
Do I Need a Cookie Banner on My Website? (UK Rules Explained)

A lot of small business websites use cookie banners, but many of them don’t meet the ICO’s requirements (this catches more people out than you’d expect, especially with DIY builders). Here’s what the law requires in 2026, what changed in February, and how to check if your site is compliant. Duport has helped over 2,000 UK founders set up compliant business websites. Cookie compliance is one of the steps people often assume is “handled” by their website builder when, in reality, it usually isn’t.

Do I legally need a cookie banner on my website in the UK?

Yes, if your site uses anything beyond strictly necessary cookies, you need to get consent before they’re set. In practice, that includes most websites, even simple ones.

The Privacy and Electronic Communications Regulations (PECR) cover cookies and sit alongside the UK GDPR. Strictly necessary cookies (the ones that keep your site running, like session or shopping cart cookies) are exempt. Everything else: analytics tools, Facebook Pixel, embedded YouTube videos, even some contact form plugins, requires explicit consent before being placed on a visitor’s device.

In most cases, even a basic brochure-style site ends up using more than strictly necessary cookies. For example, a typical Wix or Squarespace site might include Google Analytics, an embedded YouTube video, and a Facebook Pixel, all of which set third-party cookies behind the scenes. If those are firing before a visitor has clicked “accept,” you’re not compliant.

What changed with the Data (Use and Access) Act 2025?

The Data (Use and Access) Act 2025 (in force from 5 February 2026) created an exemption for analytics cookies used solely to measure your own site’s performance.

Under the new rules, analytics cookies might not need consent, but only if you meet strict conditions. To qualify, you need to keep the data strictly for your own traffic insights: no sharing, no advertising use, and proper anonymisation. If you’re using Google Analytics with ad features switched off and anonymisation enabled, you may qualify. But this is where a lot of setups fall short in practice.

The ICO expects to release updated guidance for small businesses in Spring 2026. For now, keep analytics cookies within your existing consent setup until the ICO fully confirms those details. The change matters most for businesses whose only non-essential cookies are analytics. If you also run Facebook Pixel or retargeting tools, consent is still required for those.

Does a Wix or Squarespace cookie banner meet UK legal requirements?

Not by default, and this is where a lot of people get caught out. Most DIY builders don’t fully meet ICO requirements straight out of the box, even though they give the impression that everything’s “taken care of.”

The ICO’s core requirement is that non-essential cookies must not fire before a visitor has actively consented. Historically, Wix’s default cookie tool has violated regulations by setting cookies before a user even interacts with the page. Squarespace’s banner blocks some cookies but not all, and the category descriptions don’t always match what the ICO expects.

Both platforms also require you to offer visitors an equally easy way to withdraw consent as they had to give it. A banner with a big green “Accept All” button and a small grey “Manage” link buried in the footer doesn’t meet that standard. If you switched your cookie banner on once and haven’t looked at it since, it’s worth checking what it’s doing in the background.

One thing that often gets missed is that compliance doesn’t stop at the cookie banner. Your website also needs a privacy policy, terms and conditions, and your company’s registered information in the footer. For limited companies, that means your registered name and company number. Most builders won’t flag if something’s missing: you can publish a site without a privacy policy or proper footer details and never get prompted.

If you already have a site, it’s worth checking what’s actually happening behind the scenes. A quick compliance check, at the link below, can highlight any gaps.

Check your website now →

What do I actually need on my website to be compliant?

At a basic level, your site should include a compliant cookie banner, a clear privacy policy, an easy way for users to change or withdraw their consent, and accurate business information in your footer.

The cookie banner is there to manage consent for tracking. The privacy policy explains what data you collect, why, and how long you keep it. The footer information is a legal requirement for limited companies under the Companies Act 2006.

Contact forms are another area people often overlook. Even a simple name-and-email form brings in obligations around lawful basis, data retention, and disclosure.

What happens if I don’t have a cookie banner in the UK?

The ICO can issue fines for PECR breaches, but in practice, enforcement currently focuses on larger organisations, rather than small businesses that are clearly trying to do the right thing.

That doesn’t mean small businesses are exempt. PECR fines can reach £500,000 for serious breaches. The ICO has also signalled it will increase scrutiny of cookie compliance across all sizes of website. In some cases, a single complaint from a visitor can be enough to trigger an investigation.

There’s also a practical side to it: how your site comes across to visitors. A broken banner, missing privacy policy, and absent footer information can make a business look less trustworthy, even if everything else is solid. If your DIY website is causing headaches beyond compliance, “why DIY website builders don’t work for small businesses” covers the pattern we see most often.

Is there a simpler way to get a compliant website without doing this yourself?

Yes, a done-for-you website build includes compliance as standard, so you don’t have to audit, configure, and second-guess every setting yourself.

Duport’s website build comes with a cookie banner, privacy policy, terms and conditions, and correct footer information already in place. You also get your domain and professional email address. Most sites are up and running within 72 hours, with minimal input needed from you, usually around 30 minutes.

Not sure whether your current site has the right elements in place? It’s worth reading the signs your DIY website might be costing you customers; compliance gaps are one of the most common issues we come across when reviewing DIY websites.

Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate.
Get started at duport.co.uk/related-services/website-design


FAQs

  • Does a sole trader need a cookie banner in the UK?

Yes — cookie consent rules under PECR apply equally to sole traders and limited companies; they’re based on your website’s activity, not your business structure.

  • Do I need a cookie banner if I only use Google Analytics?

Under the Data (Use and Access) Act 2025, in force from 5 February 2026, analytics cookies may be exempt from consent. The conditions: Google Analytics must be configured with anonymisation enabled and ad features switched off. ICO plain-English guidance for small businesses is still pending, so keeping the banner is the safer choice for now.

  • Can I use a free cookie banner on my website?

Free tools like CookieYes and Osano have free tiers, but features such as automatic cookie scanning and granular consent categories are typically on paid plans. A free banner is better than nothing, but check whether it blocks cookies before consent is given, because that’s the part regulators focus on most.

  • What must a cookie banner include to be ICO compliant?

It must explain the categories of cookies you use and give visitors a genuine choice to accept or decline each one. It must also block non-essential cookies until consent is given. Withdrawing consent must be as easy as giving it.

  • Is my Wix or Squarespace website legally compliant in the UK?

Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information. This includes details such as your registered company name and number if you’re a limited company. Most website builders include template pages for some of these, but they don’t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.

Check your website →