Does My Website Need a Cookie Policy?
Short answer: if your website uses a contact form, Google Analytics, embedded videos, a booking tool, or almost any third-party feature — yes, you almost certainly do.
Most UK business websites use cookies, often without the owner realising it. If yours does, and you don't have a proper cookie policy and consent mechanism in place, you're not meeting your legal obligations. The good news is that it's not complicated to fix once you understand what's required.
What are cookies, and why should you care?
Cookies are small text files that websites store on a visitor's device. Some are essential — they keep the site working properly, like remembering what's in a shopping basket or keeping someone logged in. Others are used for analytics, advertising, or tracking how people use the site.
The reason this matters for business owners is straightforward: UK law requires you to tell visitors what cookies your site uses and, for most types, get their consent before those cookies are set. If you're not doing that, you're technically in breach of the rules — and the regulator, the Information Commissioner's Office (ICO), has the power to take action.
What does UK law actually require?
Cookie rules in the UK come from three overlapping pieces of legislation:
The Privacy and Electronic Communications Regulations (PECR) — this is the main cookie law. It says you must give visitors clear information about what cookies you use and why, and you must get their consent before setting any non-essential cookies on their device.
The UK GDPR — this governs how personal data collected via cookies is processed. If your cookies collect any personal information (and most analytics cookies do, because they capture things like IP addresses), UK GDPR applies on top of PECR.
The Data Protection Act 2018 — this supplements the UK GDPR with additional provisions specific to the UK.
In practice, what this means for a business owner is:
You need a cookie policy that explains what cookies your site uses, what each one does, and how long it lasts. You need a cookie consent banner that appears when someone first visits your site, giving them a genuine choice to accept or reject non-essential cookies. And critically, non-essential cookies must not be set until the visitor has actively consented. Pre-ticked boxes and "by continuing to use this site you agree" messages are not valid consent.
The only cookies exempt from the consent requirement are those that are strictly necessary for the site to function — things like session cookies that keep a shopping basket working, or security cookies that protect against fraud.
Does my site actually use cookies?
Almost certainly, yes. Even a simple business website is likely to set cookies if it uses any of the following:
Google Analytics or any other analytics tool.
A contact form.
Embedded YouTube or Vimeo videos.
Social media sharing buttons.
A live chat widget.
A booking or reservation system.
Google Maps embedded on a contact page.
Google Fonts loaded from Google's servers.
Many website platforms also set their own cookies for things like caching, user preferences, and session management. If your site is built on WordPress, Wix, Squarespace, Webador, or Shopify, it is almost certainly using cookies.
The only way to know for sure is to scan your site and check.
What does a cookie policy need to include?
A proper cookie policy should explain:
What cookies your website sets, listed individually.
What each cookie does, in plain English.
Whether each cookie is set by you (first-party) or by a third-party service.
How long each cookie lasts.
How visitors can manage or withdraw their consent.
It should be written in clear, straightforward language — not buried in legal jargon. The ICO expects cookie information to be genuinely accessible and understandable to an ordinary person, not just technically present on the site.
Your cookie policy should be linked from your website footer and referenced in your cookie consent banner so visitors can find it easily.
What about the cookie consent banner?
A cookie consent banner is the popup or bar that appears when someone first visits your site. To be compliant, it needs to:
Appear before any non-essential cookies are set.
Give the visitor a genuine choice: accept, reject, or manage preferences.
Not use dark patterns or tricks to push people toward accepting (like making the "accept" button large and colourful while hiding the "reject" option).
Make it as easy to reject cookies as it is to accept them.
Remember the visitor's choice so they're not asked every time they visit.
The critical point that most small business websites get wrong is timing: non-essential cookies must be blocked until consent is given. Many sites show a banner but set all cookies immediately regardless of what the visitor clicks. That doesn't count as valid consent.
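The timing rule above, together with the banner requirements in the previous section (genuine choice, remembered decision), comes down to a small piece of logic: a loader for a non-essential script runs only when a recorded choice covers its category, and an absent choice means no consent. The example below is added here and is not code from the original article or from GoWebCheck; it assumes a first-party cookie named cookie_consent (hypothetical) holding two non-essential categories, analytics and marketing, and takes a cookie string as input in place of document.cookie so it runs outside a browser.

```javascript
// Consent gate for non-essential cookies (added example, not from the article).
// Assumes a hypothetical first-party cookie "cookie_consent" storing the visitor's
// choice for the categories "analytics" and "marketing". A plain cookie string is
// passed in wherever a browser would read document.cookie.

const CONSENT_COOKIE = "cookie_consent";

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored choice. Returns null when no valid choice exists, so callers
// must default to "no consent" rather than assuming acceptance.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const c = JSON.parse(raw);
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  } catch {
    return null; // tampered or stale value: treat as undecided
  }
}

// Build the Set-Cookie-style string that records the choice. A rejection is stored
// explicitly so the banner does not reappear on every visit (the "remember" rule).
function consentCookieValue(choice, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
  }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Run a loader (for example the analytics snippet) only if its category was
// accepted. Returns true when the loader ran, false when it was blocked.
function loadIfConsented(category, cookieString, loader) {
  const consent = readConsent(cookieString);
  if (!consent || consent[category] !== true) return false;
  loader();
  return true;
}

// The banner is required only while no choice has been recorded.
function bannerRequired(cookieString) {
  return readConsent(cookieString) === null;
}
```

In a real page the consent string returned by consentCookieValue is written with document.cookie from the banner's accept and reject handlers, and every third-party snippet is wrapped in loadIfConsented instead of being placed directly in the page.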
What happens if I don't have a cookie policy?
The ICO takes a risk-based approach to enforcement. They're more likely to act on complaints, and they tend to prioritise businesses that are collecting large amounts of personal data or using particularly intrusive tracking.
That said, for any UK business, not having a cookie policy and consent mechanism when your site uses non-essential cookies is a compliance gap. The ICO has the power to issue fines of up to £17.5 million or 4% of annual global turnover, though enforcement against small businesses has typically involved warnings and improvement notices rather than headline fines.
The bigger practical risk for most small businesses is reputational. Customers are increasingly aware of privacy. A site with no cookie information and no consent banner looks less professional and less trustworthy than one that handles it properly.
How to check your own site
If you're not sure whether your website has a cookie policy, a consent banner, or whether your cookies are being blocked before consent — you can check. GoWebCheck scans your website across seven areas including GDPR and cookie compliance, and tells you exactly what's missing, why it matters, and how to fix it.
It takes 60 seconds and you'll get a clear, plain-English report.
GoWebCheck provides automated website health checks for informational purposes. It is not a substitute for professional legal or compliance advice.