• Compliance
UK Cookie Rules Just Changed: What Your Website Actually Needs to Do Now
The ICO updated its cookie guidance in April 2026 and there's a new complaints deadline hitting in June. Most small business owners have no idea. Here's what changed and what you need to sort out.

If you’ve had an email from your cookie consent provider recently telling you something’s changed, you’re not imagining it. The rules did change. And if you’ve been ignoring it hoping it’ll sort itself out, it won’t.
The good news is that for most small business websites, the actual work involved is pretty small. The bad news is that a few things needed sorting and the deadline on one of them has already passed.
The Data (Use and Access) Act came into force in early 2026. The ICO updated its cookie guidance on 29 April. And from 19 June 2026, there’s been a new requirement around how businesses handle data protection complaints. Three things landing in quick succession, and none of them have been explained particularly well to the people who actually need to know.
If you’ve already read my GDPR guide for small businesses, this picks up where that left off. The GDPR stuff hasn’t gone away. This is on top of it.
What actually changed
The big change is the Data (Use and Access) Act 2025, which started rolling out in early 2026. It updated PECR (the Privacy and Electronic Communications Regulations), which is the bit of law that specifically covers cookies.
The short version: there are now five new exemptions where you don’t need to ask for cookie consent. And the maximum fines for getting cookies wrong have jumped significantly.
Let me break down the exemptions first, because they’re the part most people care about.
The five new cookie exemptions
Previously, you needed consent for almost everything except “strictly necessary” cookies. The new rules add five specific cases where consent isn’t required:
1. Analytics cookies (with conditions). If your analytics cookies are only used to measure how people use your website, and the data isn’t shared with third parties or used for any other purpose, you don’t need consent. This is a big deal. It means properly configured, privacy-respecting analytics can run without a cookie banner.
The catch: this only works if the analytics data stays with you. If you’re using Google Analytics, the data goes to Google, who can use it for their own purposes. So GA4 still needs consent. But tools like Plausible, Fathom, or Matomo (self-hosted) likely qualify.
2. Cookies needed to send a communication. If a cookie is technically necessary to transmit a message across a network, consent isn’t required. This was already broadly understood, but it’s now explicitly in the law.
3. Cookies the user specifically requested. If someone asks for a service and that service needs a cookie to work, you don’t need separate consent. Think shopping baskets, login sessions, language preferences. Again, mostly common sense, but now codified.
4. Security cookies. Cookies used to detect fraud, prevent attacks, or ensure the security of a service. Anti-bot protections, CSRF tokens, that sort of thing.
5. Software update cookies. Cookies used to check for and install updates. Less relevant for most small business websites, but there if you need it.
What this means in practice
If you’re running a small business website with privacy-friendly analytics (Plausible, Fathom, or similar), no advertising tracking, and no third-party widgets that set cookies, you might not need a cookie banner at all now.
That’s a genuine improvement. Cookie banners annoy visitors, slow down page loads, and for a lot of small business sites they were always overkill. If you can legitimately drop yours, do it.
But. And this is important. If you’re using Google Analytics, Facebook Pixel, embedded YouTube videos, third-party chat widgets, or any advertising cookies, nothing has changed for you. You still need consent. The banner stays.
Mixed-use cookies are the trap. If you set a cookie for analytics but that same cookie also gets used for advertising targeting, the analytics exemption doesn’t apply. The whole cookie needs consent. This is where a lot of the confusion is coming from. The exemptions are specific and conditional. You can’t just claim “analytics” and wave away the consent requirement.
The fines went up. A lot.
Under the old rules, the maximum fine for cookie violations was £500,000. Under the new rules, it’s £17.5 million or 4% of global annual turnover, whichever is higher.
Now, let me be realistic about this. The ICO isn’t going to fine a three-person landscaping firm £17.5 million for having a dodgy cookie banner. The fines are proportionate to the size of the business and the severity of the violation. But the ceiling being that high tells you the government is taking this more seriously than before.
The more practical risk for small businesses is the same as it’s always been: complaints. If a customer complains to the ICO about your cookie practices, they’ll investigate. And the ICO now has more teeth than it used to.
The June 2026 complaints requirement
This one is easy to miss and has a hard deadline.
Since 19 June 2026, if you process personal data (and if your website has a contact form, you do), you need a formal complaints procedure for data protection issues. Someone needs to be able to complain to you about how you’ve handled their data, and you need a documented process for dealing with that complaint.
That deadline has now passed. If your privacy policy doesn’t include this yet, add it today.
For most small businesses, it doesn’t need to be complicated. Add a section to your privacy policy that says something like:
“If you’re unhappy with how I’ve handled your personal data, you can contact me at [email address]. I’ll respond within 30 days. If you’re not satisfied with my response, you can complain to the ICO at ico.org.uk.”
That’s all most small businesses need. A contact point, a timeframe, and a pointer to the ICO for escalation.
What to actually do this week
Here’s the practical bit. If you’ve got a small business website, work through this:
Check whether you still need a cookie banner. Look at what cookies your site actually sets. If it’s just strictly necessary cookies and privacy-friendly analytics, you may be able to remove your cookie banner entirely under the new exemptions. If you’re not sure what cookies your site sets, open it in Chrome, press F12, go to the Application tab, and look under Cookies.
If you’re keeping the banner, check it actually works. I’ve audited probably 30 small business sites this year and more than half had cookie banners that didn’t do anything. The banner was there, but the tracking scripts loaded regardless of what the visitor clicked. That’s worse than having no banner, because it looks like you’re trying to comply while actively not complying. Test it yourself: decline all cookies, then check the Network tab in your browser’s developer tools to see if analytics scripts still load.
Update your privacy policy. Two things to add: a section on cookies that reflects the current rules, and a complaints procedure (required since 19 June). If your privacy policy still references the old PECR framework without the new exemptions, update the language. And add the complaints bit I mentioned above.
Review your analytics setup. If you’re running Google Analytics purely because it was set up years ago and nobody’s questioned it, this is a good time to ask whether you actually need it. For most small business sites getting under a thousand visitors a month, a tool like Plausible gives you everything you need without cookies, without consent requirements, and with a much simpler setup. I’ve been moving clients across for the past couple of years and not one has missed GA.
Check your third-party embeds. Embedded YouTube videos set cookies. Google Maps embeds can set cookies. Social media widgets set cookies. If you’ve got any of these on your site, they need to be covered by your consent mechanism or loaded only after consent is given. The lazy-load approach (loading a placeholder image until the visitor clicks) is a good workaround for embedded videos.
Stop paying for expensive cookie tools
I see a lot of small business owners paying £30, £50, even £100 a month for cookie consent management platforms. For a five-page business website, that’s almost always unnecessary.
If you do need a cookie banner, free tools like Cookiebot (free for sites under 100 pages) or open-source options handle it perfectly well. If your site is built properly, the implementation takes about an hour.
And if the new exemptions mean you can drop the banner altogether, that’s one less thing to maintain, one less thing to pay for, and a better experience for your visitors.
The honest summary
The cookie rules got a bit better for small businesses in some ways and a bit stricter in others. The new exemptions are sensible and might let you simplify your setup. The higher fines are unlikely to affect you directly, but they signal that the ICO is paying more attention. And the June 19 complaints procedure deadline is real and you should sort it before then.
None of this requires spending money. None of it requires a consultant. It’s an afternoon’s work for most small business sites, and it’s the kind of thing that’s easy to put off until you get that one email from a customer or, worse, the ICO.
Not sure whether your site’s cookie setup is still compliant? Drop me a message and I’ll take a look. Takes five minutes and there’s no charge. I’d rather tell you it’s fine than have you worry about it.
8 min read


