
GDPR & Privacy
Cookie consent, privacy policies, data processing, and GDPR requirements.
The UK GDPR (UK General Data Protection Regulation) and Data Protection Act 2018 govern every website that handles personal data of UK visitors. They cover how you collect personal data through forms, what cookies and tracking scripts load, whether your privacy policy meets the legal requirements, and how you handle data subject rights. The Information Commissioner's Office has issued landmark fines under UK GDPR — including British Airways (£20M, 2020) and Marriott International (£18.4M, 2020) — but most enforcement today lands at SME scale: Easylife was fined £130,000 in 2022 for profiling 145,000 customers without a lawful basis, and HelloFresh £140,000 in 2023 for sending 79 million unsolicited marketing emails after recipients had opted out.
Key facts
- The ICO fined Easylife £130,000 in 2022 for profiling 145,000 customers without a lawful basis under UK GDPR
- HelloFresh was fined £140,000 in 2023 for sending 79 million unsolicited marketing emails — a PECR Regulation 22 breach
- A missing or inadequate privacy policy can attract UK GDPR fines of up to £17.5 million or 4% of global turnover
- Google Fonts loaded from Google servers was ruled a privacy violation by a Munich court in January 2022 — UK sites face the same legitimate-interest analysis under UK GDPR
- Cookie banners that use dark patterns (pre-checked boxes, hidden reject buttons) breach the ICO's 2019 cookie guidance under PECR Regulation 6
What we check
- ✓ Cookie consent banner presence and configuration
- ✓ Third-party tracking scripts loading before consent
- ✓ Privacy policy completeness and required elements
- ✓ Contact form data handling and legal basis
- ✓ Google Fonts and other third-party resource loading
Cookie consent and privacy: good vs. bad examples
Cookie wall with no reject option
A full-screen banner that says "We use cookies to improve your experience" with only an "Accept all" button. No reject button, no settings link. GDPR requires freely given consent, which means refusing must be as easy as accepting.
Equal accept and reject buttons
A cookie banner with equally sized and styled "Accept all" and "Reject all" buttons. A third "Manage preferences" option lets users choose specific categories. No tracking fires until the visitor makes a choice.
Tracking scripts loaded before consent
Google Analytics, Facebook Pixel or other tracking scripts fire immediately on page load, before the visitor interacts with the cookie banner. This is the most common compliance issue the ICO and European DPAs find on small business sites.
No scripts until consent is given
Analytics and marketing scripts are only loaded after the visitor clicks "Accept." Essential cookies (session, cart, security) work without consent. The consent management platform blocks all non-essential scripts by default.
Privacy policy with generic template text
A privacy policy that still contains placeholder text like "[Company Name]" or refers to data processing activities your business does not actually perform. A privacy policy must accurately describe your specific data processing.
Accurate, specific privacy policy
A privacy policy that lists the exact data you collect (names, emails from the contact form), your legal basis for each, which third-party processors you use (e.g. Mailchimp, Stripe), retention periods and how visitors can exercise their rights.
Dark pattern consent design
An "Accept all" button in bright green and a "Manage preferences" link in tiny grey text. Or a cookie settings panel where all categories are pre-toggled to "on". These design patterns manipulate users into consenting and fail the ICO's 2019 cookie guidance (reject must be as easy as accept).
Honest, neutral consent design
Accept and reject buttons with the same size, colour weight and placement. Cookie categories explained in plain language. Settings saved and respected across visits. A persistent link in the footer to change preferences at any time.
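As an added example (not the page's or any consent-platform vendor's code) covering the "no scripts until consent is given" and "no pre-toggled categories" points above: a minimal consent gate in JavaScript. The script URLs, the category inventory and the store are constructed for illustration.

```javascript
// Added example, not the page's or any consent-platform vendor's code: a minimal
// consent gate. Every non-essential category defaults to "off" (nothing is
// pre-toggled), no non-essential script is injected until the visitor chooses,
// and the choice is persisted so later visits respect it.
const CATEGORIES = ['analytics', 'marketing'];

// Constructed inventory (hypothetical URLs); the site owner maps each script to a category.
const SCRIPTS = [
  { src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', category: 'marketing' },
  { src: '/js/cart.js', category: 'essential' }, // session/cart: needs no consent
];

// In a browser, back this with localStorage so the choice survives across visits.
const memoryStore = () => { let v = null; return { get: () => v, set: (x) => { v = x; } }; };

// Default injector: appends a <script> tag in a browser, otherwise just reports the URL.
function injectScript(src) {
  if (typeof document === 'undefined') return src;
  const el = document.createElement('script');
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
  return src;
}

function createConsentManager(store = memoryStore(), inject = injectScript) {
  const load = () => (store.get() === null ? null : JSON.parse(store.get()));
  const save = (choices) => store.set(JSON.stringify(
    // Only an explicit true counts as consent; missing or any other value means "off".
    Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true])),
  ));
  return {
    // null means no choice yet: show the banner and fire nothing non-essential.
    state: () => load(),
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => save({}),            // reject is one click, same as accept
    savePreferences: (choices) => save(choices),
    // Which scripts may run right now: essential always, others only with consent.
    permitted() {
      const s = load();
      return SCRIPTS.filter((x) => x.category === 'essential' || (s !== null && s[x.category]));
    },
    // Inject exactly the permitted scripts; call once on load and again after each choice.
    apply() { return this.permitted().map((x) => inject(x.src)); },
  };
}
```

On a real page, `apply()` runs once at load (injecting only essential scripts while `state()` is null) and again from the banner's button handlers after `acceptAll`, `rejectAll` or `savePreferences`.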
Related guides
AI-Built Website Liability Under UK Law
ICO enforces UK GDPR, PECR and Equality Act against the site owner, not Cursor, Lovable or the developer. EU PLD doesn't apply post-Brexit.
Analytics Without Consent UK: What the ICO Allows in 2026
Google Analytics needs consent under UK PECR. Server-log and cookieless tools like Plausible may not. The ICO's position and a decision framework.
Complete GDPR Website Audit: Step-by-Step Checklist
A step-by-step GDPR audit checklist for your website. Check cookies, tracking, privacy policy, forms, third-party services and security in one pass.
Contact Form GDPR Requirements: Article 13 Compliance
What a GDPR-compliant contact form needs: Article 13 information, the right legal basis (legitimate interest vs precontractual), unchecked boxes, retention.
Cookie banner dark patterns: ICO PECR enforcement 2026
The 12 cookie banner dark patterns per EDPB taxonomy. ICO top-100 letter campaign, PECR enforcement and what the scanner detects after clicking reject all.
Cookie Banner Requirements Under EU Law (2026 Guide)
Cookie banner requirements in the EU 2026: reject equal to accept, no dark patterns, prior consent. EDPB Guidelines 05/2020 explained.
Cookie Banner Rules in the UK: What the ICO Requires in 2026
Cookie banner rules in the UK: ICO requirements for accept/reject parity, no pre-ticked boxes, no cookie walls, plus PECR enforcement up to 2025.
Cookie consent in the UK: ICO rules your website must follow
Cookie consent rules for UK websites. PECR Regulation 6 requirements, ICO guidance, what 'strictly necessary' means and how to test your banner.
Data Breach Reporting Under GDPR: 72-Hour Notification
Report a personal data breach under GDPR Article 33: the 72-hour clock, when notification is required, what to file and when to tell affected individuals.
Data Processing Agreement (DPA): Article 28 GDPR Guide
When a third-party service needs a Data Processing Agreement under GDPR Article 28: required clauses, common processors and how to handle DPA refusal.
DMCCA 2024: 10% Turnover Fines for Dark Patterns on UK Sites
DMCCA 2024 gives the CMA power to fine UK sites up to 10% of global turnover for drip pricing, fake reviews and subscription traps. What's prohibited and when.
Do I Need a Cookie Banner on My UK Website?
Do UK websites need a cookie banner? Yes if you run Google Analytics, Facebook Pixel or any tracking. What PECR Regulation 6 and the ICO actually require.
Do I Need a Cookie Banner? EU Decision Guide
Simple decision guide for EU businesses: when does your website actually need a cookie banner? Three questions to find out, with the legal basis explained.
GDPR Compliance Checklist for Your Website (2026)
A practical GDPR checklist for small business websites. Check cookies, privacy policy, consent forms, and tracking scripts.
GDPR compliance for UK businesses: website checklist 2026
GDPR compliance for UK businesses in 2026: nine website obligations under UK GDPR and PECR. Privacy notice, cookie consent, ICO fee, Companies House details.
GDPR Data Retention Periods: Article 5(1)(e) Guide
How long can you keep personal data under GDPR? The Article 5(1)(e) storage limitation principle and retention periods by data category for EU businesses.
GDPR for UK Hotel Websites: Booking Data, Loyalty and CCTV
UK GDPR for hotels in 2026. Hotel booking data, passport scans, dietary needs, loyalty programmes, CCTV and what the ICO checks on hospitality sites.
GDPR for UK Restaurant Websites: Data, Bookings, and Consent
UK GDPR and PECR for restaurant websites: bookings, email signups, cookies, payment data. ICO guidance with examples.
GDPR Records of Processing: Article 30 Template
Build the Article 30 GDPR record of processing activities. Who is exempt, what to include, controller vs processor versions and a ready-to-fill template.
Google Analytics and GDPR: Is GA4 Legal in the EU? (2026)
Can you use Google Analytics 4 in the EU? The consent requirement, the EU-US DPF transfer mechanism, Consent Mode v2 limits and cookieless alternatives.
How to Write a UK Privacy Policy: Generator and Guide
How to write a UK GDPR privacy policy. Article 13 disclosures, Companies House details, UK representative rules, the ICO, PECR cookies and DUAA 2025.
ICO investigation process: what UK firms can expect
ICO investigation: information notices, 30-day deadlines, formal investigations, fine decisions and appeal routes.
Is a website trustworthy? 10 signals to check in 2026
Practical checks to verify a website is legitimate in 2026. HTTPS, privacy policy, Companies House registration, contact details and certificate validation.
PECR Cookie Rules UK: What the ICO Actually Enforces
PECR cookie rules UK: what Regulation 6 requires, how it differs from UK GDPR and what the ICO actually enforces on non-essential cookies.
UK GDPR Article 32: Website Security the ICO Expects
UK GDPR Article 32 explained. What ICO security expectations look like, NCSC technical guidance, encryption, access controls and the patch-timing rules.
UK GDPR fines under the ICO: what penalties look like
ICO fine bands under UK GDPR: up to £17.5M or 4% of global turnover. Marriott, BA and TikTok cases explained. What SMBs realistically face.
UK GDPR for Charities: Fundraising, Volunteers, Donor Data
UK GDPR for charities in 2026. Fundraising consent, donor data, Gift Aid records, volunteer information and what the Fundraising Regulator now expects.
UK GDPR vs EU GDPR after Brexit for UK businesses
UK GDPR vs EU GDPR for British SMEs in 2026. The Data (Use and Access) Act 2025, PECR cookies, ICO enforcement and when you still need an EU representative.
UK GDPR vs EU GDPR: Brexit and DUAA 2025 changes
UK GDPR vs EU GDPR differences in 2026: when each applies, what the DUAA 2025 changed, adequacy status and dual compliance for UK firms selling to the EU.
UK website privacy notice requirements after DUAA (2026)
The 14 mandatory elements of a UK GDPR privacy notice. DUAA 2025 changes, new complaint mechanism, recognised legitimate interests and ICO checklist for SMEs.
Website Hacked? UK Incident Response in the First 72 Hours
Website hacked? UK incident response in the first 72 hours. ICO Article 33 notification, Article 34 user alerts, Action Fraud reporting and NCSC steps.
What the ICO Actually Checks on Your Website in 2026
Concrete list of what the ICO checks when a complaint about your UK website lands on its desk. Cookie banner, privacy notice, SAR, breach notification.
YouTube Embed and GDPR: Cookie-Free Approaches
Standard YouTube embeds place tracking cookies before consent. Two compliant patterns under GDPR: youtube-nocookie.com and click-to-load facade, with code.
Cookie-Script Alone Isn't Enough: What a Full Scan Reveals
Cookie-Script handles PECR consent well, but a full website audit catches everything it misses: data leaks, image copyright, accessibility and SSL issues.
Double Opt-in in the UK: Required, Recommended or Optional?
Is double opt-in required in the UK? What PECR Reg 22 and the ICO say, how UK practice differs from German Bestätigungsverfahren and when to use it.
GDPR Fines for Small Businesses: Real Cases and Amounts
Real GDPR fines for small businesses run from about 1,000 to 50,000 EUR. See published regulator decisions, what triggers enforcement and how to avoid it.
GDPR for accountants in the UK: ICAEW, ACCA & AML
GDPR for UK accountants. ICAEW/ACCA/AAT standards, MLR 2017 anti-money laundering, client confidentiality, ICO breach notification, and website rules.
GDPR for dental practices in the UK
UK GDPR for dental practices in 2026. Patient data as special category, GDC registration, NHS record retention, online booking and breach notification.
GDPR for estate agents in the UK: Propertymark & AML
GDPR for UK estate agents. Propertymark, MLR 2017 anti-money laundering, viewings, photography, tenancy data, ICO breach notification, and website rules.
GDPR for hair & beauty salons in the UK: NHBF guide
GDPR for UK hair and beauty salons. Treatwell, Phorest, Fresha booking platforms, patch-test records, ICO breach rules, and website compliance.
GDPR for physiotherapists in the UK: CSP & HCPC
GDPR for UK physiotherapy practices. CSP, HCPC, ICO data fee, patient-record retention, online booking, and ICO breach notification under UK GDPR.
GDPR for UK solicitors: SRA, Law Society, ICO rules
UK GDPR for solicitors. SRA Standards, Law Society guidance, LPP overlap, MLR 2017 retention and website compliance.
GDPR for veterinary practices in the UK: RCVS & ICO
GDPR for UK veterinary practices. RCVS Code, pet-owner data, clinical-record retention, online booking, payment, and breach notification under UK GDPR.
Newsletter Signup Forms: UK GDPR and PECR Requirements
What a UK newsletter signup form must do under PECR Reg 22 and UK GDPR Art 7. Consent wording, opt-in vs opt-out, source records and ICO evidence rules.
Pre-Ticked Checkboxes: Why They Fail UK Consent Rules
Why pre-ticked checkboxes fail UK consent rules. PECR Reg 6, UK GDPR Art 7, the Planet49 ruling and what the ICO checks on cookie banners and signup forms.
Third-party tracking on UK websites: find and consent
Find trackers (Google Analytics, Facebook Pixel, YouTube, Maps). UK PECR Reg 6 and UK GDPR Article 6 consent rules.
Data (Use and Access) Act 2025: UK website changes
Data (Use and Access) Act 2025 reforms UK GDPR and the DPA 2018 from Royal Assent on 19 June 2025. What changes for UK websites and what stays the same.
DPA 2018 vs UK GDPR: Which Law Applies to Your Website?
The DPA 2018 and UK GDPR work together but cover different ground. Which applies to your website, when DPA exemptions bite and how they interact in 2026.
Legitimate interests for marketing: UK GDPR LIA test
Legitimate interests under UK GDPR Article 6(1)(f). How UK businesses pass the three-part LIA test for marketing and when PECR consent rules still apply.
Product Liability Directive 2024/2853: 9 Dec 2026
Directive (EU) 2024/2853 makes software and AI 'products' for strict liability on 9 Dec 2026. What it means for SMBs, and what it does not change.
The EU AI Act for Website Owners (2026)
Article 50 applies 2 Aug 2026. For most SMB sites it creates almost no new obligations. Here's the honest checklist before the deadline.
Related from other areas
Does the European Accessibility Act Apply to Your Business?
The EAA became enforceable in June 2025. Find out if it applies to your business, what it requires and what happens if you don't comply.
Website Security Checklist: 10 Things to Check Today
A practical security checklist for small business websites. 10 things you can check and fix today without technical expertise.
Check your website now
Scan your website for GDPR & Privacy issues and 30+ other checks.