
What are the legal requirements for a website? (Updated June 2026)

Published on
June 12, 2026

If you run a website for a UK business, a handful of laws decide what you are obliged to show, ask, and protect. The rules changed meaningfully in 2025 and 2026, so a page that was compliant two years ago may not be compliant now. This guide sets out what the law requires, what is strongly advisable, and where the recent changes land.

A short, plain note before we begin: this is general information, not legal advice. The right answer for your business depends on your sector, where your customers are, and how you collect data. If you are in a regulated industry or unsure, take specialist advice.

What Are the Core Legal Requirements for a UK Website?

Most UK business websites need to cover five things: a lawful approach to cookies and tracking, compliance with UK data protection law, clear company identity and contact details, fair and accurate consumer information, and proper handling of intellectual property. Public sector bodies have a sixth duty around accessibility, and every business carries a baseline accessibility obligation under equality law. We will take each in turn.

Do You Need a Cookie Banner, and What Must It Do?

Cookies and similar tracking technologies are governed by the Privacy and Electronic Communications Regulations (PECR), enforced by the Information Commissioner's Office (ICO). The headline rule has not changed: for anything that is not strictly necessary, you must get the visitor's consent before the cookie is set.

What has changed is the detail, and it matters. The Data (Use and Access) Act 2025 amended PECR, with the cookie provisions coming into force on 5 February 2026, and the ICO finalised its updated guidance on storage and access technologies on 29 April 2026. Together they set a clear standard for what a compliant consent mechanism looks like.

What a Compliant Consent Banner Looks Like

The ICO's position is that your banner must do the following:

  • Tell people the cookies are there and explain, in plain terms, what each type does and why.
  • Obtain consent before non-essential cookies are set, not after the page has loaded. In practice this means analytics and advertising tags, including anything a tag manager fires automatically, must not run until the visitor's choice has been recorded.
  • Give a genuine choice, with no pre-ticked boxes and no consent assumed from continued browsing.
  • Present "Accept all" and "Reject all" with equal prominence, so refusing is as easy as accepting.

Once a visitor has made their choice, you do not have to ask again on every visit, provided their preference still holds.

What Are the New Cookie Exceptions in 2026?

The 2025 Act added new categories of cookie that no longer need prior consent, alongside the existing strictly necessary and communication exceptions. The most relevant for most businesses are:

  • Statistical purposes: first-party analytics used only to collect information about how your site is used so you can improve it.
  • Appearance: remembering display preferences a visitor has chosen, such as a dark mode setting.
  • Emergency assistance: establishing a user's location to provide emergency help.

There is an important condition. For the statistical and appearance exceptions, you must still tell people what you are doing and give them a simple, free way to object. The relief is narrow, too: analytics data generally cannot be shared with third parties, and any tracking that feeds advertising or is shared with ad partners still needs full consent.
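The two points above, consent before non-essential cookies are set and the narrower opt-out treatment for first-party statistics, are easiest to see in code. The following consent gate is an added example written for this guide, not code from the page's author or from any consent-management product. The cookie name, the policy version, the category names and the script URLs are assumptions; whether a given analytics tool actually qualifies for the statistical exception is a legal question the code does not decide.

```javascript
// Added example: a consent gate that loads non-essential scripts only once the
// visitor's choice allows it. Names, URLs and categories below are assumptions.

const CONSENT_COOKIE = "site_consent"; // first-party cookie recording the choice (assumed name)
const POLICY_VERSION = 1;              // bump when purposes change, so visitors are asked again

// "opt-in" categories run nothing until the visitor accepts. "opt-out" models the 2026
// statistical exception: first-party analytics may run without prior consent, but the
// visitor must be told and must be able to object. Advertising tags are always opt-in.
const CATEGORIES = {
  statistics:  { mode: "opt-out", scripts: ["/static/first-party-analytics.js"] }, // assumed URL
  advertising: { mode: "opt-in",  scripts: ["https://ads.example/tag.js"] },       // assumed URL
};

// Parse a Cookie header or document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The stored decision, or null when absent, malformed, or recorded under an older policy.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.v !== POLICY_VERSION || typeof rec.c !== "object" || rec.c === null) return null;
    return rec.c; // e.g. { statistics: true, advertising: false }
  } catch {
    return null;
  }
}

// Categories permitted right now: opt-in needs an explicit true, opt-out runs unless
// the visitor has explicitly said false.
function allowedCategories(cookieString) {
  const choice = readConsent(cookieString);
  const allowed = [];
  for (const [name, cat] of Object.entries(CATEGORIES)) {
    const decided = choice && typeof choice[name] === "boolean" ? choice[name] : null;
    if (cat.mode === "opt-in" ? decided === true : decided !== false) allowed.push(name);
  }
  return allowed;
}

// Script URLs that may be injected at this point; everything else stays out of the page.
function scriptsToLoad(cookieString) {
  return allowedCategories(cookieString).flatMap((name) => CATEGORIES[name].scripts);
}

// Cookie value for a decision. Secure and SameSite=Lax keep the record itself off plain
// HTTP and out of cross-site requests; six months is an assumed retention period.
function consentCookieValue(choices, maxAgeDays = 180) {
  const rec = encodeURIComponent(JSON.stringify({ v: POLICY_VERSION, c: choices }));
  return `${CONSENT_COOKIE}=${rec}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Decisions behind the two equally prominent buttons.
function acceptAll() { return Object.fromEntries(Object.keys(CATEGORIES).map((k) => [k, true])); }
function rejectAll() { return Object.fromEntries(Object.keys(CATEGORIES).map((k) => [k, false])); }

// Browser glue: run before any tag manager or analytics snippet. Returns true when a
// valid decision exists, false when the banner still needs to be shown.
function applyConsent(doc) {
  for (const src of scriptsToLoad(doc.cookie)) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return readConsent(doc.cookie) !== null;
}

if (typeof document !== "undefined") {
  // Assumed element ids for the banner and its two buttons.
  const banner = document.getElementById("consent-banner");
  if (!applyConsent(document) && banner) {
    banner.hidden = false;
    const record = (choices) => {
      document.cookie = consentCookieValue(choices);
      banner.hidden = true;
      applyConsent(document);
    };
    document.getElementById("consent-accept").addEventListener("click", () => record(acceptAll()));
    document.getElementById("consent-reject").addEventListener("click", () => record(rejectAll()));
  }
}
```

Two design points are worth noting. The policy version in the cookie is what lets you honour "do not ask again" while still re-asking when the purposes change. And because the gate runs from the stored cookie on every page load, the advertising tag is never on the page before the visitor clicks "Accept all", which is the point the regulator cares about.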

The Stakes for Getting It Wrong

The 2025 Act also raised the maximum fine the ICO can issue for a PECR breach, from the previous ceiling of £500,000 to £17.5 million or 4% of total worldwide annual turnover, whichever is higher, bringing it in line with UK GDPR. Beyond enforcement, a banner that nudges people toward "accept" tends to erode trust, and many visitors are wary of being tracked. A clear, even-handed banner is the safer position on both counts.

How Does UK Data Protection Law Affect Your Website?

Separately from cookies, the UK GDPR and the Data Protection Act 2018 govern how you collect, store, and share personal data, including anything gathered through contact forms, sign-ups, or accounts. The ICO enforces these rules, and the higher maximum fine is £17.5 million or 4% of total worldwide annual turnover, whichever is higher.

Collecting Data: Consent and Transparency

Where you rely on consent to collect personal data, that consent must be specific, informed, freely given, and a clear affirmative act by the person. A few practical points follow from this:

  • No pre-ticked boxes. You cannot assume consent. The person has to take a positive action.
  • Granular opt-in for marketing. Let people choose each channel they agree to be contacted by, such as email, telephone, or SMS, with a clear explanation of what they are agreeing to and why.
  • A clear privacy policy. Publish an accessible page that explains how you collect, store, use, and share data, and who people can contact about it. Linking it site-wide from the footer is the usual approach.

Storing Data: Keeping It Secure

UK GDPR requires you to take appropriate measures to protect the personal data you hold, and to report certain breaches to the ICO. On the website itself, that points to a few basics:

  • Use HTTPS with a valid TLS certificate. Often still called an SSL certificate, this encrypts and authenticates the connection so data cannot be read or altered in transit. Serve every page over HTTPS, redirect plain-HTTP requests to the HTTPS version, and keep the certificate renewed. It is also expected by browsers and search engines, which flag sites served over plain HTTP as "not secure". TLS protects data only while it moves; what you store on the server and in backups still needs its own protection.
  • Secure the hosting environment. Strong access controls (including multi-factor authentication on admin logins), current software including any CMS and plugins, and a firewall reduce the risk of a breach at the server level.
  • Keep records. Because data protection covers sharing as well as holding, keep a record of who can access your systems and document your security measures. Have a plan for breaches too: a reportable breach must be notified to the ICO within 72 hours of your becoming aware of it.
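The transport basics above are straightforward to check. The function below is an added example written for this guide, not code from the page's author: it runs the same checks an engineer would make by hand with `curl -sI` against the plain-HTTP and HTTPS responses of a site, here over constructed header sets so it runs offline. The hostname, the one-year HSTS minimum and the finding codes are assumptions.

```javascript
// Added example: offline audit of the transport basics. Feed it the status code and
// headers of the http:// response and the headers of the https:// response.

const MIN_HSTS_SECONDS = 31536000; // one year; assumed threshold

// Normalise header names to lower case; Set-Cookie may appear several times.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns a list of finding codes; an empty list means the checks passed.
function auditTransport({ hostname, httpStatus, httpHeaders, httpsHeaders }) {
  const findings = [];
  const http = normaliseHeaders(httpHeaders);
  const https = normaliseHeaders(httpsHeaders);

  // 1. Plain HTTP must redirect to the HTTPS origin, not serve content.
  const location = http["location"] || "";
  const redirects = [301, 302, 307, 308].includes(httpStatus);
  if (!redirects || !location.startsWith(`https://${hostname}`)) findings.push("no-https-redirect");

  // 2. HSTS tells browsers never to try plain HTTP again for this host.
  const hsts = https["strict-transport-security"];
  if (!hsts) {
    findings.push("hsts-missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_SECONDS) findings.push("hsts-short");
  }

  // 3. Cookies set over HTTPS must carry Secure, or they leak on any later http:// request.
  const cookies = [].concat(https["set-cookie"] || []);
  for (const c of cookies) {
    const name = c.split("=")[0].trim();
    if (!/;\s*secure(\s*;|$)/i.test(c)) findings.push(`cookie-not-secure:${name}`);
  }
  return findings;
}

// Constructed sample responses (not captured from a real site).
const GOOD_SITE = {
  hostname: "www.example.co.uk",
  httpStatus: 301,
  httpHeaders: { Location: "https://www.example.co.uk/" },
  httpsHeaders: {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  },
};

const WEAK_SITE = {
  hostname: "www.example.co.uk",
  httpStatus: 200,
  httpHeaders: { "Content-Type": "text/html" },
  httpsHeaders: {
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly"],
  },
};
```

Running `auditTransport(GOOD_SITE)` yields no findings, while `auditTransport(WEAK_SITE)` reports the missing redirect, the short HSTS lifetime and the session cookie set without the Secure attribute, which is the case where a contact-form session could be replayed over plain HTTP.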

What Company Information Must You Display?

Two sets of rules sit behind this. The Electronic Commerce (EC Directive) Regulations 2002 still apply to online services in the UK and require certain provider details to be easily, directly, and permanently accessible. For companies and limited liability partnerships, the Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015, made under the Companies Act 2006, set specific disclosure requirements that extend to your website.

If You Are a Limited Company or LLP

Your website should make the following clear:

  • Your registered company name.
  • The part of the UK in which you are registered, for example England and Wales.
  • Your company registration number.
  • The address of your registered office.

If you are registered for VAT, it is good practice to show your VAT number. A contact form on its own is not enough under the e-commerce rules: you also need an email address that lets people reach you directly, and a geographic address.

If You Are a Sole Trader or Partnership

If you trade under a name that is not your own name or the names of all the partners, the business names rules can require you to disclose who is behind the business and an address where documents can be served. This is worth reflecting on your website as well as your stationery, so take advice on what applies to your set-up.

Are Your Terms, Pricing, and Marketing Lawful?

If you sell goods, services, or digital content, consumer law shapes what you can say and how you must say it. The biggest recent change is the Digital Markets, Competition and Consumers Act 2024, which from 6 April 2025 revoked the old Consumer Protection from Unfair Trading Regulations 2008 and restated the rules on unfair commercial practices, now enforced directly by the Competition and Markets Authority (CMA) with fines of up to 10% of worldwide turnover for serious breaches.

Get Your Descriptions and Prices Right

  • Accurate descriptions. Goods and services must be as described, fit for purpose, and of satisfactory quality, so review your product copy for anything misleading.
  • Transparent pricing. Under the 2024 Act, the total price a consumer must pay, including any mandatory fees, has to be shown upfront. Revealing compulsory charges only at the checkout, known as drip pricing, is no longer allowed.
  • Honest reviews. Fake reviews, and commissioning or hosting them without reasonable steps to check they are genuine, are also prohibited, so be careful how you gather and display testimonials.

Distance Selling and Order Confirmation

The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 apply to most online sales. Before a purchase, you must give consumers clear information about the product, the total price, delivery, and their cancellation rights. For most goods bought online, consumers have a 14-day cancellation period and do not have to give a reason. If you do not tell them about this right, the period can extend by up to 12 months. Provide written confirmation of the order, and if you run an online store, check that your automatic confirmation emails actually send and contain the right detail. It is sensible to reflect all of this in your terms and conditions.

A Note for Regulated Sectors

Some sites carry extra rules. Finance, gambling, alcohol, and adult content are all subject to sector-specific regulation, and sites aimed at children carry additional obligations. If your site touches a regulated area, take specialist legal advice on what applies.

Does Website Accessibility Apply to Your Business?

This is where the legal duty and good practice diverge, so it is worth being precise.

The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 require public sector websites and apps to meet the WCAG 2.2 AA standard and to publish an accessibility statement. These regulations do not apply to private businesses.

Every UK business, however, remains subject to the Equality Act 2010, which requires reasonable adjustments so that disabled people are not put at a substantial disadvantage. There is no fixed technical standard attached to this for private sites, but a disabled user who cannot use your site could bring a discrimination claim, so an inaccessible site is a real risk as well as a barrier to customers.

What About Selling into the EU?

If you sell to consumers in the EU, the European Accessibility Act, which applies from 28 June 2025, may reach you regardless of where your business is based. It covers e-commerce and many digital services, and it leans on the same WCAG principles. If you have EU customers, it is worth checking whether the rules apply to you.

In practice, building to WCAG 2.2 AA is the sensible target for any business. It satisfies the public sector standard, supports your Equality Act duty, aligns with the European Accessibility Act, and tends to improve usability and search performance for everyone. If you want help auditing or improving your site, our web design and web development teams can build accessibility in from the start.

Are You Handling Intellectual Property Correctly?

Intellectual property law protects the trademarks, images, and content on your site, both yours and other people's. Two duties follow.

First, only use content you are entitled to use. License any stock images correctly, check the terms of any logos or product images from third parties, and confirm usage rights with manufacturers where there is doubt. Unauthorised use can lead to claims and removal demands.

Second, protect your own work. A clear copyright notice signals ownership, and if you hold registered trademarks you can display the registered symbol to mark their protected status. Use it only for marks that are actually registered: falsely representing a mark as registered is itself an offence under the Trade Marks Act 1994. Taken together, this supports your brand and your ability to act if someone copies you.

Common Questions

Is a Cookie Banner a Legal Requirement in the UK?

If your site uses any cookies or trackers that are not strictly necessary, then yes, you must get consent before they are set, and that normally means a banner. As of 2026, a narrow set of analytics and appearance cookies no longer needs prior consent, but you still have to tell people and let them object.

What Is the Maximum Fine for Breaking UK Data and Cookie Rules?

For both UK GDPR and PECR, the higher maximum fine is now £17.5 million or 4% of total worldwide annual turnover, whichever is higher. The PECR ceiling was raised to match UK GDPR by the Data (Use and Access) Act 2025.

Do I Legally Need a Privacy Policy and Terms and Conditions?

If you collect any personal data, UK GDPR effectively requires a privacy policy explaining how you use it. Terms and conditions are not always strictly mandatory, but if you sell online you must provide specific pre-contract information and company details, and a terms page is the practical way to do it.

Does My Small Business Website Have to Be Accessible by Law?

The accessibility regulations only bind public sector bodies, but every business has a duty under the Equality Act 2010 to make reasonable adjustments for disabled users. Building to WCAG 2.2 AA is the safest and most useful way to meet that duty, and it becomes a firmer requirement if you sell into the EU.

What Company Details Must Appear on My Website?

A limited company should show its registered name, registration number, place of registration, and registered office address, plus its VAT number if registered. You also need a direct email address and a geographic address, as a contact form alone does not satisfy the e-commerce rules.

Where to Start

The law here is detailed, but the practical version is manageable: a fair cookie banner, a clear privacy policy, accurate company and contact details, honest pricing and descriptions, and a site that most people can actually use. If you would like a review of where your website stands, or help building these foundations in properly, get in touch.