Cookie law and privacy, a small business guide to compliance with our recommended tools

Back in May 2018, there was a big change in Europe for how our information is protected online. The GDPR regulations came in, with the aim of keeping your personal info safe when using the internet.

What we will cover

These rules are important because they give you more say in what happens to your information and make sure that companies are careful with it. For small businesses, though, following these rules can be tricky.

In this guide, we’ll talk about the impact of these rules, what services have popped up over the last few years, and share some tools to help small businesses stay compliant.

The massive change in 2018 was about alerting website users to cookies. Cookies are tiny bits of information that websites store in your browser to remember things about you.

Why does every website ask for cookies?

Websites ask for cookies to enhance your browsing experience by remembering your preferences and activities on their site. While regular cookies serve this purpose directly, third-party cookies, often from advertisers or social media platforms, track your online behaviour across different sites for targeted advertising. 

Because of concerns about privacy, regulations like GDPR require websites to obtain your consent before using cookies, especially third-party ones. 

These rules say websites must ask if it’s okay to use cookies, especially the ones that follow you around. When you visit a website, you might see a pop-up asking if it’s okay to use cookies. 

This lets you decide if you want them to remember your stuff or not. It’s like giving a thumbs up or thumbs down to say if it’s okay. These rules help keep your information safe and let you choose what happens with it online.

Cookie law has changed our initial interaction with websites

What are cookies on a website?

Cookies are generally split up into two main categories: first-party cookies and third-party cookies. We can envisage these as the angel and the devil sat on either shoulder.

First-party cookies: Imagine these cookies as little helpers inside a website. They remember the settings and things you like when you visit a specific website, to make your time on that website more fun and personalised.

Third-party cookies: These cookies are a bit like spies from other places. They’re not from the website you’re visiting; instead, they’re sent by other companies that have paid for advertising. 

These cookies follow you around the internet, keeping track of what you do so they can show you ads for things you might be interested in, based on what you’ve looked at before. Cookie law is there to protect our data from being moved around like this without our consent.

Does my website use cookies?

Most likely. If it is WordPress, certainly.

First-party cookies for Content Management Systems like WordPress will enable things like logging in, suggested content and preferences. 

Then, if you choose to add plugins, they will also be adding cookies of their own, and these could be first or third party.

Here is some common website functionality that will use cookies:

  • Authentication: Websites use cookies to remember if you’re logged in or not. This way, you don’t have to log in every time you visit a new page on the site.
  • Preferences: Cookies can store your preferences, like language or region settings, so the website can show you content that’s relevant to you.
  • Analytics: Websites use cookies to gather information about how visitors use the site. This helps them understand things like which pages are popular, how long people stay on the site, and what links they click on.
  • Shopping carts: When you add items to your shopping cart on an online store, cookies help remember what you’ve added so you can continue shopping or proceed to checkout later.
  • Personalisation: Cookies can track your browsing behaviour to provide personalised content and recommendations. For example, they might suggest articles to read based on what you’ve previously looked at.
  • Advertising: Advertisers use cookies to track your online activity and show you targeted ads based on your interests and browsing history.

Luckily, there are lots of free tools to help you find out. If you google “cookie scanner”, you will find services like CookieYes, Termly, CookieBot etc… 

These will scan your website and give you feedback on what cookies are being used; some of them will also tell you which third parties they come from and what they are used for.

This information not only needs to be communicated through a cookie policy, you also need to obtain permission from the user, hence every website has a popup asking for your consent (more on that bit later).

Once you have a list of cookies you will need to communicate this to your users in the form of a policy. Termly in particular will not only identify the cookies but help you build the policy by asking you to sign up and fill out a questionnaire (it’s free currently).

Do I need a cookie policy on my website?

If you have a very static HTML website and you don’t wish to track the performance of any adverts or the traffic that uses it then no. If you have a WordPress website with plugins installed, then the answer is yes, it is the law to have a cookie policy. 

And those tools above will help. Once they have scanned the website for cookies, some of them will offer to write your policy documents and give you a widget to display on your website, for free or for a nominal monthly fee. 

Some work better than others, and some require being correctly set up to ensure that they actually do what they say (more on that later).

What should be included in a small business cookie policy?

You need to outline the following:

  • Explanation of Cookies: Explain what cookies are and how they are used on your website.
  • Why You Use Cookies: Outline first-party and third-party cookies and their specific functionality, e.g. personalisation/advertising. 
  • Consent for Cookies: Give the user the choice whether to accept cookies. Outline the options for them to manage the cookies.
  • Other Companies’ Cookies: Sometimes, other companies will use cookies on your website. Be transparent about them and provide links to their privacy policies.
  • Contact Information: Offer support for any questions or concerns about your cookies or privacy practices; nominate a person as a point of contact and share their contact details.

Is it a legal requirement to have a privacy policy on a website?

Yes if you gather data. 

And you are now the proud owner of the title Data Controller. It is a legal responsibility to be responsible with this data, and you could be fined up to 20 million euros, or up to 4% of your total global turnover, whichever is higher.

Luckily, the services above can help with this document, or you could use a service like Simply Docs to pay a nominal fee for a boilerplate template that you can customise.

It’s a good idea to have a go and then talk to someone who knows the law to make sure you are compliant.

Even if not legally required, having a privacy policy demonstrates your commitment to protecting users’ privacy and will help build trust with your audience.

What should be included in a small business privacy policy?

You need to outline the following:

  • Data Collection: Explain what personal information your business collects and how it’s gathered.
  • Purpose of Collection: Clearly state why you collect this information and how it’s used.
  • Data Protection: Describe the measures taken to safeguard personal information from unauthorized access or disclosure.
  • User Rights: Inform users about their rights regarding their data and how they can exercise them.
  • Contact Information: Provide a way for users to reach out with questions or concerns about their privacy.

Data processor vs data controller

A data controller decides how and why personal data is collected, stored, and used. They’re in charge of making sure everything follows the rules and laws about data protection. A data processor is a third party that handles the data according to these instructions. 

They might store the data, analyze it, or do other tasks with it, but they always follow the controller’s rules. So, while the controller decides what happens with the data, the processor makes sure it happens safely and correctly.

As a small business, you may have one or more processors. For example, if your website holds personal data (a database of contact form submissions, say), then your web agency is a processor of your data and you should have a contract in place to ensure that they will follow your guidance.

If you are a Vu client then you will have signed a Data Processing Agreement during the onboarding process. 

Find out what your website must legally display 

Website legal requirements in the UK

In the UK, websites must comply with various legal requirements like E-commerce Regulation, Data Protection & Cookie Laws. They must also adhere to Intellectual Property Rights & Anti Discrimination Laws and make “reasonable adjustments” to accommodate people with disabilities under the WCAG guidelines.

For most basic websites, it sounds more onerous than it is. With a Cookie & Privacy policy now in place you just need to ensure some basic information is in the right place and make sure there is a legally compliant Cookie Widget installed (we will get to that next).

Legal information needed on your website

In accordance with the Electronic Commerce (EC Directive) Regulations 2002 and the Companies Act 2006, here’s a list of key legal information that should be included on your website.

The standard practice is to ensure the following is in your website footer:

  • Cookie & Privacy Policy links
  • Company name
  • Registered number
  • Registered office address
  • VAT number of business, if applicable
  • Details of any trade body or regulator registration

The following information is also required, but can be a lot to fit in the footer, so it is often placed in your policy documents and on your contact page:

  • Contact details, including an email address
  • Details of how to contact the business by non-electronic means

Of course, you need your privacy and cookie policies, and for them to be accurate. So be sure to create a review process (once a year to run a scan of your website and update your cookies should be a minimum).

To ensure accuracy of reporting the cookie use you can use a portal like the Cookie Database.

You may also consider a few other documents:

  • Terms of Use: Set of rules and guidelines that govern the use of a website or service, including user rights, responsibilities, and limitations.
  • Acceptable Use Policy: Similar to the above, it defines the permitted and prohibited uses of a product or service.
  • End-User License Agreement (EULA): Legal contract between a software developer and the end user, outlining the terms and conditions for using the software.
  • Terms and Conditions: An agreement between a business and its customers, covering user obligations, intellectual property rights, disclaimers, and limitations of liability.
  • Disclaimer: A statement that limits the legal liability of a website by specifying the scope and limitations of information provided, often addressing accuracy, reliability, and legal obligations.

E-commerce website legal requirements

In the UK, the laws governing e-commerce and online business practices include the Consumer Rights Act 2015, the Electronic Commerce (EC Directive) Regulations 2002, and the Data Protection Act 2018, among others. 

These outline regulations related to data protection, consumer rights, and fair trading practices, to ensure information is kept safe, customers are treated fairly, and traders are being honest about how they sell things.

Here are some examples of what will be required:

  • Terms of Sale: Governs sales transactions, including pricing and conditions, establishing mutual understanding between buyers and sellers.
  • Shipping Policy: Explains shipping methods, costs, and delivery times, ensuring clarity for customers.
  • Return and Refund Policy: Outlines return procedures, eligibility criteria, and refund processes, providing confidence to buyers.
  • Payment Terms: Specifies accepted payment methods, billing cycles, and any associated fees, facilitating smooth transactions.
  • Product Warranty: Describes warranties, coverage, and claims procedures, offering assurance to customers.

Some of the policies and documents may come as part of setting up the cookie widget, or are easily findable online with a Google search.

Now let’s look at how to set up a cookie consent widget.

How to add cookie consent to a website (and be compliant with cookie law)

There are a whole host of providers out there that say they can make you legally compliant, and that’s true, they can. The problem is that if you assume you can just install the widget and you’re covered, then they won’t.

If you use a cookie scanner like those above on someone else’s website, you will see that it may well have entirely different cookies. The reality with a WordPress website is that they could all be entirely different, and with each plugin you install you can be adding new cookies and falling out of compliance.

So, you need to work with a provider that will help you define and block cookie scripts if the user chooses to do so.

If you are using WordPress, then there are loads of plugins out there, from free to a few pounds a month. Some of them, like Cookiebot and CookieYes, will scan your site and then build the configuration. Others may not be compliant and will just say “our site uses cookies”.

In order to set up your widget effectively, you will need to define the cookies by category (see list above). In the below example, we have analytical (for use with Google Analytics). You may have advertising, marketing etc…


You will need a quick description of what they do so users can make an informed choice. 

Then you will have On Accept and On Revoke callbacks. This is where you define the script that gets run when the user accepts or declines that category of cookies. 

This process will need to be run for every cookie that you have, which means researching the scripts. 

Here are a few pieces of guidance from common cookie providers:

Analytics:

  • GA4
  • MS Clarity

Social:

  • Meta
  • Pinterest
  • LinkedIn
  • Youtube
  • Vimeo
  • Twitter

Google Ads & Consent Mode v2

One of the big updates for 2024 that Google are making is around its use of 3rd party cookies, through an update called Consent Mode v2. They are going to stop Ad accounts for those who haven’t set up their widgets to correctly block these cookies.

The Consent Mode v2 update is about making sure you are set up the way we have outlined in this document, ensuring websites ask more specific questions. 

We can say, “Do you want us to use cookies for ads?” or “Can we use cookies to remember your preferences?” This gives users more control over their privacy settings.

The reason this is important is that Google are becoming non-negotiable about it, and here’s a list of their trusted cookie widgets to help you get set up. 

If you use a widget to do this then they often have a specific setting for this mode that you can toggle on or off.

Once you have got your widget installed and configured, you can test if it is legally compliant…

How Do I Test Cookie Blocking Implementation?

Testing a cookie blocking implementation involves several steps to ensure that the website behaves as expected when cookies are blocked. Added to that, like all things web, different browsers may behave differently, so to be entirely thorough you will need to double-check the most common browsers.

At the time of writing, Chrome holds the market share, so I’m going to run through the steps in Chrome step by step. 

  1. First, open up an incognito window and head to your website.
  2. Your cookie widget should appear, because an incognito window holds no history. Right-click on the website and choose “Inspect”; a window full of code should appear, and you can drag this up to take up more space if you need to.
  3. Click on “Application” along the top, and under “Cookies” down the side, select your website. It will give you a list of the cookies that are “authorised”.
  4. There is a little button with three lines and a cross; this will clear the list, and you can reload the page to test what is loading without consent.
  5. Now you can toggle your settings on the widget and see what cookies are being authorised. There should only be functional first-party cookies loaded without consent, and as the user authorises the rest they should load.

If you aren’t sure what the cookie is then remember to cross-reference it in the Cookie Database.
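To show how the category, On Accept/On Revoke callback and Consent Mode v2 pieces above fit together, and what the "nothing loads without consent" test step is checking for, here is an added example that is not code from the original post or from any of the widget providers named above. It is a minimal consent manager: each category lists the cookies it is allowed to set, an optional category is denied until the user grants it, accepting runs the On Accept script, revoking runs On Revoke and deletes that category's cookies, and the current choices are translated into the Consent Mode v2 signals (`analytics_storage`, `ad_storage`, `ad_user_data`, `ad_personalization`) that `gtag('consent', 'update', ...)` expects. The category names, cookie names, the `cookie_consent` cookie and the in-memory cookie jar are all constructed for the example so that it runs outside a browser.

```javascript
// Added example (not from the original post or any provider): a minimal consent manager
// wiring "category + On Accept / On Revoke callback" to a first-party consent cookie and to
// the Consent Mode v2 signals. Category names, cookie names and the in-memory jar are constructed.

// Cookies each category may set. Names are prefixes, so `_ga` also covers GA4's `_ga_<id>` cookie.
const CATEGORIES = {
  necessary:   { required: true,  cookies: ['wordpress_logged_in', 'PHPSESSID'] },
  analytics:   { required: false, cookies: ['_ga', '_clck'] },
  advertising: { required: false, cookies: ['_fbp', '_gcl_au'] },
};

// Consent Mode v2 keys controlled by each optional category.
const CONSENT_MODE_KEYS = {
  analytics:   ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

const CONSENT_COOKIE = 'cookie_consent'; // first-party cookie that remembers the user's choices

// Stand-in for document.cookie so the example runs in Node.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.get(name); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar, categories = CATEGORIES) {
    this.jar = jar;
    this.categories = categories;
    this.onAccept = {};
    this.onRevoke = {};
    this.state = this.load();
  }

  // Every optional category starts as "denied"; only a stored boolean choice overrides that.
  load() {
    const state = {};
    for (const [name, cat] of Object.entries(this.categories)) state[name] = cat.required;
    try {
      const saved = JSON.parse(this.jar.get(CONSENT_COOKIE) || '{}');
      for (const name of Object.keys(state)) {
        if (!this.categories[name].required && typeof saved[name] === 'boolean') state[name] = saved[name];
      }
    } catch (e) { /* corrupt consent cookie: keep deny-by-default */ }
    return state;
  }

  save() { this.jar.set(CONSENT_COOKIE, JSON.stringify(this.state)); }

  // Register the scripts to run when a category is accepted or revoked.
  register(category, { onAccept, onRevoke }) {
    if (onAccept) this.onAccept[category] = onAccept;
    if (onRevoke) this.onRevoke[category] = onRevoke;
  }

  // The object to pass to gtag('consent', 'update', ...) for the current choices.
  consentModePayload() {
    const payload = {};
    for (const [category, keys] of Object.entries(CONSENT_MODE_KEYS)) {
      for (const key of keys) payload[key] = this.state[category] ? 'granted' : 'denied';
    }
    return payload;
  }

  // Cookies currently in the jar that belong to the given category.
  cookiesFor(category) {
    const prefixes = this.categories[category].cookies;
    return this.jar.names().filter((n) => prefixes.some((p) => n === p || n.startsWith(p + '_')));
  }

  // Apply the user's choices: On Accept for newly granted categories, On Revoke plus cookie
  // deletion for newly refused ones. Required categories cannot be refused; unchanged ones do nothing.
  update(choices) {
    for (const [category, granted] of Object.entries(choices)) {
      const cat = this.categories[category];
      if (!cat || cat.required || this.state[category] === granted) continue;
      this.state[category] = granted;
      if (granted) {
        if (this.onAccept[category]) this.onAccept[category]();
      } else {
        if (this.onRevoke[category]) this.onRevoke[category]();
        for (const name of this.cookiesFor(category)) this.jar.remove(name);
      }
    }
    this.save();
    return this.consentModePayload();
  }

  // Cookies that no granted category accounts for: the programmatic form of the
  // "clear the list, reload, see what appears without consent" check.
  unauthorisedCookies() {
    const allowed = new Set([CONSENT_COOKIE]);
    for (const [category, granted] of Object.entries(this.state)) {
      if (granted) this.cookiesFor(category).forEach((n) => allowed.add(n));
    }
    return this.jar.names().filter((n) => !allowed.has(n));
  }
}

// Constructed session: a functional cookie is present, analytics is accepted, then revoked.
function demo() {
  const jar = new MemoryCookieJar();
  jar.set('PHPSESSID', 'abc');
  const cm = new ConsentManager(jar);
  cm.register('analytics', {
    onAccept: () => jar.set('_ga_EXAMPLE1', 'GS1.1'), // where the real GA4 snippet would be injected
    onRevoke: () => {},                                // where you would disable the tracker
  });
  const before = cm.unauthorisedCookies();        // [] : only the functional cookie is present
  const granted = cm.update({ analytics: true }); // analytics_storage: 'granted', ad_* still 'denied'
  const revoked = cm.update({ analytics: false }); // _ga_EXAMPLE1 removed again
  return { before, granted, revoked, remaining: jar.names() };
}
```

In a real widget the `MemoryCookieJar` would be replaced by reads and writes of `document.cookie`, the `onAccept` callback for analytics would insert the GA4 tag, and `consentModePayload()` would be passed to `gtag('consent', 'update', ...)` after a matching `gtag('consent', 'default', ...)` call that sets everything to `denied` before any tag loads. The `unauthorisedCookies()` check is the one worth running in an incognito window before clicking anything: a non-empty result means a script is setting cookies ahead of consent.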

CookieYes seems to be the simplest to set up and configure, though all of these services tend to have a limit on their free plan to a set amount of views or web pages, so pick carefully if you plan on scaling your site. 

And if this seems a little technical then just get in touch with your developer and ask them to price for this work.

So is my website legally compliant now?

If you have a simple website this guide will likely be enough to ensure you are compliant with UK cookie law. At the time of writing, there are still websites we encounter every day that are falling foul of this, but with the increase of data use in the modern world it’s only a matter of time until this comes under more scrutiny and regulation.

It’s impossible to say for sure, because websites (in particular WordPress) can be taken in so many different directions with various plugins and functionality, but if you do your research and test your cookie widget regularly then you are showing a commitment to your customers and website users.

This is not a comprehensive guide for GDPR, which covers other applications you may have apart from websites, and your offline data footprint. 

So, whether it’s storing customer information in physical files, processing data on paper forms, or using offline databases, GDPR requires organizations to ensure the same level of protection and accountability for personal data as they would with online data processing. 

This includes obtaining proper consent, implementing security measures, respecting individuals’ data rights, and maintaining records of data processing activities.

If you aren’t sure how compliant you are and it is a concern, then it may be worth considering a data audit. If you have any questions then feel free to get in touch and discuss this with us. We aren’t qualified to offer legal advice but we can certainly help guide you to the right places to look and the right questions to ask.
