience without losing access to the service. The request is honoured immediately and visibly.
  • Transparency in plain language. The visitor knows the AI is using their conversation to adapt responses. Not buried in a privacy policy; surfaced in the experience.
  • No special-category leakage. If the conversation drifts into Article 9 territory, the existing heightened-consent regime applies. The service-constitutive tier never overrides it.

This is speculative. The ICO has not committed to a service-constitutive tier in name. What it has committed to is recognising that the existing binary does not scale to AI-native services. The next round of policy work has to do something about that mismatch, and the shape of the something is constrained by the principles already in the public record.

The Architectural Decision Now

The temptation is to wait. Wait for the ICO statement, wait for the secondary legislation, wait for someone else to test the boundary in court. The cost of waiting is that any AI Concierge plugin installed today is built against the current framework — and almost all of them are built to write a persistent identifier from the first interaction.

The architectural decision that holds under both the current rules and any plausible reform is the same: separate session memory from persistent identity at the data layer, before the AI Concierge experience is built on top.

The session-scoped layer:

  • Server-side state keyed on a session ID, no persistent identifier written to the visitor’s device
  • Lives inside the existing strictly-necessary exemption today
  • Either stays where it is or gains additional latitude under any future service-constitutive tier

The persistent layer:

  • Cross-session memory, account preferences, behavioural recommendations across visits
  • Lives behind a clean consent gate, surfaced as a named opt-in feature
  • Continues to operate under consent under any plausible reform

The crucial property: the architecture does not collapse if the regulatory tier changes. The session layer either stays where it is or gets more freedom. The persistent layer is consent-gated either way. There is no rebuild waiting on the other side of any reform that the ICO is plausibly considering.


How a Transmute Engine-Backed Store Handles This

Transmute Engine™ is a first-party Node.js server that runs on your subdomain (e.g., data.yourstore.com). It sits exactly where the session-scoped and persistent identity layers need to be separated: between the WooCommerce event source and every downstream destination. Session-scoped state stays in the server’s working memory, keyed on a session ID and cleared at session end. Persistent identity is gated through a separate consent-aware path that only activates when the consent record permits it. Whether PECR adds a tier in 2026, 2027, or 2028, the architecture does not need to be redrawn.

Key Takeaways

  • Three current PECR tiers: strictly-necessary (no consent), all-other-cookies (consent), special-category data (heightened consent). None fits AI Concierge personalisation.
  • The ICO is consulting on a risk-based PECR approach and a low-risk advertising carve-out. Reform is in motion.
  • Likely shape of a service-constitutive tier: session-bounded, no advertising linkage, opt-out free of charge, plain-language transparency, no special-category leakage.
  • WordPress powers 43.5% of all websites. Most WooCommerce stores running AI Concierge plugins today are architected against the current framework — usually with persistent identifiers written from the first interaction.
  • The architectural answer is regime-stable: separate session memory from persistent identity. The session layer lives inside strictly-necessary today and gains latitude under any plausible reform. The persistent layer is consent-gated under both.
  • Build now for the framework that is coming. The reform is in motion, and the architecture that holds is the architecture you should be running today regardless.

Frequently Asked Questions

Why does the current PECR framework structurally fail to accommodate AI Concierge experiences?

PECR splits storage technologies into three tiers: strictly-necessary (no consent), all other cookies (consent), and special-category data (heightened consent). AI Concierge personalisation does not match any of them. It falls outside strictly-necessary because the personalisation is not essential to deliver a basic page. It is not analytics or advertising in the traditional sense because the data is the service itself, processed in real time and discarded. The framework was written before AI-native experiences existed.

What is service-constitutive personalisation?

Personalisation where the use of personal data is the service the user requested, not a measurement layer or marketing surface. An AI Concierge that adapts answers based on the conversation in progress is service-constitutive — the user came to the site for that personalised interaction. By contrast, an analytics tracker that profiles the user for later marketing is service-additive. The current PECR framework only has a category for service-additive uses.

How should a WooCommerce store architect data systems now to flex when PECR tiers?

Separate session memory from persistent identity at the architecture level. Build the AI Concierge against session-scoped state with no persistent identifier — that operates inside the existing strictly-necessary exemption today. Build the cross-session personalisation layer as an explicit, consent-gated opt-in. When PECR adds a service-constitutive tier, the session-scoped layer either stays where it is or gains additional latitude, while the cross-session layer continues to operate under consent. The architecture works under both regimes.

When is PECR likely to introduce a service-constitutive tier?

There is no confirmed date. The ICO has been consulting on a risk-based approach to PECR enforcement on advertising, and the Data (Use and Access) Act 2025 introduced new exemptions. The ICO finalized its updated guidance on April 29, 2026 following those consultations. A formal service-constitutive tier would likely require either further DUA Act commencement regulations or a new round of statutory amendment — most analysts working from the publicly available consultation timeline expect movement before the end of 2027.

Will PECR change to accommodate AI Concierge experiences?

The pressure for change is structural. AI-native services are growing faster than the framework was designed for, and the ICO’s own statements about enabling a shift towards privacy-preserving advertising models indicate awareness that the current binary — consent or strictly-necessary — does not scale. Whether the change comes as a new tier, a refined guidance interpretation, or a statutory amendment, the direction is clear: a category for service-constitutive personalisation is the gap that needs filling.

Audit the AI Concierge plugin running on your store today: does it write a persistent identifier from the first interaction? If yes, the architecture will not flex when the rules tier. Start at seresa.io.
