
Is your website GDPR compliant?

Plain-English UK GDPR checklist for small business websites in 2026. Cookies, privacy policies, contact forms, analytics — what you actually need.

UK GDPR vs EU GDPR after Brexit

Since 2021 the UK has had its own version of GDPR (the "UK GDPR") which sits alongside the Data Protection Act 2018. In practice for a small business website it's nearly identical to the EU GDPR — same principles, same rights for individuals, same fines structure.

You also need to comply with PECR (Privacy and Electronic Communications Regulations), which is the part that governs cookies and direct marketing. PECR is older than GDPR but still very much in force.

Cookie banner requirements (PECR)

If your website uses any non-essential cookies — Google Analytics, Facebook Pixel, embedded YouTube videos, marketing tags, etc. — you need a cookie banner that:

  • Asks for clear consent before any non-essential cookies are set
  • Allows the user to reject just as easily as accept (single-click reject is now expected)
  • Lets the user change their mind later
  • Lists what each cookie does

What you DON'T need a banner for

Essential cookies — login sessions, shopping carts, security — don't require consent. They're needed for the site to function.

If your site uses only essential cookies (no analytics, no embeds, no marketing), you don't need a banner. Most small business sites do use analytics though, so most do need one.

Privacy policy essentials

Every website that collects any personal data needs a Privacy Policy. For a typical small business website, "personal data" includes: contact form submissions, IP addresses logged by analytics, anything you collect via newsletter sign-up.

Your policy must include:

  • Who you are (legal name, address, ICO registration number if applicable)
  • What data you collect and why
  • Lawful basis for processing each type of data
  • How long you keep it
  • Who you share it with (e.g. email provider, hosting company)
  • User rights: access, correction, deletion, portability
  • How to complain to the ICO

Contact form consent

A simple contact form ("name, email, message") doesn't need a tick-box consent — submitting the form is itself an act of consent for you to reply.

But: if you're going to add the email to a marketing list, you DO need a separate, unticked tick-box for that. "Yes, I'd like to receive your newsletter" — opt-in only, never opt-out.
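The opt-in rule above has one trap in practice: an unticked HTML checkbox is simply absent from the submitted form body, so server code has to treat "no field" as "no consent" and only an explicit affirmative value as a yes. This added example (not PageLaunch's code) shows that logic for a contact form handler; the field name `newsletter_opt_in`, the checkbox wording and the `source` label are assumptions, and the consent record reflects the UK GDPR requirement that you be able to show when and how consent was given.

```javascript
// Added example: server-side handling of a contact form with an optional,
// unticked newsletter box. Replying to the enquiry needs no tick-box; adding
// the address to a marketing list needs an explicit opt-in.

const NEWSLETTER_FIELD = 'newsletter_opt_in';                    // assumed form field name
const CONSENT_TEXT = "Yes, I'd like to receive your newsletter"; // wording shown beside the box

// Render the opt-in box. It deliberately carries no `checked` attribute:
// a pre-ticked box is opt-out, which PECR does not allow for marketing.
function newsletterCheckboxHtml() {
  return `<label><input type="checkbox" name="${NEWSLETTER_FIELD}"> ${CONSENT_TEXT}</label>`;
}

// `body` is the parsed form submission (e.g. req.body from a form parser).
// Returns what the site should do with it; nothing here sends email itself.
function processContactSubmission(body, now = new Date()) {
  const name = String(body.name || '').trim();
  const email = String(body.email || '').trim();
  const message = String(body.message || '').trim();
  if (!name || !email || !message) {
    throw new Error('name, email and message are required');
  }

  const actions = { replyTo: email, addToMarketingList: false, consentRecord: null };

  // Browsers send a ticked checkbox with no explicit value as "on". Anything
  // else (field missing, '', 'off', 'false') leaves the person off the list.
  if (body[NEWSLETTER_FIELD] === 'on') {
    actions.addToMarketingList = true;
    // Keep evidence of the consent: what they agreed to, when, and where.
    actions.consentRecord = {
      email,
      wording: CONSENT_TEXT,
      givenAt: now.toISOString(),
      source: 'website-contact-form', // assumed label for your own records
    };
  }
  return actions;
}
```

The handler never infers marketing consent from the fact that someone wrote to you; the enquiry reply and the newsletter are kept as two separate decisions, which is the distinction the section above draws.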

Analytics and third-party scripts

Google Analytics 4 in default config sets cookies that need consent. If you want to track without a cookie banner, you can:

  • Use a privacy-respecting alternative like Plausible, Fathom or Simple Analytics (cookieless, no consent needed)
  • Configure GA4 in "consent mode" so it only fires after consent
  • Use server-side analytics that don't set client cookies
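The banner requirements listed earlier (consent before any non-essential cookie is set, reject as easy as accept, the ability to change your mind later) and the GA4 "consent mode" bullet above come down to the same piece of front-end logic: decide the consent state first, tell GA4 what it is, and only then load the analytics script. This added example (not PageLaunch's code, nor Google's) shows that gate. The `gtag('consent', 'default' | 'update', ...)` calls and the `analytics_storage`/`ad_storage`/`ad_user_data`/`ad_personalization` keys are GA4's real consent-mode API; the storage key, the `data-accept`/`data-reject` banner markup, and the `G-XXXXXXX` measurement ID are assumptions or placeholders. Storage and the script loader are injected so the logic can be exercised outside a browser.

```javascript
// Added example: a consent gate for a small site that wants analytics but
// must not set non-essential cookies until the visitor agrees.

const CONSENT_KEY = 'cookie-consent-v1'; // assumed storage key; bump it when your cookie list changes

// Default state is "no decision yet": every non-essential category is off.
// Essential cookies (sessions, carts, security) are not gated at all.
function defaultState() {
  return { decided: false, analytics: false, marketing: false, timestamp: null };
}

// Map our state onto GA4 consent mode. Everything starts 'denied'; GA4 then
// sends cookieless pings only, which is what "consent mode" means.
function consentModePayload(state) {
  const analytics = state.analytics ? 'granted' : 'denied';
  const marketing = state.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// storage: anything with getItem/setItem/removeItem (localStorage in a page).
// loadAnalytics: injects the gtag.js script. gtag: the dataLayer stub, or null.
function createConsentManager({ storage, loadAnalytics, gtag }) {
  let state = defaultState();
  let analyticsLoaded = false;

  const raw = storage.getItem(CONSENT_KEY);
  if (raw) {
    try { state = { ...defaultState(), ...JSON.parse(raw) }; } catch (_) { state = defaultState(); }
  }

  // Push the current state to GA4, then load the script only if analytics
  // is granted. A script already loaded cannot be unloaded, so after a
  // withdrawal the 'denied' update is what stops further cookie writes.
  function apply() {
    if (gtag) gtag('consent', 'update', consentModePayload(state));
    if (state.analytics && !analyticsLoaded) {
      loadAnalytics();
      analyticsLoaded = true;
    }
  }

  function save(next) {
    state = { ...next, decided: true, timestamp: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
    apply();
  }

  return {
    // Consent default must be declared before gtag.js is configured.
    start() { if (gtag) gtag('consent', 'default', consentModePayload(defaultState())); apply(); },
    needsBanner: () => !state.decided,
    getState: () => ({ ...state }),
    acceptAll: () => save({ analytics: true, marketing: true }),
    rejectAll: () => save({ analytics: false, marketing: false }),           // one click, same as accept
    setCategories: (c) => save({ analytics: !!c.analytics, marketing: !!c.marketing }),
    withdraw() { storage.removeItem(CONSENT_KEY); state = defaultState(); apply(); }, // "change their mind later"
    analyticsLoaded: () => analyticsLoaded,
  };
}

// Browser wiring; skipped when this file runs outside a page.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); }; // gtag.js expects an arguments object
  const MEASUREMENT_ID = 'G-XXXXXXX'; // placeholder: your GA4 measurement ID
  const manager = createConsentManager({
    storage: window.localStorage,
    gtag,
    loadAnalytics() {
      const s = document.createElement('script');
      s.async = true;
      s.src = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
      document.head.appendChild(s);
      gtag('js', new Date());
      gtag('config', MEASUREMENT_ID);
    },
  });
  manager.start();
  const banner = document.getElementById('cookie-banner'); // assumed markup with two equally prominent buttons
  if (banner && manager.needsBanner()) {
    banner.hidden = false;
    banner.querySelector('[data-accept]').addEventListener('click', () => { manager.acceptAll(); banner.hidden = true; });
    banner.querySelector('[data-reject]').addEventListener('click', () => { manager.rejectAll(); banner.hidden = true; });
  }
}
```

The order of operations is the point: the consent default goes out before any `config` call, the analytics script is not even requested until a stored or freshly given "accept" exists, and the reject path is a single call with the same prominence as accept. A "cookie settings" link in the footer can call `withdraw()` to satisfy the "change their mind later" requirement.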

ICO complaints reality

The Information Commissioner's Office is the UK regulator. In 2024-25 they received around 40,000 complaints, the majority about marketing emails and direct mail rather than website issues.

Small business websites very rarely get fined — the ICO's enforcement focuses on big offenders. But you can be fined up to £8.7m or 2% of turnover for serious GDPR breaches, so getting basics right is wise even at small scale.

The ICO publishes a free Self-Assessment for SMEs that walks through the whole thing. Worth half an hour of your time.

Quick checklist

  • Cookie banner with clear accept/reject (if using non-essential cookies)
  • Privacy Policy linked from footer of every page
  • Contact form does not auto-add to marketing list
  • Marketing list signups are opt-in (unticked tick-box)
  • You've registered with ICO if required (most service businesses with a contact form do need to — £40-£60/year)
  • You know which third parties process your data (hosting, email, analytics)
  • You have a clear process if someone asks for their data deleted
  • Site is HTTPS (SSL certificate)

How PageLaunch handles it

Every site we build comes with: HTTPS by default, a working cookie banner if you want analytics, a Privacy Policy template you customise, a contact form that doesn't auto-add submissions to a marketing list, and an option for cookieless analytics if you'd rather skip the banner entirely.

We don't do legal advice — your specific Privacy Policy wording is yours to finalise. But we get you 90% there at no extra cost on every plan. See pricing page.

Next steps

GDPR compliance is one of those topics that sounds scary but is mostly common sense. Get the basics right (banner, policy, opt-in marketing) and you're fine for the vast majority of small business situations.

If you're overhauling your website anyway, build compliance in from the start — see cheap web design or our how to choose a web designer guide for what else to look for.

Common questions

Most businesses processing personal data do — including any contact form. Annual fee is £40-£60.

Yes — many free options work fine. We include one as standard on PageLaunch sites.

You need consent before it fires, OR switch to a cookieless alternative like Plausible. We support both.
