8 June 2026, by Sitewright Studio

Cookie consent and GDPR for small UK websites: complete guide

Most small businesses think GDPR cookie banners are optional or needlessly complex. This guide explains what you legally must do, what you can skip, and how to audit your banner without expensive tools.

If your website collects any personal data — even just an email address for a newsletter signup — you're subject to the UK General Data Protection Regulation (GDPR), and that means a cookie consent banner isn't optional, it's mandatory. But most small-business guidance on GDPR cookie banners mixes the legal requirement up with a sales pitch for cookie management platforms, leaves you guessing whether you actually need one, and never explains what happens if a regulator comes knocking.

This guide covers what you legally must do, what you can skip, and how to audit your own banner for compliance without spending money you don't have.

Do you actually need a GDPR cookie banner?

The short answer: almost certainly yes, but the scope might surprise you.

GDPR applies if you collect any personal data from EU / UK residents, and that includes analytics cookies. Google Analytics 4, Plausible, Fathom — even if you're not selling anything, if you're tracking visitors with a cookie or similar technology, you need consent before you set it (with narrow exceptions for "strictly necessary" cookies that make your site function, like a session cookie for a checkout or login).

The exceptions are tighter than people think. "Strictly necessary" means the cookie is essential for the service the user explicitly asked for. A preference cookie that remembers the user's language choice on their next visit might qualify if the alternative makes the site unusable. An analytics cookie that lets you optimise your site does not, because the user didn't ask for it and the site works fine without it.

If you're only collecting email addresses through a contact form, you don't need a cookie banner — you need a privacy notice and a legal basis for processing (usually "consent" via a checkbox, or "legitimate interest" if they contact you first). But if you're using Google Analytics or any tracking pixel, a banner becomes legally necessary.

A small business with a simple contact form, no analytics, and a hosted email signup might skip a banner altogether, though you still need clear privacy terms. Most small sites can't justify that bare simplicity: they want to know who's visiting, so in practice a banner is needed.

What your banner must actually say

A legally compliant GDPR cookie banner for small businesses needs to cover four things:

Purpose and legal basis. Your banner must clearly explain what data you're collecting, why, and which law allows it. "We use cookies to improve your experience" is vague. Better: "We use Google Analytics to count visitors and track which pages are popular. We ask for your consent because this isn't essential to run the website."

Granular consent (usually). For anything beyond strictly necessary cookies, the user must be able to consent to each category separately. You can't bundle analytics, marketing, and preference cookies into one checkbox. If you only use analytics, you need one toggle for analytics; if you use analytics and a newsletter signup, you might have two toggles. The exception: strictly necessary cookies don't need consent, but they still need a readable entry in the banner so the user understands what is being set.

Easy withdrawal. If someone consents, they must be able to withdraw that consent easily — ideally in the footer or settings, not buried in a privacy policy. Once they withdraw, you delete their tracking cookies and stop firing analytics and tracking pixels.

Privacy policy link. Your banner must link to a full privacy policy that details how long you keep data, who you share it with (e.g. "Google processes Analytics data under their Data Processing Agreement"), and what rights the user has.

Dark patterns — making consent obvious and rejection hard, or pre-ticking consent boxes — are explicitly banned under UK GDPR guidance (specifically ICO guidance on consent). A small business that relies on dark patterns is exposing itself to regulatory action.
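The four requirements above translate into a small amount of front-end logic: nothing granted by default, one flag per category, the choice remembered, withdrawal that actually removes the tool's cookies. The following is an added example, not the article's or Sitewright's code; it assumes a first-party cookie named site_consent (constructed), Google Analytics as the only analytics tool (its _ga cookies), and a placeholder marketing pixel.

```javascript
// Added example (not Sitewright's code): a minimal granular consent store for a banner.
// Assumed names: first-party cookie "site_consent" (constructed), GA as the analytics tool.
const CATEGORIES = ["analytics", "marketing"];        // "necessary" has no toggle: always on
const TOOLS = {
  analytics: { src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", cookies: ["_ga"] },
  marketing: { src: "https://example.invalid/pixel.js", cookies: ["_fbp"] },   // constructed placeholder
};

// Read the stored choice. No cookie means no decision yet and nothing granted:
// the default is the strictest state, never a pre-ticked consent.
function parseConsent(cookieHeader) {
  const m = /(?:^|;\s*)site_consent=v1:([^;]*)/.exec(cookieHeader || "");
  const granted = m ? m[1].split("|").filter(Boolean) : [];
  const state = { decided: Boolean(m) };
  for (const c of CATEGORIES) state[c] = granted.includes(c);
  return state;
}

// Serialise a choice. "Reject all" is stored too (empty list), so the banner
// remembers the decision instead of re-asking on every page load.
function serializeConsent(choice) {
  const granted = CATEGORIES.filter(c => choice[c] === true).join("|");
  return `site_consent=v1:${granted}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Only scripts for granted categories are ever injected, so a rejected tool
// makes no network request at all (what the DevTools check in an audit looks for).
function scriptsToLoad(state) {
  return CATEGORIES.filter(c => state[c]).map(c => TOOLS[c].src);
}

// On withdrawal, expire the cookies of every category no longer granted. Add "; Domain=..."
// if the tool set its cookie on the parent domain, or the browser leaves the original in place.
function cookiesToExpire(cookieHeader, state) {
  const names = (cookieHeader || "").split(";").map(s => s.trim().split("=")[0]).filter(Boolean);
  const prefixes = CATEGORIES.filter(c => !state[c]).flatMap(c => TOOLS[c].cookies);
  return names.filter(n => prefixes.some(p => n.startsWith(p))).map(n => `${n}=; Max-Age=0; Path=/`);
}

// Browser wiring: called from the banner's buttons with e.g. { analytics: true }.
function applyConsent(choice) {
  if (typeof document === "undefined") return;        // no DOM outside the browser
  document.cookie = serializeConsent(choice);
  const state = parseConsent(document.cookie);
  for (const expiry of cookiesToExpire(document.cookie, state)) document.cookie = expiry;
  for (const src of scriptsToLoad(state)) {
    const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s);
  }
}
```

Call applyConsent from the banner's buttons and again from the footer's settings link; on every page load, run scriptsToLoad(parseConsent(document.cookie)) before injecting any tag so nothing fires until a category has been granted.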

Free vs paid banner solutions: a cost reality

Most small businesses assume they need a paid cookie management platform (CMP) like Cookiebot, OneTrust, or Iubenda. These platforms handle consent, consent withdrawal, automatic cookie inventory, and sometimes AI-powered compliance scanning. For a single website with light traffic, the entry-level pricing is typically £10–30 per month.

Free alternatives include Borlabs Cookie and Consentmanager's free tier, which give you a self-hosted or freemium banner with granular consent. These require you to manually audit which cookies you're firing and which legal bases apply; there's no magic. A developer or tech-savvy owner can set these up in a few hours.

The honest trade-off: paid CMPs cost money but save you time and reduce your risk if your cookie inventory changes (e.g. you add Facebook Pixel next month and forget to update your banner). Free or self-hosted banners are cheaper but depend on your diligence — if you add a new tracking tool and don't update the banner, you're non-compliant.

For a truly minimal setup, a custom banner hardcoded into your site costs nothing upfront (if you build it yourself or hire a developer like Sitewright), but you have to maintain it manually. If you're using a platform like WordPress, plugins like GDPR Cookie Consent are free and reasonably compliant; just ensure you audit your cookies before launch.

Cost comparison for a typical small business with analytics and a contact form:

  • Paid CMP (Cookiebot, OneTrust): £10–25/month. Setup 1–2 hours if the platform auto-scans your site. Ongoing: automatic compliance as you add tools.
  • Free self-hosted (Borlabs, Consentmanager free): £0/month, 4–8 hours setup and auditing per year. Risk: you miss something.
  • Custom banner (hardcoded React or HTML): £0/month if you code it yourself, or £200–500 if a developer builds it. Ongoing: you update it manually when you add tracking.

None of these costs are mandatory; you choose based on your comfort level. A freelancer collecting email with no analytics can get away with no banner and just a privacy notice. A small ecommerce site using Stripe Checkout, Google Analytics, and Facebook Pixel should seriously consider a paid CMP or at minimum a carefully audited free one.

How to audit your banner and test for compliance

Before launch, run this audit yourself. You don't need a lawyer for a basic check.

Step 1: List every cookie and tracking tool on your site.

Open your site in a browser, open DevTools (right-click → Inspect) and refresh the page. The Network tab shows every request, including calls to analytics and tracking hosts; the Application panel (Chrome) or Storage panel (Firefox) lists the cookies that were set. Write down every cookie and tool you see: Google Analytics, Stripe, Mailchimp, YouTube embeds, tracking pixels, session cookies.

Tip: use a free tool like cookieinspection.com or Wunderbucket to crawl your site and list cookies automatically. Even a rough inventory saves hours of guessing.

Step 2: Map each cookie to a legal basis.

Go through your list and ask: is this strictly necessary (the site breaks without it)? Or does it need consent?

  • Session cookie for your checkout: strictly necessary.
  • Google Analytics: needs consent.
  • Stripe Checkout cookie: arguably strictly necessary during checkout, but you should still disclose it.
  • YouTube embed: needs consent if the video loads automatically.

Step 3: Check your privacy policy.

Your privacy policy should name the specific tools (Google Analytics, Stripe) and explain how long you keep data. It should link to each platform's privacy policy. If you can't find this info, your audit has a gap.

Step 4: Test the banner's consent flow.

  • Click "Reject all" or equivalent. Check that analytics doesn't fire (open DevTools Network and confirm Google Analytics requests don't appear).
  • Click "Consent to all". Check that analytics fires.
  • Withdraw consent via a settings link. Confirm analytics stops.
  • Check that the banner doesn't re-ask consent on every page load (it should remember your choice in a cookie).

Step 5: Review the language.

Is the banner clear to a non-technical person? "We use cookies to enhance your experience" is vague. "We use Google Analytics to count how many people visit this page, so we know if it's useful" is clear.

This audit takes 2–4 hours for a small site. If you get stuck, a developer can do it for you, but you should understand the basics of your own site's compliance.
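Steps 1, 2 and 4 of the audit can be repeated cheaply by saving a HAR file from the DevTools Network tab after clicking "Reject all" and checking it with a script. The following is an added example, not the article's or Sitewright's code; the site host, the list of strictly necessary cookie names and the sample capture are constructed, and the tracker host list is the auditor's own inventory.

```javascript
// Added example (not Sitewright's code): audit a DevTools HAR export recorded after
// clicking "Reject all". Anything listed here is the auditor's inventory, constructed.
const NECESSARY_COOKIES = new Set(["session_id", "site_consent", "__stripe_mid"]); // Step 2 inventory
const TRACKER_HOSTS = [                                   // hosts that must only be hit after consent
  "www.google-analytics.com", "region1.google-analytics.com", "www.googletagmanager.com",
  "connect.facebook.net", "www.facebook.com",
];

// Walk every request in the capture and report what should not be there in the rejected state.
function auditRejectedState(har) {
  const findings = [];
  const seen = new Set();
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (TRACKER_HOSTS.some(t => url.hostname === t || url.hostname.endsWith("." + t)))
      findings.push({ kind: "tracker-request", detail: url.hostname + url.pathname });
    // Cookies sent with the request or set by the response. A cookie written by JavaScript
    // (how GA sets _ga) never appears in a Set-Cookie header but is sent on the next request.
    for (const c of [...(entry.request.cookies || []), ...(entry.response.cookies || [])]) {
      if (NECESSARY_COOKIES.has(c.name) || seen.has(c.name)) continue;
      seen.add(c.name);
      findings.push({ kind: "non-essential-cookie", detail: `${c.name} (${url.hostname})` });
    }
  }
  return findings;
}

function summarize(har) {
  const findings = auditRejectedState(har);
  return { compliant: findings.length === 0, findings };
}

// Constructed capture (not real traffic) in HAR 1.2 shape: the site stores the rejection,
// but a _ga cookie still exists and a GA hit still fires, so the banner is not gating properly.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.example.com/", cookies: [{ name: "session_id", value: "x" }] },
    response: { cookies: [{ name: "site_consent", value: "v1:" }] } },
  { request: { url: "https://www.example.com/app.js",
               cookies: [{ name: "session_id", value: "x" }, { name: "_ga", value: "GA1.1.1" }] },
    response: { cookies: [] } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER", cookies: [] },
    response: { cookies: [] } },
] } };

console.log(JSON.stringify(summarize(SAMPLE_HAR), null, 2));
```

Run it against a real export with summarize(JSON.parse(fs.readFileSync("reject-all.har", "utf8"))); an empty findings list after "Reject all" is what Step 4 expects, and the same script run after "Consent to all" should list the trackers you intended to load.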

What to do if a data protection authority contacts you

This doesn't happen often to small businesses, but it does happen. The UK Information Commissioner's Office (ICO) has issued fines ranging from £5,000 to £17.5 million, and whilst the larger penalties are for large-scale breaches, a regulator can still open an investigation into a small business for banner non-compliance.

If you receive an inquiry (often via email asking for information):

  1. Do not ignore it. Ignoring a data protection authority inquiry is worse than non-compliance; it suggests obstruction.

  2. Gather your evidence. Pull your privacy policy, banner screenshots, cookies list, and any consent logs you have. Document when you fixed any issues (e.g. "We added proper consent on 15 September" helps show good faith).

  3. Respond honestly and promptly. You don't need a lawyer for an initial response, but if the inquiry escalates, consult one. Be truthful about any gaps; regulators respect businesses that fix problems voluntarily more than those that hide them.

  4. Fix the issue immediately. If your banner is non-compliant, fix it before responding. If you're missing a privacy policy, write one. This demonstrates good faith and often shortens the inquiry.

  5. Keep records. Document your remediation. If the ICO investigates further, you have evidence you took it seriously.

Regional variation note: The ICO is the UK's authority, but if your website is visible to EU residents (which it is if you don't geo-block), national regulators in France, Germany, Ireland, or other EU countries can also investigate. The UK GDPR is very similar to EU GDPR, so a banner compliant under UK rules is usually compliant in the EU too. However, France's CNIL has been stricter on consent for Google Analytics (requiring explicit consent, not implied), and Germany's data protection authorities have ruled that certain cookie categories must be easier to reject than accept. For a small business, the safest approach is to follow the strictest interpretation: make rejection as easy as consent, and explicitly name tools rather than being vague about "analytics partners."

Most small-business investigations close with a warning or a small fine (£500–2,000 range) once you fix the issue. A regulator's goal is compliance, not punishment.

Converting visitors without dark patterns

The uncomfortable truth: a GDPR-compliant banner with easy rejection tanks your consent rate compared to a dark-pattern banner that pre-ticks boxes or makes rejection hard.

A compliant banner where "Reject all" is as prominent as "Consent" and consent is granular might see a 20–35% consent rate for analytics. A dark-pattern banner (rejected by the ICO) might hit 70–80%. That's a real business trade-off.

But there's an honest middle ground. You can optimise for consent legitimately:

  • Default to the strictest cookies only. Your banner consents to strictly necessary by default (no user action needed). Everything else requires explicit opt-in.
  • Explain the benefit. Instead of "Analytics cookies," write "We use Google Analytics to understand which pages are most helpful, so we can improve them." Users are more likely to consent if they understand why.
  • Make consent easy, but not automatic. A large "Yes, I'm happy" button next to a smaller "Only essential" button is fine; pre-ticking the "Yes" box is not.
  • Offer a reason to consent. Some businesses see better consent rates by offering a benefit: "Consent to marketing cookies and get 10% off your first order." This is transparent and fair.
  • Use a layered banner. A minimal banner on first visit ("We use cookies") with a link to full settings improves consent rates because it's less intrusive.

When you weigh the legal risk of non-compliance against a slightly lower consent rate, compliance always wins. A 25% analytics consent rate is better than a 70% rate plus a regulator fine.

Building compliance into your site from the start

If you're building a new website, start your project with a clear view of what data you'll collect. Before your site goes live, you should have:

  • A privacy policy (you can use a template from GDPR.eu or Termly).
  • A list of every cookie and tracking tool.
  • A cookie banner (free or paid, self-hosted or SaaS).
  • A way for users to withdraw consent.

At Sitewright, when we build a site, we wire up analytics (Google Analytics 4, Plausible, or Fathom) and often integrate a contact form or newsletter signup. We recommend a compliant banner from the start rather than retrofitting one later. If you're using a paid CMS platform (even WordPress), the effort to add a banner is small before launch but annoying after.

The smallest cost-saving move: write your privacy policy and choose your analytics tool before you build the site. Once you know what data you're collecting, the banner becomes straightforward.

A UK small business that respects its visitors' data and follows GDPR cookie banner guidance honestly builds trust, avoids regulatory headaches, and sleeps better at night — even if consent rates dip slightly.

Frequently asked questions

Do I need a GDPR cookie banner if I use Google Analytics on my small UK website?

Yes, Google Analytics requires a GDPR cookie banner because it sets tracking cookies that need user consent before they're placed.

  • Google Analytics cookies are not strictly necessary for your site to function
  • You must offer granular consent—users can refuse analytics separately
  • Consent must be easy to withdraw, ideally in your footer or settings
  • Without a banner, you risk ICO enforcement action or data subject complaints

What counts as strictly necessary cookies that don't need consent?

Strictly necessary cookies are only those essential for the service the user explicitly requested, such as session cookies for checkout or login.

  • Analytics and marketing cookies never qualify as strictly necessary
  • Remember-me login and shopping basket cookies do qualify
  • Language preference cookies qualify only if the site breaks without them
  • Strictly necessary cookies still need a readable explanation in your banner

Can I put all my cookies into one checkbox instead of separate toggles?

No, GDPR requires granular consent, meaning users must consent to each cookie category separately unless they're all strictly necessary.

  • Each non-essential cookie type needs its own toggle (analytics, marketing, etc.)
  • Strictly necessary cookies don't need toggles but must be clearly explained
  • Pre-ticked boxes violate GDPR—consent must be active
  • Bundling cookies into one checkbox is a common compliance failure regulators target

What should I do if someone withdraws their cookie consent on my website?

When a user withdraws cookie consent, you must immediately stop collecting new analytics data, delete their stored tracking cookie, and ensure no further pixels fire for that visitor.

  • Withdrawal must be available in settings or footer, not buried in privacy policy
  • Delete their analytics identifier from Google Analytics or equivalent tool
  • Stop firing any marketing or third-party pixels for that visitor
  • Log the withdrawal so you can prove compliance if audited

Is a simple contact form with no analytics exempt from GDPR cookie banner requirements?

A contact form alone doesn't require a cookie banner, but you still need a privacy notice explaining you collect email addresses and a legal basis.

  • Contact form alone = privacy notice + consent checkbox (no banner needed)
  • Add Google Analytics = banner becomes legally necessary
  • Add newsletter signup = privacy notice + explicit consent checkbox
  • Most small sites use analytics, so a banner is practically unavoidable

What happens if the ICO finds my GDPR cookie banner isn't compliant?

The ICO can issue enforcement warnings, demand you fix non-compliance within a deadline, issue formal Decision Notices requiring changes, or fine you up to £20 million or 4% of turnover.

  • Initial contact is usually a warning letter giving you 14–30 days to fix issues
  • Complaints from data subjects trigger ICO investigations
  • Small businesses rarely face maximum fines, but escalation is possible if you ignore warnings
  • Keeping audit records (banner screenshots, consent logs) proves good-faith compliance