
UK GDPR, ICO and cookies: a practical website guide

mekyn Editorial

How UK businesses meet UK GDPR, PECR and ICO cookie rules in 2026 — consent, data subject rights, breach reporting and a practical compliance checklist.

UK data protection law is now a mature, well-enforced discipline. The UK General Data Protection Regulation (the retained EU law version) sits alongside the Data Protection Act 2018 and, for electronic marketing and cookies, the Privacy and Electronic Communications Regulations 2003 (PECR). The regulator is the Information Commissioner’s Office (ICO), which has both guidance and real enforcement teeth, with penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.

For most UK small businesses, the cost of getting this right is modest. The cost of getting it wrong — a regulatory notice, a customer complaint upheld by the ICO, or a data breach that requires public notification — is not.

What the law actually requires

Three obligations sit at the heart of UK data protection law for any website that processes personal data of UK residents.

Lawful basis for processing. Every piece of personal data a business collects — a name, an email address, a phone number, an IP address logged by analytics, a cookie identifier — must have a lawful basis under UK GDPR Article 6. For most marketing and analytics work, that basis is either consent (for anything the visitor has actively agreed to) or legitimate interests (for processing that is necessary, balanced against the rights of the individual, and properly documented in a legitimate interests assessment). The two are not interchangeable; the ICO is clear that consent must be freely given, specific, informed and unambiguous. For cookies and similar technologies PECR applies first: where PECR requires consent, legitimate interests cannot be substituted for it.

Transparency. The privacy notice must tell people, in clear and plain language, who the business is, what data it collects, why, on what basis, who it is shared with, how long it is kept, and what rights the individual has. A privacy notice that is technically present but practically unreadable is not compliant. The ICO has been explicit that dark patterns, pre-ticked boxes and buried disclosures are unacceptable.

Data subject rights. Individuals have the right to access the data a business holds about them, to have it corrected, to have it deleted in defined circumstances, to restrict or object to processing, to data portability, and to complain to the ICO. Subject access requests must be answered within one calendar month (extendable by up to two further months for complex or numerous requests, provided the individual is told within the first month), and the response is free of charge in most cases.

Cookies and PECR

PECR sits alongside UK GDPR and applies specifically to electronic communications. For websites, its most important rule is on cookies and similar tracking technologies: consent is required for any cookie that is not strictly necessary to provide the service the visitor has requested. The rule covers any storing of, or access to, information on the visitor’s device (cookies, local storage, tracking pixels, fingerprinting scripts), and it applies whether or not the information stored is personal data.

In practice, that means:

  • Strictly necessary cookies — for example, a cookie that remembers items in a shopping basket or a session token that keeps someone logged in — can be set without consent. The exemption is narrow: necessary means necessary for the service the visitor asked for, not convenient for the business, and it is still good practice to list these cookies in the notice.
  • Analytics cookies (Google Analytics, Matomo and similar) — require consent, even though they are widely used. A tool that stores and reads nothing on the visitor’s device (Plausible’s default cookie-less mode is the usual example) falls outside the PECR consent rule, but the IP address and other data it collects still need a UK GDPR lawful basis.
  • Marketing and advertising cookies — require prior, specific consent, and the visitor must be able to refuse as easily as they can accept.
  • Embedded third-party content — a YouTube video, a Google Maps widget, a Facebook pixel — sets cookies when the page loads. The ICO treats this as a use of cookies that requires consent unless the embedded content is genuinely necessary; the usual fix is a click-to-load placeholder that only fetches the third-party resource after the visitor asks for it.

The ICO’s 2024 update to its cookies guidance made it clear that banner designs that nudge visitors towards acceptance are non-compliant. Consent must be as easy to refuse as to give. There must be no pre-ticked boxes, no implied consent from continued browsing, and no cookie walls that block access to a service unless the visitor accepts everything.

The practical approach is a consent management platform (CMP) that categorises cookies, blocks non-essential scripts until consent is given, and records the visitor’s choice with a timestamp. The record should also capture which version of the notice the visitor saw and exactly what they chose, and the site should ask again when the notice or the categories change. Reputable CMPs handle this cleanly and keep the logs the ICO expects to see if anything goes wrong. The common failure is a banner that hides itself while the tags have already fired on page load: it is the script gating, not the banner, that has to be right.

Data breaches: what to report

A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. For most small businesses, the common cases are a lost laptop, a misdirected email containing customer data, or a website vulnerability that exposes user records.

The ICO’s self-assessment tool asks whether the breach is likely to result in a risk to the rights and freedoms of the individuals affected. If yes, the business must notify the ICO within 72 hours of becoming aware of the breach. If the risk is high, the affected individuals must also be told without undue delay. Every breach, reported or not, must be recorded internally with the facts, its effects and the action taken, because the ICO can ask to see that record.

The 72-hour clock starts when the business has a reasonable degree of certainty that a breach has occurred, not from the moment the breach technically happened, and it runs over evenings, weekends and bank holidays. The initial notification does not have to be complete: UK GDPR allows the details to be supplied in phases as the investigation progresses, so an incomplete picture is not a reason to miss the deadline. A process for triage, escalation and decision-making is the practical requirement.

ICO enforcement: what it looks like

The ICO’s enforcement powers range from informal advice and audit, through compliance notices, to monetary penalty notices and prosecution. Recent enforcement has shown a clear pattern: poor consent practices, inadequate security on customer data, and failure to handle subject access requests are the areas where fines and public reprimands are most likely.

A few practical points:

  • Reprimands are public and searchable. Being named on the ICO’s enforcement list is a real reputational cost.
  • The statutory maximum fine is set by turnover, not profit, and the ICO’s fining approach scales the penalty to turnover. For SMEs, even a “small” fine is meaningful.
  • Demonstrable process counts for a great deal. A business that can show clear policies, training records, evidence of consent and a functioning breach response is treated very differently from one that cannot.

A practical checklist for 2026

A realistic compliance programme for a small UK business:

  1. Document the data you process, why and on what basis — a record of processing activities, kept current, ideally reviewed annually.
  2. Audit your cookies and trackers — list every cookie, local storage key and pixel your site sets (including those set by third-party embeds), classify each as necessary or not, and ensure non-essential ones are blocked until consent is given. Check this in a fresh browser session with consent refused, using the browser’s developer tools: if any non-essential cookie is present before the visitor has chosen, the gating is not working.
  3. Update the privacy notice — written in clear English, accurate, easy to find, dated.
  4. Use a consent management platform — one that meets the ICO’s standard, gives genuine choice, and keeps an auditable log.
  5. Train the team — particularly on phishing, on misdirected emails, and on what to do if something goes wrong.
  6. Have a breach response plan — clear ownership, a triage script, a 72-hour clock, and a list of who to call for forensic or legal help if needed.
  7. Keep evidence of compliance — the ICO’s question after an incident is “show me what you had in place”. The answer is in the records, not in the moment.
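The gating and audit logic behind checklist items 2 and 4, and behind the consent management platform paragraph in the cookies section, as an added example that is not the article's own code nor any CMP vendor's. It is plain JavaScript that runs in Node without a browser; every identifier in it (the category list, the necessary-cookie allow-list, decideConsent, consentIsCurrent, gateScripts, auditCookies, the sample scripts and cookie string) is this example's own assumption, as is the 180-day maximum age for a stored consent record. The ICO guidance names no such API.

```javascript
// Added example, not code from the article or from any CMP vendor: consent
// gating and a cookie audit as plain JavaScript that runs in Node without a
// browser. Every identifier below is this example's own.

// Cookie categories in the sense the article uses them. "necessary" is the only
// one that may be active without consent; every other category starts off.
const CATEGORIES = ["necessary", "analytics", "marketing", "embedded"];

// Assumed allow-list of first-party cookies this site treats as strictly
// necessary (login session, basket, CSRF token, the consent record itself).
// A real site fills this list from its own cookie audit, not from guesswork.
const NECESSARY_COOKIES = new Set(["sessionid", "basket", "csrftoken", "cookie_consent"]);

// Constructed sample: scripts declared inert in the HTML (for example
// <script type="text/plain" data-category="analytics" data-src="...">) and
// handed to the gate as objects. "untagged-widget" deliberately has no category.
const SAMPLE_SCRIPTS = [
  { id: "session-keepalive", category: "necessary", src: "/static/keepalive.js" },
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "video-embed", category: "embedded", src: "https://video.example/embed.js" },
  { id: "untagged-widget", src: "https://widget.example/w.js" },
];

// Constructed sample document.cookie string as an audit would capture it.
const SAMPLE_COOKIE_HEADER = "sessionid=k3j2; _ga=GA1.2.1; basket=3; _fbp=fb.1.9; cookie_consent=v1";

// Turn the visitor's action into a consent record. "accept-all" and
// "reject-all" are single calls of equal weight (refusing is as easy as
// accepting); an array is a granular selection; anything else is a refusal.
function decideConsent(choice, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    if (c === "necessary") granted[c] = true;               // never refusable
    else if (choice === "accept-all") granted[c] = true;
    else if (choice === "reject-all") granted[c] = false;
    else granted[c] = Array.isArray(choice) && choice.includes(c);
  }
  return {
    noticeVersion: 1,                         // bump whenever the notice or categories change
    timestamp: new Date(now).toISOString(),   // the timestamp the ICO expects to see
    granted,
  };
}

// A stored record only counts while it matches the current notice version and
// is younger than an assumed maximum age (180 days here); otherwise ask again.
function consentIsCurrent(record, now = Date.now(), maxAgeDays = 180) {
  if (!record || record.noticeVersion !== 1) return false;
  const ageMs = now - Date.parse(record.timestamp);
  return ageMs >= 0 && ageMs < maxAgeDays * 86400 * 1000;
}

// Return the scripts that may be activated under the record. A script with no
// declared category is treated as the most restricted kind rather than
// slipping through, which is the gating failure an audit usually finds.
function gateScripts(scripts, record) {
  return scripts.filter((s) => record.granted[s.category || "marketing"] === true);
}

// Activate permitted scripts by creating real <script> elements. In Node there
// is no document, so this only reports how many would have been activated.
function activate(scripts) {
  if (typeof document === "undefined") return scripts.length;
  for (const s of scripts) {
    const el = document.createElement("script");
    el.src = s.src;
    document.head.appendChild(el);
  }
  return scripts.length;
}

// Cookie audit: classify every cookie present. Anything not on the necessary
// allow-list needs consent, which is the article's audit step in code.
function auditCookies(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => {
      const name = pair.split("=")[0].trim();
      return { name, status: NECESSARY_COOKIES.has(name) ? "necessary" : "needs-consent" };
    });
}

// Run the whole flow for one visitor choice and return what was decided.
function demo(choice, now = Date.now()) {
  const record = decideConsent(choice, now);
  const allowed = gateScripts(SAMPLE_SCRIPTS, record);
  activate(allowed);
  return {
    record,
    allowed: allowed.map((s) => s.id),
    audit: auditCookies(SAMPLE_COOKIE_HEADER),
    stillValidIn30Days: consentIsCurrent(record, now + 30 * 86400 * 1000),
  };
}

console.log(JSON.stringify(demo("reject-all"), null, 2));
```

The design point is that refusal is the default state and the untagged script is denied rather than allowed: with "reject-all" only the session keepalive runs, and the audit flags _ga and _fbp as needing consent while the session, basket and consent cookies pass. In a browser the same functions would read the stored record on page load, call gateScripts before any third-party tag is created, and fall back to showing the banner whenever consentIsCurrent returns false.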

The framework is mature, the regulator is well-resourced, and the rules have been stable for years. UK data protection law is not a barrier to running a digital business; it is the ground rules that allow UK consumers to trust digital businesses. Getting them right is straightforward, and the cost of getting them wrong is not.