Privacy & Cookies: What You Actually Need (UK Guide)
You're not alone if GDPR compliance feels overwhelming—but you only need two things in place, and this guide shows you exactly how to set them up in 45 minutes.
The moment you add Google Analytics, a contact form, or a Facebook Pixel to your website, you're collecting data. And under UK law (GDPR and the Privacy and Electronic Communications Regulations), you must ask permission before tracking users—not just tell them you're doing it.
Most micro-business owners freeze at this point. The terminology is confusing. The ICO guidance runs to hundreds of pages. And the internet is full of contradictory advice about what's "good enough."
Here's the truth: You need exactly two things to be compliant:
A Privacy Policy that clearly states what data you collect and why
A Cookie Consent Banner that actually blocks tracking until users click "Accept"
That second point trips up most people. Those "This site uses cookies—Continue" banners you see everywhere? They're not compliant. UK law requires prior consent—meaning scripts like Google Analytics must be blocked until the user actively agrees.
This guide cuts through the legal jargon to deliver one specific action: Installing the minimal necessary compliance elements that satisfy UK law for a small business website. You'll have both elements live and working by the end of this article.
What You'll Have When Done:
A functioning, UK/GDPR-compliant Privacy Policy page and Cookie Consent Banner that actually blocks tracking until consent is given.
Time Needed: 45 minutes
Difficulty: Confident (requires editing website code/header, but we'll walk you through it)
If you're confident with website basics and just need the action steps, follow this condensed version. For detailed explanations, skip to the Complete Guide.
Before You Start, You'll Need:
☐ A list of all tracking tools installed (Google Analytics, Facebook Pixel, etc.)
☐ Access to your website's header code (usually via your website builder or theme settings)
☐ A chosen Cookie Consent Management Platform (CMP)—we'll recommend options in Step 3
Step 1: List Your Data Collection Points (5 minutes)
Open a document and note every place you collect data:
Contact forms (names, email addresses, phone numbers)
Newsletter sign-ups
Google Analytics or similar tracking
Facebook Pixel or other advertising pixels
Payment processing (even though Stripe/PayPal handle the data, you need to mention it)
Any lead magnets or downloadable resources
Step 2: Choose a Cookie Consent Platform (5 minutes)
You need a tool that:
Automatically blocks scripts until consent is given (called "prior consent" mode)
Works with UK/GDPR requirements
Fits your budget
Recommended options:
Cookiebot (from £0/month for small sites, excellent auto-detection)
Complianz (WordPress plugin, free version available)
CookieYes (free tier for up to 25,000 page views/month)
All three automatically detect and block common scripts like Google Analytics.
Step 3: Generate Your Privacy Policy (10 minutes)
Most CMPs include a policy generator. Use it, then customize:
Add your business name and contact details
List every data collection point from Step 1
Specify how long you keep data (e.g., "Contact form submissions are kept for 2 years")
Include your legal basis for processing (usually "Legitimate Interest" for analytics, "Consent" for marketing)
Critical UK requirement: Include information about users' rights (access, deletion, portability) and how to contact the ICO if they have concerns.
Step 4: Install the CMP Code (5 minutes)
Your chosen CMP will provide a code snippet. Place it in your website's `<head>` section:
WordPress: Use a plugin like "Insert Headers and Footers" or add to your theme's header.php
The CMP will now load before any other scripts, allowing it to block them until consent is given.
Step 5: Verify It's Working (5 minutes)
Open your website in an incognito/private browser window
Before clicking anything on the cookie banner, open your browser's Developer Tools (F12)
Check the Network tab—Google Analytics and other tracking scripts should NOT be loading
Click "Accept" on the banner
Refresh the page—now the scripts should load
You've Done It When:
☑ Your Privacy Policy page is live and linked in your website footer
☑ The cookie banner appears on first visit
☑ Tracking scripts are blocked until "Accept" is clicked (verified in incognito mode)
☑ Users can access cookie settings to change their preferences
Test it: Visit your site in incognito mode. Google Analytics should NOT fire until you click "Accept" on the banner.
✅ Completed the quick version? Move on to Terms & Conditions: What to Include or continue below for the detailed walkthrough explaining why each step matters and how to handle edge cases.
---
Complete Step-by-Step Guide: Achieving UK Compliance
This section explains the reasoning behind each action and handles the complexity that the Quick Start skips.
Step 1: Understand the UK Principle (Prior Consent)
The UK follows GDPR plus the Privacy and Electronic Communications Regulations (PECR). The key principle: You must get consent before placing non-essential cookies or tracking users.
"Non-essential" means anything beyond what's strictly necessary for the website to function. Google Analytics? Non-essential. Facebook Pixel? Non-essential. Even heatmapping tools like Hotjar? Non-essential.
What this means in practice:
Those "This website uses cookies—Continue" banners you see everywhere? They're called "Notice and Continue" or "Implied Consent" banners. They're not compliant under UK law. The ICO has been clear: you need prior consent, meaning the user must take an affirmative action (clicking "Accept") before tracking begins.
This is why you need a Cookie Consent Management Platform (CMP) that actually blocks scripts, not just displays a notice.
Why this matters for micro-businesses: The ICO can fine businesses up to £17.5 million or 4% of annual turnover (whichever is higher) for serious breaches. While they typically target large organizations, they've made examples of smaller businesses too. More importantly, proper consent builds trust with your customers—and that's worth more than avoiding fines.
Marketing pixels (Facebook, LinkedIn, Google Ads)—browsing behavior, page views
Payment processing—even though Stripe/PayPal handle the data, you need to mention it
Email marketing tools (Mailchimp, ConvertKit)—email addresses, engagement data
Live chat widgets—conversation history, email addresses
Lead magnets or downloads—whatever you ask for in exchange
Don't forget third-party tools: If you've embedded a booking calendar, customer portal, or any other third-party service, check what data they collect. You're responsible for declaring it.
[MEDIA:SCREENSHOT:cmp-vendor-comparison]
A quick comparison of popular UK/GDPR compliant CMPs, focusing on cost and key blocking features. Cookiebot offers the most comprehensive auto-detection but costs more; Complianz is excellent for WordPress users; CookieYes provides a generous free tier.
Step 3: Select Your CMP Tool and Generate Policy
Now you need to choose a Cookie Consent Management Platform. The right tool will:
Automatically detect scripts on your site (Google Analytics, Facebook Pixel, etc.)
Block them by default until consent is given
Provide a customizable banner that meets UK requirements
Generate a Privacy Policy based on what it detects
Store consent records (proof that users agreed)
Evaluation criteria:
Prior consent mode: Essential. The tool must block scripts, not just notify users.
Auto-detection: Saves hours of manual configuration. The tool scans your site and identifies tracking scripts automatically.
Customization: You need to match your brand and add custom data collection points the tool might not detect.
Consent storage: Required for compliance. You must be able to prove users consented.
Price: Free tiers often work for micro-businesses (under 25,000 monthly page views).
Recommended tools:
Cookiebot (cookiebot.com)
Best auto-detection
Prior consent mode by default
Free for up to 100 pages
Excellent documentation
Used by major UK brands
Complianz (WordPress plugin)
Free version available
Good for WordPress sites
Wizard-based setup
Integrates with popular plugins
CookieYes (cookieyes.com)
Free up to 25,000 page views/month
Simple setup
Good documentation
Works with all platforms
Setup process (using Cookiebot as example):
Create an account and add your domain
The tool scans your site and detects scripts
Review the detected cookies and categorize them:
Necessary: Required for site function (usually just session cookies)
Preferences: Remember user choices (language, etc.)
Statistics: Google Analytics, heatmaps
Marketing: Facebook Pixel, Google Ads, retargeting
Enable "Prior Consent" mode (usually the default for UK/EU)
Customize the banner text and appearance
Generate your Privacy Policy using the tool's generator
Critical settings to verify:
Consent mode: Must be "Opt-in" or "Prior Consent," NOT "Opt-out" or "Notice Only"
Auto-blocking: Enabled for all non-essential categories
Consent renewal: Set to 12 months (users must re-consent annually)
Geolocation: If you serve global customers, set different rules for UK/EU vs. other regions
NetNav Integration Point: Implementing a CMP can be tricky, especially verifying that scripts are genuinely blocked. Use NetNav's technical check after installation to confirm that non-essential scripts aren't loading before consent. This audit saves hours of manual browser inspection and gives you confidence that your implementation actually works.
Step 4: Customize and Publish the Privacy Policy
Most CMPs generate a basic policy, but you must customize it to be accurate and complete.
Required sections for UK compliance:
Who you are
Business name and trading name (if different)
Contact details (email, phone, postal address)
ICO registration number (if you have one—most micro-businesses don't need to register)
What data you collect
Use your inventory from Step 2
Be specific: "We collect your name and email address when you submit our contact form"
Don't use vague language like "we may collect various information"
Why you collect it (legal basis)
Consent: For marketing emails, non-essential cookies
Legitimate Interest: For contact form responses, essential analytics
Contract: For processing orders or delivering services
Legal Obligation: For tax records, etc.
How long you keep it
Be specific: "Contact form submissions: 2 years"
Explain why: "We keep contact form data for 2 years to maintain a record of customer service interactions"
Who you share it with
List all third parties: "We use Google Analytics (Google LLC) to understand site usage"
Include payment processors, email marketing tools, hosting providers
Mention if data leaves the UK/EU
User rights
Right to access their data
Right to correction
Right to deletion ("right to be forgotten")
Right to data portability
Right to object to processing
Right to withdraw consent
How to exercise these rights (usually "email us at...")
How to complain
"If you're not satisfied with our response, you can complain to the Information Commissioner's Office (ICO): ico.org.uk"
Customization checklist:
[ ] Replace all placeholder text with your actual business details
[ ] Add every data collection point from your inventory
[ ] Mention every third-party tool by name (not just "analytics providers")
[ ] Specify retention periods for each data type
[ ] Include a "last updated" date
[ ] Add a version number (for tracking changes)
Where to publish it:
Create a dedicated page at `/privacy-policy` or `/privacy`. Then link to it from:
Website footer (required—must be accessible from every page)
Next to every data collection point (contact forms, newsletter signups)
Checkout process (if you sell products)
Account creation (if users register)
[MEDIA:SCREENSHOT:policy-link-placement]
Required placement: The Privacy Policy and Terms & Conditions must be linked in your website footer and near any data collection points (forms, checkout, etc.). This screenshot shows best practice for discoverability and compliance.
For guidance on footer structure and essential links, see What Should I Put on My Homepage? (which covers overall site structure including footers).
Step 5: Implement the CMP Code and Verify Blocking
Now you need to install the CMP code on your website. This is the most technical step, but it's straightforward if you follow the instructions.
Installation methods by platform:
WordPress:
Install your CMP's plugin (e.g., "Complianz" or "Cookiebot")
Follow the setup wizard
The plugin handles code placement automatically
Squarespace:
Copy the code snippet from your CMP dashboard
Go to Settings → Advanced → Code Injection
Paste the code in the "Header" section
Save
Wix:
Copy the code snippet from your CMP dashboard
Go to Settings → Custom Code
Click "Add Custom Code"
Paste the code, set it to load in "Head"
Apply to "All Pages"
Custom HTML sites:
Copy the code snippet from your CMP dashboard
Paste it in the `<head>` section of your HTML, before any other scripts
Upload the modified file to your server
Critical: Code placement matters. The CMP code must load before Google Analytics, Facebook Pixel, and other tracking scripts. This allows it to intercept and block them until consent is given.
Verification process (the incognito test):
This is how you confirm your implementation actually works:
Open an incognito/private browser window (this ensures no previous consent is stored)
Navigate to your website—the cookie banner should appear immediately
Open Developer Tools (F12 on most browsers)
Go to the Network tab and refresh the page
Before clicking anything on the banner, check for tracking scripts:
Search for "google-analytics" or "analytics.js"—should NOT be present
Search for "facebook" or "fbevents.js"—should NOT be present
Any other tracking pixels should NOT be loading
Click "Accept" on the banner
Refresh the page and check the Network tab again—now the tracking scripts SHOULD load
Test the "Reject" option:
Clear your browser data or open a new incognito window
Visit your site again
Click "Reject" or "Reject All"
Verify that tracking scripts still don't load
Test the settings/preferences option:
Users should be able to accept some categories (e.g., Statistics) but reject others (e.g., Marketing)
Verify that only the accepted categories' scripts load
[MEDIA:SCREENSHOT:cookie-banner-example]
Example of a compliant banner showing clear options for Accept/Reject and Settings, with the background scripts demonstrably blocked until the user makes a choice. Notice the "Necessary," "Statistics," and "Marketing" categories that users can control individually.
Common implementation mistakes:
Scripts loading before the CMP: Check that the CMP code is the first script in your `<head>` section
Hard-coded scripts: If you've manually added Google Analytics code to your theme, it might bypass the CMP. Remove it and add it through Google Tag Manager instead, which the CMP can control
Cached pages: Clear your website cache after installing the CMP, or you might be testing an old version of the page
Testing while logged in: Some CMPs don't show the banner to logged-in admins. Always test in incognito mode
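The blocking model behind Steps 4 and 5, and the incognito test as a check you can run over a list of request URLs copied from the Network tab, as an added example: this is not code from the guide or from any of the CMPs named above, and the `data-category` attribute, the tracker host list and the sample capture are assumptions I constructed for illustration.

```javascript
// Added example, not from the guide or any CMP vendor: a minimal model of
// consent-gated script loading plus the incognito test expressed as code.
// Category names follow the guide; data-category and the host list are assumed.

// Consent state as a CMP stores it. Before the banner is answered only
// "necessary" is true, which is the state the incognito test exercises.
const NO_CHOICE_YET = Object.freeze({
  necessary: true, preferences: false, statistics: false, marketing: false,
});

// Which deferred scripts may run under a given consent state. On the page,
// deferred tags are <script type="text/plain" data-category="statistics"
// src="..."> which the browser neither fetches nor executes. A hard-coded
// <script src="..."> without text/plain runs regardless of consent, which is
// the "hard-coded scripts" mistake above.
function scriptsAllowed(scripts, consent) {
  return scripts.filter((s) => s.category === 'necessary' || consent[s.category] === true);
}

// Constructed mapping of hostnames the guide says to search for in the
// Network tab to the consent category each one needs.
const TRACKER_HOSTS = {
  'www.google-analytics.com': 'statistics',
  'www.googletagmanager.com': 'statistics',
  'connect.facebook.net': 'marketing',
};

// The incognito test: given absolute request URLs copied from the Network tab
// and the consent state at that moment, return every tracker request that
// should not have happened. An empty result means blocking works.
function violations(requestUrls, consent) {
  const out = [];
  for (const url of requestUrls) {
    const category = TRACKER_HOSTS[new URL(url).hostname];
    if (category && consent[category] !== true) out.push({ url, category });
  }
  return out;
}

// Browser side: after the banner is answered, turn each permitted deferred
// tag into a real script and return how many were activated. Returns 0 when
// there is no document, so the file also loads under Node.
function activateScripts(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (scriptsAllowed([{ category: el.dataset.category }], consent).length === 0) continue;
    const live = doc.createElement('script');
    const src = el.getAttribute('src');
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Constructed Network-tab capture taken before the banner was answered: the
// first-party request is fine, the other two must NOT appear at this point.
const PRE_CONSENT_LOG = [
  'https://www.example.com/',
  'https://www.google-analytics.com/analytics.js',
  'https://connect.facebook.net/en_US/fbevents.js',
];

console.log(violations(PRE_CONSENT_LOG, NO_CHOICE_YET)); // prints the two tracker requests
```

Running `violations` with the consent state you expect at each stage of the test (nothing chosen, "Accept", "Reject", Statistics only) tells you whether what you saw in the Network tab matches what the CMP should have allowed.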
You've Achieved Compliance When:
☑ Your Privacy Policy page is live, accurate, and linked in the footer
☑ The cookie banner appears on first visit to your site
☑ Tracking scripts are blocked until "Accept" is clicked (verified via the incognito test)
☑ Users can access cookie settings to review and change their preferences
☑ The banner works correctly on mobile devices
☑ Consent choices are remembered across sessions
Final verification: Ask a friend or colleague to visit your site on their phone and desktop. They should see the banner, and their choice should persist when they return later.
🎉 Completed? You've secured the necessary privacy foundations and are ready for Terms & Conditions: What to Include, which covers the other essential legal document for your website.
---
Troubleshooting
Problem 1: The cookie banner appears, but Google Analytics still loads automatically
Symptoms: You see the banner, but when you check the Network tab in Developer Tools, `analytics.js` or `gtag.js` is loading before you click "Accept."
Fix:
Check your CMP is in "Prior Consent" mode: Go to your CMP dashboard and verify the consent mode is set to "Opt-in" or "Prior Consent," NOT "Opt-out" or "Notice Only"
Verify auto-blocking is enabled: Most CMPs have a setting to automatically block detected scripts. Make sure it's turned on for the "Statistics" and "Marketing" categories
Check for hard-coded scripts: If you've manually added Google Analytics code to your website theme or header, the CMP might not be able to block it. Remove the hard-coded script and add Analytics through Google Tag Manager instead, which the CMP can control
Clear your cache: Your website cache might be serving an old version of the page. Clear your website cache (and your browser cache) and test again in incognito mode
Check script loading order: The CMP code must load before Google Analytics. In your website's `<head>` section, the CMP script should be the first script listed
Problem 2: The Privacy Policy template doesn't mention specific tools I use
Symptoms: You've used a template policy generator, but it only mentions "analytics providers" generically. You use specific tools like ConvertKit for email marketing or Calendly for bookings, and they're not mentioned.
Fix:
Manually edit the "Data We Collect" section: Add specific entries for each tool. For example: "We use ConvertKit (Seva, Inc.) to manage our email newsletter. When you subscribe, your email address and name are stored on ConvertKit's servers in the United States."
Check each tool's privacy documentation: Most reputable tools provide sample privacy policy text you can copy. Look for "Privacy Policy Template" or "GDPR Compliance" in their help documentation
Be transparent about data location: If a tool stores data outside the UK/EU (like many US-based services), mention it: "Data is transferred to and stored in the United States under Standard Contractual Clauses"
Update when you add new tools: Set a calendar reminder to review your Privacy Policy quarterly. Every time you add a new tool (like a booking system, live chat, or lead magnet service), update the policy immediately
Related: If you're adding lead magnets or email capture, see Add a Lead Magnet to Your Website for guidance on compliant data collection.
Problem 3: The banner breaks the mobile layout or conflicts with other scripts
Symptoms: The cookie banner overlaps important content on mobile, doesn't display correctly, or causes other website features (like a booking widget or live chat) to stop working.
Fix:
Check the CMP's mobile settings: Most CMPs have separate mobile layout options. Try switching from a full-screen banner to a bottom bar or top bar on mobile
Adjust z-index: The banner might be appearing behind other elements. In your CMP's customization settings, look for "z-index" or "layer order" and increase it (try 999999)
Test for script conflicts: Temporarily disable other scripts (booking widgets, live chat, etc.) one at a time to identify which one conflicts with the CMP. Once identified, check both tools' documentation for known conflicts
Try a different CMP: If conflicts persist, the CMP might not be compatible with your website platform or other tools. Try one of the other recommended CMPs—they handle script loading differently and might work better
Check for JavaScript errors: Open Developer Tools (F12), go to the Console tab, and look for red error messages. These often indicate what's conflicting. Search for the error message online or contact your CMP's support with the error details
Still stuck? Most CMP vendors offer support, even on free plans. Contact them with specific details: your website URL, browser/device you're testing on, and screenshots of the issue.
---
What's Next
You've completed the privacy and cookie compliance requirements—one of the most important (and often dreaded) legal steps for your website.
Your Terms & Conditions document covers how people can use your website, what they can and can't do, and your liability limitations. It's the companion to your Privacy Policy and equally important for protecting your business.
Go deeper into related topics:
GDPR-Compliant Email Marketing — For the full guide to managing email list consent under GDPR, including double opt-ins, data management, and what to do when someone unsubscribes
What Data Should You Actually Collect About Customers? — Go deeper into data minimization principles and ensuring you only collect what's truly necessary for your business goals (collecting less data = less compliance burden)
---
Other Get Online Guides
Before you launch, make sure you've covered these essentials:
Accessibility Basics for Your Website — Ensure your website is usable by everyone, including people with disabilities (and avoid potential legal issues)
Privacy compliance isn't just about avoiding fines—it's about building trust with your customers. By implementing proper consent mechanisms and being transparent about data collection, you're showing visitors that you respect their privacy and take their data seriously.
You've now completed the essential (and often dreaded) compliance step. NetNav can audit your entire site across 9 pillars of health, including continuous monitoring of technical security and speed, in 60 seconds—see what else needs attention before you launch.
Run Your First NetNav Audit to check all 9 pillars of website health and ensure everything is working correctly before you launch.