UK GDPR and cookie consent banners: what a small business actually needs in 2026
Most small business sites either do too much on GDPR and annoy their users, or too little and expose themselves. Here is the practical minimum for a UK small business website: privacy policy, cookie banner, Consent Mode, and the few things you can safely skip.
Most UK small business websites either do too much on privacy compliance, cluttering the page with consent banners and thirty-category cookie preference centres their visitors will never read, or too little, running Google Analytics and Facebook pixels without asking consent at all. The honest minimum for 2026 is a plain-English privacy policy, a simple cookie banner that blocks non-essential scripts until the user consents, Google's Consent Mode wired up correctly, and a visible contact route for data subject requests. That is it. This article explains what each piece does, where most small businesses fall short, and the things you can ignore unless you are in a regulated sector.
What the UK actually requires
The short answer is two overlapping regimes. The UK GDPR (the retained post-Brexit version of the EU regulation) governs personal data. The Privacy and Electronic Communications Regulations (PECR) govern cookies, marketing emails, and similar tracking technologies. Together they require you to do a small number of practical things.
Tell visitors what personal data you collect and why, in a privacy policy. Get consent before placing non-essential cookies. Give people a way to access, correct, or delete their data. Keep a basic record of what data you hold. Pay the ICO's annual data protection fee unless you are exempt (the ICO publishes a short self-assessment for this). Respond promptly if the ICO passes a complaint to you.
What you do not need, despite what some consent-banner vendors imply, is a thirty-page privacy policy, a data protection officer (unless you are doing large-scale processing of special category data), ISO 27001 certification, or a four-tier cookie preference centre with forty categories. Most of that is compliance theatre.
The privacy policy, in plain English
Your privacy policy is a plain-language statement telling visitors what personal data you collect, how you use it, how long you keep it, and how they can get in touch. For a typical small business website the list is short.
Data collected via the contact form (name, email, phone, message content, timestamp). Data collected via analytics (anonymous traffic data about which pages are visited, from where, in aggregate). Data collected via newsletter sign-up if you have one (email address, sign-up timestamp, whether they have clicked links in emails). Data collected via bookings or payments if relevant (the minimum needed to process the transaction, handled by your payment provider under their own terms).
For each of those, the policy should say what it is used for (replying to enquiries, improving the site, sending the newsletter), how long you keep it (contact form enquiries: two years, newsletter: until the person unsubscribes, analytics: a set number of months), and on what legal basis you are holding it. For a small business that is typically consent for the newsletter, contract (or steps taken at the customer's request before a contract) for bookings and payments, and legitimate interests for replying to enquiries and for aggregate analytics. One caveat on analytics: legitimate interests covers the processing of the statistics, not the act of setting the cookie. Under PECR an analytics cookie still needs consent unless the tool sets no cookie at all.
Keep it under a thousand words in total. Write it in the first person. Link it from the footer of every page. That is the entire job.
Cookie consent, done properly
Under PECR, you may set strictly necessary cookies (the ones that make the site work: session, CSRF, load balancer, and the cookie that records the visitor's consent choice itself) without asking permission. You must ask permission before setting any non-essential cookie, and the same rule covers localStorage and similar browser storage, not just cookies. Non-essential includes analytics, advertising, social media widgets, and most A/B testing tools.
The compliant pattern is this. The cookie banner appears on first visit. The user has a clear option to accept, reject, or see preferences, and rejection is as easy as acceptance (this is important; a banner with a big green Accept and a small text link to Reject is non-compliant under the ICO's updated guidance). Until the user makes a choice, non-essential cookies are blocked. If they click Reject, they stay blocked. If they click Accept, they run. The choice is remembered for a reasonable period, typically six to twelve months.
The common failure we see on small business sites is running Google Analytics in an "opt-out" mode rather than "opt-in", which lets the tracking run by default and asks for consent afterwards. This is non-compliant and has been enforced against in the EU; treating scrolling or continuing to browse as consent fails for the same reason. Use a consent manager that supports Consent Mode v2 (Cookiebot, CookieYes, Iubenda and Termly all do) and configure it to block the tags until consent is given. Then verify it: a consent manager that is installed but not wired into the tag firing rules blocks nothing.
For most UK small businesses we recommend the free tier of CookieYes or the equivalent, which handles the banner, the blocking, and the record of consent.
Google Consent Mode, briefly
Since March 2024, Google has required sites that use its advertising features (Google Ads conversion measurement, remarketing and audiences) for visitors in the EEA and UK to pass Consent Mode v2 signals. GA4 on its own does not strictly require it, but the same consent manager wires both, so set it up once. The short version is that Consent Mode lets Google's tags adjust their behaviour based on whether the user has consented, instead of simply loading or not loading.
Consent Mode has two configurations. In basic mode, Google's tags are not loaded at all until the user consents, so nothing is sent to Google and there is nothing to model; this is the simplest to defend. In advanced mode, the tags load before consent but, while consent is denied, set no cookies and send only cookieless pings (no identifiers, though still a request to Google carrying the visitor's IP address and the page URL); Google uses those pings to model conversions in aggregate. Whether a cookieless ping that still reaches Google's servers counts as strictly necessary is not settled, so a small business that wants the quiet life should use basic mode. When the user has consented, the tags run fully in either mode.
Any modern consent manager sets this up automatically once you connect it to your Google Tag Manager container. If you run Google Ads alongside GA4, check that the signals are actually being sent: in the browser console, confirm that a consent "default" entry is pushed to the dataLayer before any Google tag loads and that an "update" follows the banner click (Google's Tag Assistant shows the same thing). Without those signals, Google Ads will not use the data for audiences, remarketing or conversion measurement for EEA and UK visitors, which is what people mean when they say the data is being quietly thrown away. Worth checking.
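The opt-in pattern above (non-essential tags blocked until the visitor chooses, Reject as easy as Accept, the choice remembered in a strictly necessary cookie) and the Consent Mode "default before any tag loads, then update on click" sequence are small enough to show in one script. The following is an added example, not code from the article or from any consent-manager vendor, written in the basic configuration so the GA4 loader is never injected without consent. The cookie name `site_consent`, the six-month retention, the placeholder measurement ID and the banner element ids are assumptions for the example; the decision logic is kept in plain functions so it can be tested without a browser.

```javascript
// Added example (not the article's or any vendor's code): a minimal opt-in
// cookie gate that pushes Google Consent Mode v2 signals. The browser wiring
// at the bottom runs only when a DOM exists; the decision logic is plain
// functions so it can be exercised under Node.
const CONSENT_COOKIE = "site_consent";   // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;        // six months, inside the 6-12 month range
const GA4_ID = "G-XXXXXXXXXX";           // placeholder measurement ID (assumption)

// The Consent Mode v2 keys a banner decides on. Everything defaults to denied
// until the visitor chooses. security_storage (strictly necessary) is not on
// the banner and is always granted in the default push below.
const CONSENT_KEYS = [
  "ad_storage", "ad_user_data", "ad_personalization",
  "analytics_storage", "functionality_storage", "personalization_storage",
];

function defaultConsent() {
  return Object.fromEntries(CONSENT_KEYS.map((k) => [k, "denied"]));
}

// Map the banner choice onto Consent Mode keys: "accept" grants all
// non-essential storage, anything else (reject, or no choice yet) stays denied.
function consentFor(choice) {
  const state = defaultConsent();
  if (choice === "accept") for (const k of CONSENT_KEYS) state[k] = "granted";
  return state;
}

// Read the stored choice from a document.cookie string. Only the two literal
// values are trusted; a missing or tampered cookie counts as "no choice yet".
function readChoice(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return value === "accept" || value === "reject" ? value : null;
    }
  }
  return null;
}

// The consent record is itself strictly necessary, so it may be set without
// consent. SameSite=Lax and Secure keep it from being sent cross-site or over
// plain HTTP.
function consentCookie(choice) {
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Decide what happens on page load: show the banner or not, which consent
// state to push, and whether the GA4 loader may be injected at all (basic
// mode: without consent the tag is never loaded, so no request reaches Google).
function planPageLoad(cookieString) {
  const choice = readChoice(cookieString);
  return {
    showBanner: choice === null,
    consent: consentFor(choice),
    loadAnalytics: choice === "accept",
  };
}

// ---- browser wiring (skipped when there is no DOM) ----
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  // The default must be on the dataLayer before any Google tag loads.
  gtag("consent", "default", { ...defaultConsent(), security_storage: "granted", wait_for_update: 500 });

  const loadGA4 = () => {
    const s = document.createElement("script");
    s.async = true;
    s.src = `https://www.googletagmanager.com/gtag/js?id=${GA4_ID}`;
    document.head.appendChild(s);
    gtag("js", new Date());
    gtag("config", GA4_ID);
  };

  const apply = (choice) => {
    document.cookie = consentCookie(choice);
    gtag("consent", "update", consentFor(choice));
    if (choice === "accept") loadGA4();
    const banner = document.getElementById("cookie-banner"); // assumed element id
    if (banner) banner.hidden = true;
  };

  const plan = planPageLoad(document.cookie);
  if (plan.loadAnalytics) apply("accept");           // returning visitor who accepted
  if (plan.showBanner) {                              // first visit: equal-weight buttons
    document.getElementById("cookie-banner").hidden = false;
    document.getElementById("cookie-accept").onclick = () => apply("accept");
    document.getElementById("cookie-reject").onclick = () => apply("reject");
  }
}
```

The point of keeping the loader inside `apply("accept")` is that there is no code path that appends the gtag script while the choice is missing or "reject", which is exactly what the Reject check in the audit below the fold is looking for. A returning visitor who rejected gets nothing pushed beyond the denied defaults.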
Our own site runs Plausible as a cookie-free analytics layer that does not require consent (it stores nothing in the browser) and GA4 as a separate consent-gated layer. Most small businesses do not need both. Plausible alone is often the cleaner answer.
Data subject requests, in practice
UK GDPR gives individuals the right to ask what data you hold about them, correct it, or delete it. You must respond within one calendar month; for a genuinely complex request you can extend that by up to two further months, provided you tell the requester within the first month and explain why. For a small business the practical setup is a single email address (steffen@voll.co.uk, privacy@example.co.uk, whatever) that you can point to in the privacy policy and in the footer.
In practice most small businesses get fewer than a handful of these requests in a year. When one arrives, follow a simple process. Acknowledge within 48 hours. Confirm identity (politely ask for enough information to be sure the requester is who they say they are, and no more than that). Pull the data from wherever it lives (CRM, email, accounting system). Send a clear response within the month, by a route you trust; a subject access response delivered to the wrong person is itself a data breach. Keep a brief record of the request and your response.
You do not need elaborate software for this unless you are processing at real scale.
The things you can safely skip
For a typical UK small business (under 250 employees, not processing special category data such as health, not doing large-scale tracking, not a data broker), most of the following do not apply to you.
Data Protection Officer. Required only if you are a public authority, or your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. A micro-business does not need one.
Data Protection Impact Assessments. Required for high-risk processing. Ordinary website analytics, CRM records, and newsletter data are not high risk.
Formal ISO 27001. Valuable for enterprise clients who demand it; overkill for most small service businesses.
EU Representative. Required under EU GDPR when a business with no establishment in the EU offers goods or services to people in the EU or monitors their behaviour, unless the processing is occasional, low-risk and does not involve special category data at scale. A UK business that only occasionally deals with an EU customer can rely on that exemption; one that actively markets or sells into the EU should not assume it applies. Check this one before skipping it.
A detailed cookie preference centre with twenty categories. Not required. A simple Accept/Reject with a "preferences" option is fine for almost all small business sites.
The five-minute audit of your own site
Check these, in a private browsing window so a stored consent choice does not skew the result. Is the footer of your site showing a working link to the privacy policy? Is the first paragraph of the policy dated and current? When a first-time visitor lands on your site, does a cookie banner appear, and does Reject work as easily as Accept? After you click Reject, does the Network tab in the browser's developer tools show no requests to googletagmanager.com or google-analytics.com, and the Application (or Storage) tab no _ga cookies? Is there a named contact route for data requests? Is your company's legal name and registered office correct in the footer (as covered in our article on what a registered office address is)?
If all six are green, you are broadly in good shape. If any are red, fix those this week, before you think about the rest of your compliance strategy.
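The "did Reject actually block Google Analytics?" step is the one people get wrong by eye, so here is an added example (not part of the article) that does the check offline: paste the request URLs from the Network tab and the `document.cookie` string captured after clicking Reject into the two constructed inputs and it reports anything that should not be there. The tracker host and cookie-prefix lists are a starting point rather than a full inventory, and the essential cookie names are assumptions; extend both for your own stack.

```javascript
// Added example (not from the article): offline check for the Reject step of
// the five-minute audit. Inputs are a list of request URLs and the
// document.cookie string, both captured after clicking Reject.
const TRACKER_HOSTS = [
  "googletagmanager.com", "google-analytics.com", "analytics.google.com",
  "doubleclick.net", "connect.facebook.net", "facebook.com",
];
// Cookie name prefixes set by GA4/Universal Analytics, Google Ads and Meta Pixel.
const TRACKER_COOKIE_PREFIXES = ["_ga", "_gid", "_gcl_", "_fbp", "_fbc"];
// Cookies treated as strictly necessary: session, CSRF, load balancer, consent record.
const ESSENTIAL_COOKIES = ["PHPSESSID", "csrftoken", "AWSALB", "site_consent"]; // assumed names

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// A host matches when it equals a tracker domain or is a subdomain of one,
// so www.googletagmanager.com and region1.google-analytics.com both hit.
function isTrackerHost(host) {
  return host !== null && TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// Returns a list of findings; an empty list means Reject held.
function auditAfterReject(requestUrls, cookieString) {
  const findings = [];
  for (const url of requestUrls) {
    const host = hostOf(url);
    if (isTrackerHost(host)) findings.push({ kind: "request", detail: host, url });
  }
  for (const name of cookieNames(cookieString)) {
    if (ESSENTIAL_COOKIES.includes(name)) continue;
    if (TRACKER_COOKIE_PREFIXES.some((p) => name.startsWith(p))) {
      findings.push({ kind: "cookie", detail: name });
    }
  }
  return findings;
}

// Constructed sample of what a leaky "opt-out" site looks like after Reject:
// the gtag loader and a GA4 collect request fired anyway, and _ga cookies exist.
const SAMPLE_REQUESTS = [
  "https://example.co.uk/",
  "https://example.co.uk/assets/site.css",
  "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX",
  "https://region1.google-analytics.com/g/collect?v=2&tid=G-XXXXXXXXXX",
];
const SAMPLE_COOKIES = "PHPSESSID=abc123; site_consent=reject; _ga=GA1.1.111.222; _ga_XXXXXXXXXX=GS1.1.333";

function runSample() {
  return auditAfterReject(SAMPLE_REQUESTS, SAMPLE_COOKIES);
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = runSample();
  if (findings.length === 0) console.log("Reject held: no tracker requests or cookies");
  for (const f of findings) console.log(`${f.kind}: ${f.detail}${f.url ? " " + f.url : ""}`);
}
```

A clean Reject produces an empty list. Note that the check only sees what you paste in; if a tag fires a few seconds after load (a common pattern with delayed GTM triggers), capture the Network tab after waiting, not immediately after the click.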
None of this is the part of running a small business that is fun. It is the boring foundation that means you do not waste a morning in two years answering an ICO letter. Set it up once, review it once a year, and move on.
If you would like a second pair of eyes on your current privacy setup or help wiring up Consent Mode properly, book a fifteen minute chat and we will go through it with you.

About the author
Steffen Hoyemsvoll
Founder of Voll. Oxford Physics, ex-fintech co-founder, Chartered Wealth Manager. Writes about what he actually uses to grow small businesses.
Work with Steffen