UK Website Legal Requirements — GDPR, ICO and Cookie Compliance Guide

Since Brexit, UK website legal requirements have diverged slightly from EU rules — but they remain substantial, and non-compliance carries real financial risk. The Information Commissioner's Office issued over £7 million in fines in 2023 alone. This guide explains what your UK business website must have, and why getting it right from the start is far cheaper than fixing it later.

UK GDPR vs EU GDPR — What Changed After Brexit

The UK retained GDPR principles after Brexit through the UK GDPR, which runs alongside the Data Protection Act 2018. In practice, the requirements for most small business websites are nearly identical to EU GDPR:

• You must have a lawful basis for collecting any personal data
• You must tell people what data you collect, why, and how long you keep it
• People must be able to request deletion of their data
• You must report data breaches to the ICO within 72 hours if they are likely to result in risk to individuals

The key practical difference: if you have EU customers, you may need to comply with both UK GDPR and EU GDPR, which could require appointing an EU representative. For businesses serving only UK customers, UK GDPR alone applies.

ICO Registration — Who Needs It and What It Costs

Most UK businesses that process personal data are required to register with the Information Commissioner's Office and pay the annual data protection fee. The cost is:

• Tier 1 (small organisations, turnover under £632,000, fewer than 10 staff): £40/year
• Tier 2 (medium organisations): £60/year
• Tier 3 (large organisations, turnover over £36 million or more than 250 staff): £2,900/year

Exemptions exist for businesses that only process data for personal, family, or household purposes, or for certain not-for-profit activities. A standard small business website that uses contact forms, analytics, or email marketing is almost certainly required to register. The penalty for non-registration is up to £4,350.

Cookie Consent Requirements

The Privacy and Electronic Communications Regulations (PECR) govern cookie use in the UK. The rules are clear: non-essential cookies — including Google Analytics, Facebook Pixel, and advertising cookies — require explicit user consent before being set. This means:

• A cookie banner must appear on first visit before non-essential cookies are loaded
• Users must be able to decline non-essential cookies and still use the site
• Consent must be freely given — pre-ticked boxes do not constitute consent
• Users must be able to withdraw consent as easily as they gave it

Strictly necessary cookies — those required for the site to function, such as shopping basket cookies or login session cookies — do not require consent.

What Your Privacy Policy Must Cover

Under UK GDPR, your privacy policy must include: what personal data you collect, the lawful basis for each type of processing, how long you retain data, whether you share data with third parties, users' rights (access, rectification, erasure, portability), and your ICO registration number. A privacy policy generated by a generic tool and never updated is a compliance risk — it needs to reflect your actual data practices.

What QX137 Builds as Standard

Every QX137 website includes a cookie consent implementation, a privacy policy page structure, appropriate footer legal links, and clean code that does not load tracking scripts before consent is given. This is not an add-on — it is the baseline expectation for any professional website delivered in 2025.