A lot of business owners launch a website with their attention firmly on design, speed, and getting found on Google. What tends to get left until later - or missed entirely - are the website legal requirements UK businesses are expected to meet before trading online. Some of these are broadly understood: most people know they need a privacy policy. But the detail of what that policy must actually contain, how cookie consent works under UK law, and what the consequences of getting it wrong look like is frequently misunderstood.
This post covers the main legal requirements for UK business websites in 2026, written in plain English rather than legal jargon. We will work through privacy policies, cookie consent, data collection, accessibility, company information, and what to expect from a web designer who takes compliance seriously.
Why Website Legal Compliance Matters in 2026
The honest reason most businesses have incomplete compliance is that it does not feel urgent until something goes wrong. A cookie consent banner that does not properly block non-essential scripts feels like a minor oversight right up until the ICO (Information Commissioner's Office) takes an interest.
The ICO has the power to issue fines of up to £17.5 million, or 4% of global annual turnover for serious UK GDPR breaches - whichever figure is higher. For violations of PECR, which governs electronic communications and cookie consent, the maximum fine sits at £500,000. These figures are reserved for the most serious cases, but enforcement notices against smaller organisations are not unusual, and the reputational damage from a public ICO action can outlast the financial cost by some distance.
There is also a trust dimension that matters entirely independently of regulation. Visitors who encounter a badly implemented cookie banner, a missing privacy policy, or a website they cannot navigate with a keyboard or screen reader make quick judgements about the business behind it. For businesses selling services or products at any meaningful price point, that trust is part of what customers are paying for.
UK GDPR and Your Privacy Policy
If your website collects any personal data - and almost every website does, through contact forms, newsletter signups, analytics tracking, or booking systems - you are subject to UK GDPR under the Data Protection Act 2018.
The most visible requirement is a privacy policy: a clear, accessible document that explains what personal data you collect, why you collect it, how long you keep it, who you share it with, and what rights visitors have over their own data. This document must be written in plain, intelligible language. A privacy policy copied from a generic template and pasted into a footer page often fails this test - not because the content is technically incorrect, but because it is unreadable to anyone who is not a solicitor.
Your privacy policy should cover at minimum:
- What personal data you collect and how you collect it (forms, cookies, booking systems, payment processors)
- The legal basis for processing that data: consent, legitimate interests, contractual necessity, or legal obligation
- How long you retain different categories of data
- Whether you share data with third parties, and who those parties are
- The rights of your users: to access their data, have it corrected or deleted, object to its use, and request its portability
- How to make a data-related request directly to you
- How users can lodge a complaint with the ICO if they are unhappy with how you have handled their data
The policy also needs to be easy to find. A link in the footer, present on every page of the site, is the standard approach and the one the ICO guidance expects.
Cookie Consent: What UK Law Actually Requires
Cookie consent sits at the intersection of UK GDPR and a separate piece of legislation: the Privacy and Electronic Communications Regulations, known as PECR. It is also the area where the gap between what businesses think they are doing and what they are actually doing tends to be widest.
The rule itself is straightforward: you need freely given, informed, and specific consent before placing any cookie that is not strictly necessary for the website to function. Analytics cookies - including Google Analytics and similar tools - are not essential, and therefore require consent before they can fire. The same applies to advertising pixels, social media tracking scripts, and most third-party embeds.
What does not require consent: strictly necessary cookies, such as the session cookie that keeps a shopping basket intact or remembers a user's login state. These can be set without asking. Everything else needs an active choice.
The most common mistakes we see on UK business websites:
- A cookie banner that informs visitors about cookies but does not give them a genuine way to refuse non-essential ones
- Pre-ticked consent boxes (these are not valid under UK law)
- Analytics and tracking scripts loading before the visitor has made any choice at all
- A "decline" option that either disappears on click or routes users back to an acceptance prompt
Valid consent requires a specific, affirmative action for each category of non-essential cookie. Continuing to browse a website does not count as consent. If your current setup loads Google Analytics before the visitor has done anything, you are not compliant with PECR.
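As an added illustration of the script-blocking behaviour described above (example code, not from the original post or any product it mentions): a small consent gate that keeps every non-essential script queued until an affirmative, per-category choice has been recorded, with nothing pre-granted except the strictly necessary category. The category names, script paths and the `loadScript` callback are assumptions; in a browser `loadScript` would append a `<script>` element, and the decision log would be persisted server-side.

```javascript
// Consent gate in the PECR style: scripts are registered with a category and are
// handed to `loadScript` only when that category has been affirmatively granted.
// Assumed categories; "necessary" is the only one that is on by default.
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentGate(loadScript, now = () => new Date().toISOString()) {
  // Default state: no non-essential category is pre-ticked, browsing grants nothing.
  const granted = { necessary: true, analytics: false, marketing: false };
  const pending = []; // { src, category } waiting for a decision
  const loaded = [];  // scripts actually released to the loader
  const log = [];     // decision records (what was chosen, and when)

  function release(src) {
    loadScript(src);
    loaded.push(src);
  }

  // Register a script. Necessary scripts load at once; everything else waits.
  function register(src, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (granted[category]) release(src);
    else pending.push({ src, category });
  }

  // Record the visitor's explicit choice. Only a literal boolean `true` counts as
  // consent; strings, undefined or a closed banner are treated as refusal.
  // "necessary" cannot be declined, so it is ignored here.
  function decide(choices) {
    for (const category of Object.keys(choices)) {
      if (category === "necessary" || !CATEGORIES.includes(category)) continue;
      granted[category] = choices[category] === true;
    }
    log.push({ at: now(), granted: { ...granted } });
    // Release queued scripts whose category is now granted; iterate backwards
    // because splice shifts indices.
    for (let i = pending.length - 1; i >= 0; i--) {
      if (granted[pending[i].category]) release(pending.splice(i, 1)[0].src);
    }
    // Note: a later refusal stops further loads but cannot unload a script that
    // already ran, which is why the gate must exist before the first page view.
  }

  return {
    register,
    decide,
    state: () => ({ ...granted }),
    pending: () => pending.map((p) => p.src),
    loaded: () => [...loaded],
    log: () => log.map((entry) => ({ ...entry })),
  };
}
```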

Your Data Collection Obligations Beyond the Cookie Banner
Data obligations extend well beyond the cookie layer. Every point on your website where a visitor submits personal information needs to be handled in line with UK GDPR.
Contact forms
Contact forms should include a brief, clear notice explaining how submitted data will be used, with a link to the full privacy policy. You do not always need an explicit consent tick box on a contact form - if the data submitted is directly necessary to respond to an enquiry, legitimate interests or contractual necessity may be the appropriate legal basis. But users should always know what happens to their information once they send it.
Newsletter and marketing sign-ups
For marketing communications, consent is the correct legal basis in the vast majority of cases. That consent must be specific, informed, and recorded separately from any other agreement. Pre-bundled tick boxes that simultaneously accept terms of service and opt into marketing are not valid. Every marketing email you send must also include a simple, functional way to unsubscribe, and acting on an unsubscribe request should happen promptly.
Third-party services and data processors
If you use a CRM, email platform, analytics tool, or any other third-party service that handles data you collect on your website, you are the data controller and they are a data processor. You are responsible for ensuring those processors are GDPR-compliant. Most reputable platforms publish their Data Processing Agreements as standard, but smaller or less established tools may require you to ask for them directly.
Website Accessibility Requirements
Website accessibility is a legal requirement, and it is consistently the area that gets the least attention from small businesses.
Under the Equality Act 2010, organisations providing a service to the public - which includes almost every business website - have a legal duty not to discriminate against disabled users. In practice, this means websites should meet the Web Content Accessibility Guidelines (WCAG) 2.1 at Level AA. This standard covers screen reader compatibility, keyboard navigation, colour contrast ratios, captions on video content, clearly labelled form fields, and descriptive error messages, among other things.
Public sector bodies in the UK have stricter obligations under the Public Sector Bodies Accessibility Regulations (PSBAR), including a published accessibility statement and formal audits. Private businesses do not fall under PSBAR, but that does not make them exempt from accessibility duties - those obligations sit under Equality Act case law instead.
The scale of the problem across the broader web is significant. The 2024 WebAIM Million report, which analyses the home pages of the top one million websites, found that 95.9% had detectable WCAG 2.0 failures. The most common issues were low contrast text, missing image alt text, missing form labels, and empty links. These are not obscure technical edge cases - they are things that affect real users with visual, motor, and cognitive differences, and that a careful web designer should be preventing by default.
If your website was built without accessibility in mind, a free tool such as the WAVE browser extension will identify the most common issues quickly and give you a starting point for what to prioritise.

Company Information Under the Companies Act
If you operate as a limited company, the Companies Act 2006 places specific requirements on the business information you must display on your website:
- Your registered company name, exactly as it appears on Companies House
- Your company registration number
- Your registered office address
If you are VAT-registered, HMRC guidance expects your VAT number to be visible on any website that conducts business transactions. This applies most directly to ecommerce sites and businesses where services are invoiced directly through the website, but it is sensible practice to include it regardless of how your transactions are structured.
This information is most commonly placed in the website footer, or on a dedicated legal or contact page. It does not need to be the visual focus of the page, but it needs to be present and straightforward to find.
Sole traders are not subject to the same Companies Act obligations, but should still display a trading name and a contact address clearly on the site - being identifiable is a basic requirement for any business operating online.
If You Sell Online: Consumer Contracts Regulations
For businesses selling products or services directly through their website, the Consumer Contracts Regulations 2013 add a further layer of requirements on top of everything covered above.
Before a customer confirms a purchase, they must be given clear, pre-contractual information covering: the total price including all taxes and fees, the identity of the seller, delivery timescales and any associated costs, the right of withdrawal (typically 14 days for online purchases), and how to exercise that right. This information must be presented clearly before the order is confirmed - not buried in a terms and conditions page the customer is unlikely to read.
For services rather than physical goods, the 14-day cancellation right still applies, but there are specific provisions around what happens if a service begins within that cancellation window. If you are building or refining an online booking system or selling digital services directly through your website, it is worth taking specific legal advice on how to structure this correctly rather than relying on a generic template approach.
What Your Web Designer Should Handle for You
A well-built website can have the majority of this handled correctly at the build stage, rather than as a retrofit once the site is live. A web designer who takes UK compliance seriously should, as part of their standard process: implement a cookie consent solution that genuinely blocks non-essential scripts until a choice is made, build data collection forms with appropriate notices and privacy links, design with WCAG 2.1 AA accessibility requirements in mind from the first wireframe, and structure the footer to include all required legal information.
What a designer typically cannot do is write your privacy policy - that should be reviewed by a legal professional or produced using a reputable compliance platform. But they should ensure whatever document you have is presented correctly, linked from every page, and properly integrated with the data collection points across the site.
When you are evaluating agencies, it is worth asking directly how they handle cookie consent. If the answer is "we add a banner" without any mention of script blocking, granular category controls, or consent logging, that warrants a more detailed conversation. Our web design service includes a fully compliant cookie consent setup as part of every build, and we surface compliance gaps when we audit existing sites. If you want a broader sense of what to ask a potential agency before committing, our 15 questions guide covers the full range.
Final Thoughts
Website legal compliance is not as complicated as it can initially appear, but it does require more than placing a privacy policy in a footer and considering the job done. The four areas where most UK business websites fall short are: a cookie consent banner that does not actually block non-essential cookies before consent is given, a privacy policy that exists but is incomplete or unreadable, missing company registration information, and an inaccessible design that was never checked against WCAG standards.
Getting these right is not only about avoiding regulatory risk - though that risk is real and worth taking seriously. It is about running a professional, credible business that respects the people who visit your site. For most businesses, the practical starting point is the cookie consent setup, since that is where ICO enforcement activity tends to begin. Work through the privacy policy, company information, and then an accessibility audit in that order.
If you are not sure where your current site stands, or you have inherited a website with compliance gaps you want to address, we are happy to take a look.
Is Your Website Legally Set Up Correctly?
Building compliance in from the start is significantly easier than retrofitting it after launch. Our web design service covers cookie consent, form data handling, accessibility foundations, and correct legal page structure as standard on every project - not as an add-on.
Get in touch - we're happy to chat.