GDPR, cookies, and privacy: the legal foundations your UK website needs

This isn’t the exciting part of having a website. But it is necessary.

If you’re running a UK business with a website, there are legal requirements around data protection and privacy that you need to meet. Get them wrong and you’re exposed to fines, complaints, and the quiet erosion of customer trust.

The good news: for most small business websites, compliance isn’t complicated. You just need to understand what’s required and make sure the basics are in place.

Why this matters

Every time someone visits your website, data gets exchanged. Their browser sends information to your server. If you’re using analytics, you’re tracking their behaviour. If you have a contact form, you’re collecting their details. If you’re using cookies (and almost every website does), you’re storing information on their device.

All of this is regulated. In the UK, the main frameworks are the UK GDPR (the post-Brexit version of European data protection law) and the Privacy and Electronic Communications Regulations (PECR). The Information Commissioner’s Office (ICO) is the regulator, and it does take enforcement action against non-compliant businesses.

What your website actually needs

A privacy policy

This is a page explaining what personal data you collect, why you collect it, how you store it, and how long you keep it. It should also tell visitors their rights and how to contact you about their data.

For most small business websites, you’re probably collecting contact form submissions, maybe email addresses for a newsletter, and analytics data. Your privacy policy should reflect this honestly – not just be a generic template copied from somewhere else.

A cookie notice

Cookies are small files that websites store on visitors’ devices. Some are essential (making the site function properly), but many are for analytics or marketing purposes.

UK law requires you to tell visitors what cookies you use, get their consent before setting non-essential cookies, and give them a genuine choice. Those annoying cookie banners exist for a reason – and “by continuing to browse you accept cookies” doesn’t actually count as valid consent.

Secure data handling

If you’re collecting any personal data through forms, that data needs to be handled securely. This means using HTTPS (the padlock in the browser), storing data appropriately, and only keeping it as long as you need it.

A way for people to contact you about their data

Under GDPR, people have rights over their data – to see it, correct it, delete it. You need to provide a way for them to exercise those rights, usually just an email address.

Common mistakes I see

Websites with no privacy policy at all – if you have a contact form, you’re collecting personal data.

Copying a privacy policy from another site without adjusting it – if it mentions things you don’t do, it’s both wrong and confusing.

Cookie banners that don’t actually block cookies until consent is given – the banner alone isn’t enough.

Using Google Analytics without mentioning it in your privacy policy – people should know they’re being tracked.

Keeping contact form submissions forever – you should have a retention policy and stick to it.
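To make the cookie-consent requirement and the “banner that doesn’t block cookies” mistake concrete, here is a small consent-gated script loader. This is example code written for this article, not code from WordPressMatic or from any consent plugin; the storage key, the category names and the script URLs are assumed placeholders, and the storage object and loader function are passed in (in a browser you would pass window.localStorage and a function that injects a script tag) so the same logic runs anywhere.

```javascript
// Consent-gated loading of non-essential scripts (example for this article).
// Assumed: consent choices are kept under CONSENT_KEY as a JSON record.
const CONSENT_KEY = "cookie_consent_v1"; // assumed key name
const OPTIONAL = ["analytics", "marketing"]; // non-essential categories

// Read the stored record. Missing, malformed or non-boolean = no consent.
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== "object") return null;
    const consent = {};
    for (const cat of OPTIONAL) consent[cat] = parsed[cat] === true;
    return consent;
  } catch (err) {
    return null; // unreadable storage is treated as "not consented"
  }
}

// Persist the visitor's explicit choices; anything not ticked is false.
function saveConsent(storage, choices) {
  const record = { ts: new Date().toISOString() };
  for (const cat of OPTIONAL) record[cat] = choices[cat] === true;
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// The mistake: a banner is shown, but every script loads regardless.
function weakLoad(scripts, loader) {
  scripts.forEach((s) => loader(s.src));
  return scripts.map((s) => s.src);
}

// The fix: essential scripts always load; others only with matching consent.
// Returns the scripts actually loaded so the behaviour can be checked.
function gatedLoad(scripts, consent, loader) {
  const loaded = [];
  for (const s of scripts) {
    const allowed =
      s.category === "essential" ||
      (consent !== null && consent[s.category] === true);
    if (allowed) {
      loader(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}
```

Call gatedLoad once on page load and again after the visitor saves a choice; until they opt in, only the essential scripts ever reach the page.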

Don’t panic, but do take it seriously

If this all sounds alarming, take a breath. The ICO isn’t hunting down small businesses with imperfect cookie banners. Their focus is on serious breaches and repeat offenders.

But compliance does matter. It protects your customers, protects your business, and signals that you’re professional and trustworthy. Getting it right from the start is much easier than fixing it later.

How I handle this at WordPressMatic

Every website I build comes with proper legal foundations as standard – privacy policy tailored to what you actually do, compliant cookie consent, secure forms, the lot. It’s not exciting, but it’s essential, and you shouldn’t have to figure it out yourself.

Think of it like building regulations for a physical building. You might not care about the technicalities, but you absolutely want someone who does.
