What legal pages does a UK website need?

Post-Brexit, the UK has its own data protection framework — UK GDPR and the Data Protection Act 2018 — that mirrors EU GDPR in most respects while diverging in some important areas. Alongside this, PECR (the Privacy and Electronic Communications Regulations) governs cookies and electronic marketing, the Equality Act 2010 creates accessibility obligations, and the ICO (Information Commissioner's Office) is the national supervisory authority. Here is what every UK website needs to have in place.

A Privacy Policy is mandatory under UK GDPR if you process personal data of UK individuals. It must cover: who you are (controller identity and contact details); what data you collect and why; the lawful basis for each processing activity; who you share data with; how long you retain it; information about any international transfers; and a full statement of data subject rights, including the right to complain to the ICO. UK GDPR mirrors the requirements of EU GDPR Articles 13 and 14 almost exactly. If you also serve EU customers, you will need to address both UK GDPR and EU GDPR: the frameworks are similar but have diverged on some points, including the use of standard contractual clauses for international transfers.

A Cookie Notice / Cookie Policy is required under PECR, which demands informed consent before non-essential cookies are set. The ICO's guidance is clear: consent must be freely given, specific, informed, and unambiguous. Cookie banners must offer a reject option that is as visible as the accept option. The ICO has taken enforcement action against websites with deceptive consent interfaces.

Terms of Service should comply with the Consumer Rights Act 2015 (for B2C) and the Unfair Contract Terms Act 1977 (for B2B). Consumer contracts must be written in plain language, and unfair terms are not binding on consumers. For digital content and online services, the Consumer Rights Act 2015 gives consumers specific remedies if the digital content does not meet the required quality standards.

ICO Registration — most organisations that process personal data as a controller must pay an annual data protection fee to the ICO (£40/year for small organisations, £60 for medium, £2,900 for large). Failure to register and pay the fee is a criminal offence and a primary trigger for ICO enforcement action against small businesses.

PECR and electronic marketing

PECR regulates three areas most relevant to online businesses: cookies and similar technologies; email and SMS marketing; and telephone marketing. For email marketing, PECR requires consent for marketing to individuals (B2C). The "soft opt-in" exception allows you to send marketing to existing customers about similar products, provided they were given a clear opportunity to opt out at the time of data collection and on every subsequent communication.

Accessibility obligations

The Equality Act 2010 requires service providers to make "reasonable adjustments" to avoid putting disabled people at a substantial disadvantage. Applied to websites, this creates an obligation to ensure your site is accessible to users with disabilities. The public sector is subject to stricter, more explicit accessibility regulations (WCAG 2.1 AA mandatory for government websites). For private sector businesses, the obligation is principle-based — but the Equality and Human Rights Commission (EHRC) has issued guidance confirming that inaccessible websites can constitute indirect discrimination.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.