Few things cause more confusion for small business owners than the legal side of websites. Cookie banners, privacy policies, consent mechanisms, record-keeping – it can feel like a minefield designed by lawyers to trap the unwary.
The truth is simpler than it appears. What you need depends on what your website does. A basic brochure site with a contact form has different requirements from an online shop with customer accounts. Once you understand the distinctions, the path becomes clearer.
Let me break it down.
Website privacy: 4 scenarios explained
First, some definitions
These terms get thrown around interchangeably, but they mean different things.
Cookies are small text files that websites store on a visitor’s device. They serve various purposes – remembering login sessions, tracking analytics, enabling shopping carts, or following users around the internet for advertising.
A cookie banner is the notice that appears when someone first visits your site, informing them about cookies and asking for consent.
A cookie policy is a document explaining what cookies your site uses, what they do, and how visitors can manage them.
A privacy policy is broader – it covers all personal data you collect, not just through cookies. This includes contact form submissions, email sign-ups, customer accounts, purchase information, and anything else that could identify an individual.
You might need all of these, some of these, or minimal versions depending on your situation.
The legal framework in brief
In the UK, two main pieces of legislation govern this area: the UK GDPR (covering personal data generally) and PECR – the Privacy and Electronic Communications Regulations (covering cookies specifically).
The basic principle is straightforward: if you’re collecting personal data, people need to know about it. If you’re setting non-essential cookies, you need consent before doing so.
“Consent” has a specific legal meaning here. It must be freely given, specific, informed, and unambiguous. A pre-ticked box doesn’t count. “By continuing to browse you accept cookies” doesn’t count. People need to make an active choice.
Scenario 1: A simple brochure website with a contact form
Let’s start with the most basic case. You have a website that explains your business, lists your services, and has a contact form. No user accounts, no online payments, no complex functionality.
What cookies are you likely setting?
If you’ve built a clean, privacy-respecting site, potentially very few. Essential cookies that make the site function don’t require consent – things like session cookies that remember form submissions or security tokens.
If you’re using privacy-focused analytics like Fathom, you’re not setting cookies at all for that purpose.
If you’re using Google Analytics, you’re setting tracking cookies that require consent. If you’re loading Google Fonts from Google’s servers, that’s not a cookie, but it is a data transfer that should be disclosed.
What do you need?
Privacy policy: Yes, essential. Your contact form collects personal data (name, email, message content), so you need to explain what you collect, why, how you store it, and how long you keep it.
Cookie policy: If you’re setting any cookies beyond strictly essential ones, yes. This can be part of your privacy policy or a separate document.
Cookie banner: Only if you’re setting non-essential cookies. If your site only uses strictly essential cookies, you don’t need a consent banner – though a simple notice explaining this can build trust.
Consent requirements:
For the contact form, you don’t need a separate consent checkbox if the purpose is obvious – someone filling in a “Contact me” form clearly expects you to use their details to contact them. However, if you plan to add them to a marketing list, that requires explicit separate consent.
For cookies, if you’re only using essential ones, no consent mechanism needed. If you’re using analytics or any third-party cookies, you need consent before those cookies are set.
Scenario 2: A website with email newsletter sign-up
Add an email sign-up form and your requirements shift slightly.
What changes?
Email marketing is considered direct marketing under PECR, which means you need explicit consent to send marketing emails. This isn’t just good practice – it’s a legal requirement for B2C communications and best practice for B2B.
What do you need?
Everything from Scenario 1, plus:
Explicit opt-in for marketing: A clear, unchecked checkbox that says something like “I’d like to receive news and updates by email” – not buried in terms and conditions, not pre-ticked, not assumed.
Record of consent: You need to be able to demonstrate that someone consented, when they consented, and what they consented to.
Easy unsubscribe: Every email must include a way to opt out, and you must honour those requests promptly.
Consent requirements:
This needs to be explicit, specific, and recorded. “Sign up for our newsletter” with an email field and submit button is generally sufficient if it’s clear what they’re signing up for – but keep records of when each person subscribed.
Scenario 3: A website with user accounts
Now we’re getting more complex. User accounts mean you’re storing personal data more permanently and offering ongoing access to it.
What changes?
You’re now holding personal data that users expect to access, modify, and delete. You need to facilitate their rights under GDPR – the right to see their data, correct it, and request deletion.
Account creation also typically involves setting persistent cookies to maintain login sessions.
What do you need?
Comprehensive privacy policy: Must cover account data, how long you retain it, security measures, and how users can exercise their rights.
Cookie policy and consent: Login session cookies are generally considered essential and don’t require consent. But if your logged-in experience includes analytics, personalisation, or third-party integrations, those elements do require consent.
Clear terms of service: Separate from the privacy policy, this covers the contractual relationship between you and your users.
Account management features: Users need to be able to view, edit, and delete their account data.
Consent requirements:
Account creation requires users to actively agree to your terms and privacy policy – typically a checkbox at registration. Don’t pre-tick it, and make the policies easy to read before agreeing.
For any marketing, you need separate explicit consent – not bundled into “I agree to the terms.”
Scenario 4: E-commerce – selling goods or services online
Online shops have the most complex requirements because you’re handling financial transactions and have legal obligations beyond data protection.
What changes?
You’re collecting payment information, delivery addresses, and purchase history. You’re entering into sales contracts. You have consumer rights obligations, VAT considerations, and potentially additional regulations depending on what you sell.
Your site almost certainly uses cookies for shopping baskets, payment processing, and potentially fraud prevention.
What do you need?
Comprehensive privacy policy: Must cover all data collected during purchases, how payment data is handled (usually by a third-party processor like Stripe), order history retention, and how you share data with delivery companies.
Cookie policy and consent: Shopping basket cookies are essential and don’t require consent. Analytics cookies do. Payment processor cookies are typically essential for the transaction.
Terms and conditions of sale: Covering delivery, returns, refunds, consumer rights – separate from your privacy policy.
Secure payment handling: You shouldn’t store card details yourself. Use established payment processors who handle PCI compliance.
Consent requirements:
For the purchase itself, consent is implicit in the transaction – someone buying from you understands you need their details to fulfil the order.
For marketing, you need explicit separate consent at checkout – typically an unchecked box. “Keep me updated on new products and offers” or similar. Never pre-tick this.
For account creation (if you offer it), see Scenario 3 above.
The nuance of explicit consent
Not all consent is created equal, and this is where many websites get it wrong.
When is explicit consent required?
- Before setting non-essential cookies (analytics, marketing, third-party embeds)
- Before sending marketing communications
- When collecting sensitive personal data (health information, for example)
- When you want to use someone’s data for a purpose beyond what they’d reasonably expect
What makes consent valid?
It must be:
Freely given: No penalty for refusing. “Accept cookies or leave” is not valid consent.
Specific: Consent for one thing isn’t consent for everything. Marketing consent is separate from analytics consent.
Informed: People need to understand what they’re agreeing to before they agree.
Unambiguous: An active, affirmative action – clicking “I accept,” checking an unchecked box, choosing preferences. Silence or pre-ticked boxes don’t count.
Withdrawable: If someone can give consent, they must be able to take it back just as easily.
How to obtain valid cookie consent:
Your cookie banner should appear before non-essential cookies are set. It should offer a genuine choice – “Accept all” and “Reject all” as equal options, or a way to choose which categories to allow.
Critically, if someone clicks “Reject” or closes the banner without choosing, you must not set those non-essential cookies. Many websites get this wrong – they show a banner but set the cookies anyway. That’s not consent; it’s theatre.
Keeping records of consent
Under GDPR, you need to be able to demonstrate that you obtained valid consent. This means keeping records.
For email marketing:
Record when each person signed up, what they were told at the time (your sign-up form wording), and evidence of the consent mechanism. Your email marketing platform should handle much of this automatically.
For cookie consent:
This is trickier. Ideally, your consent management platform logs consent choices – when someone accepted or rejected cookies, which categories they allowed. If you’re using a tool like Iubenda or Cookiebot, this is handled for you.
At minimum, keep records of your consent mechanism itself – screenshots of your cookie banner, what options were presented, how it functioned.
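The two mechanical points above (non-essential scripts must not load until someone actively accepts, and the choice itself must be recorded) can be seen in this added example of a small consent gate, which is illustrative code written for this article rather than the site's own implementation or any CMP's code. It assumes a `POLICY_VERSION` string you bump when the cookie policy changes, and takes the storage and script loader as parameters so it runs in a browser or stand-alone.

```javascript
// Added example: consent gate that loads non-essential scripts only after an
// explicit accept, and records the choice (timestamp + policy version).
const POLICY_VERSION = "2024-05"; // assumed: bump whenever the cookie policy changes
const STORAGE_KEY = "cookie_consent";

function createConsentGate({ storage, loadScript, now = () => new Date() }) {
  const registry = []; // { category, src } for each non-essential script
  const loaded = new Set();

  // Stored consent record, or null when there is no valid choice.
  // Consent given under an older policy version does not count.
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  function isAllowed(category) {
    const rec = read();
    return rec !== null && rec.categories.includes(category);
  }

  // Load each registered script whose category is now permitted, once only.
  function apply() {
    for (const { category, src } of registry) {
      if (isAllowed(category) && !loaded.has(src)) {
        loaded.add(src);
        loadScript(src);
      }
    }
  }

  // Record an active choice. "Reject all" is stored as an empty category list
  // so the refusal is provable too. In production also send a copy to your
  // server (assumed endpoint) so the record survives the visitor clearing storage.
  function record(categories) {
    const rec = { categories, policyVersion: POLICY_VERSION, at: now().toISOString() };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    apply();
    return rec;
  }

  // Withdrawal must be as easy as consent: drop the record, so nothing
  // non-essential loads on the next page view.
  function withdraw() { storage.removeItem(STORAGE_KEY); }
  function register(category, src) { registry.push({ category, src }); apply(); }
  return { register, record, withdraw, isAllowed, read, needsBanner: () => read() === null };
}
```

In a browser, pass `storage: localStorage` and a `loadScript` that appends a `<script src=…>` tag to the page, register the analytics script under its category, and show the banner only while `needsBanner()` is true; wire "Accept all" to `record(["analytics"])` and "Reject all" to `record([])`.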
For account creation:
Log when users created accounts and which version of your terms and privacy policy they agreed to. If you update these documents, you may need to ask existing users to re-consent.
How long to keep records:
There’s no specified period, but given that enforcement action could come years after the fact, keeping consent records for at least as long as you’re processing that person’s data makes sense – and ideally longer.
Practical steps for each scenario
Scenario 1: Simple brochure site with contact form:
- Write or generate a clear privacy policy covering your contact form data collection
- If using only essential cookies, add a simple privacy notice – no consent mechanism needed
- If using analytics or third-party cookies, implement a proper consent banner that blocks those cookies until accepted
- Keep contact form data only as long as necessary and delete old enquiries periodically
Scenario 2: Site with newsletter sign-up:
All of the above, plus:
- Use a clear, unchecked opt-in checkbox for marketing
- Use an email platform that records consent (Mailchimp, ConvertKit, etc.)
- Include unsubscribe links in every email
- Keep records of when and how each subscriber joined
Scenario 3: Site with user accounts:
All of the above, plus:
- Require explicit agreement to terms and privacy policy at registration
- Provide account management features for users to view and delete their data
- Log when accounts were created and which policy version was agreed to
- Have a process for handling data access and deletion requests
Scenario 4: E-commerce site:
All of the above, plus:
- Use established payment processors – never store card details yourself
- Have clear terms of sale covering consumer rights
- Keep separate, explicit consent for marketing at checkout
- Ensure data sharing with payment processors and delivery companies is covered in your privacy policy
- Have clear data retention policies for order information
When in doubt, ask a question
The legal landscape around privacy isn’t static. GDPR enforcement is evolving, new guidance emerges, and what constitutes best practice shifts over time.
The safest approach is to ask yourself: would I be comfortable explaining to a customer exactly what data I collect and why? Would I be happy if they knew every cookie my site sets?
If the answer is yes, you’re probably in good shape. If the answer is no, or “I’m not sure what my site actually collects,” that’s worth investigating.
How WordPressMatic handles this
Every website I build starts with privacy as a structural decision, not an afterthought.
I don’t use Google Fonts, Google Analytics, or third-party marketing trackers by default. That means fewer cookies, simpler consent requirements, and less data leaving your site.
For analytics, I use Fathom – which doesn’t use cookies at all and is GDPR compliant without needing consent banners.
Privacy policies are tailored to what your site actually does – not generic templates that mention things you don’t use.
Where cookie consent is needed, I implement it properly – blocking non-essential cookies until consent is given, offering genuine choices, and keeping records through tools like Iubenda.
The result is a site you can be confident about. One where you know exactly what data you’re collecting, why, and where it goes. One where compliance isn’t a box-ticking exercise but a reflection of genuine respect for your visitors.
That’s how I think websites should be built.
