Privacy Policy and Cookies

Under UK GDPR, your privacy notice must be written in clear, plain language and must include (at minimum):

• Identity and contact details of the data controller (your business) and, if applicable, your Data Protection Officer
• What personal data you collect (name, email, IP address, payment details etc.)
• Why you collect it — the purposes of processing
• Your lawful basis for each processing activity
• How long you retain personal data (or the criteria used to determine retention periods)
• Who you share data with — third parties, including analytics providers, payment processors, and marketing platforms
• Whether data is transferred outside the UK and the safeguards in place
• The rights of individuals and how to exercise them
• How to make a complaint to the ICO

Your privacy notice should be prominently linked from the footer of your website and from any forms that collect personal data. Keep it updated whenever your data processing practices change.

The use of cookies and similar tracking technologies is regulated by the Privacy and Electronic Communications Regulations 2003 (PECR), which implements the EU ePrivacy Directive in the UK. Under PECR:

• Strictly necessary cookies (required for the website to function — e.g. session cookies, shopping cart cookies) may be set without consent, but users must be informed about them
• All other cookies — including analytics, advertising, personalisation, and social media tracking cookies — require the user's prior, informed consent before they are set

This means analytics tools like Google Analytics 4, Meta Pixel, and LinkedIn Insight Tag cannot be loaded until the user has actively consented. Consent must be:

• Freely given — not obtained through a design that makes refusal harder than acceptance
• Specific — granular options (e.g. accept analytics cookies separately from marketing cookies)
• Informed — users must know what cookies do before they consent
• Unambiguous — a pre-ticked box does not constitute valid consent

A compliant cookie consent management platform (CMP) or cookie banner must:

• Present options clearly and with equal prominence — "Accept All" and "Reject All" (or equivalent) must be equally easy to click
• Not use dark patterns — such as pre-ticking boxes, making the "reject" option hard to find, or using confusing language
• Not set non-essential cookies before consent is obtained
• Store evidence of consent (what the user consented to and when)
• Allow users to withdraw consent at any time as easily as they gave it (usually via a "Manage cookies" link)

Many popular website platforms (WordPress, Squarespace, Shopify) have cookie consent plugins. However, it is your responsibility to configure them correctly. The ICO has published a cookie banner audit tool and guidance on common non-compliance issues.

Separate from the consent banner, you should also maintain a cookie policy listing each cookie your website sets, its purpose, and its expiry period. This can be part of your privacy policy or a standalone page.

The ICO actively monitors and enforces cookie compliance, particularly for higher-traffic websites. Common enforcement approaches include:

• Warning letters and informal complaints guidance for smaller organisations
• Formal reprimands (which are published publicly)
• Fines — the ICO has fined organisations for serious cookie non-compliance, particularly where large numbers of users were affected

The ICO's published guidance makes clear that common non-compliant practices — such as setting analytics cookies by default, providing only an "Accept All" button, or burying the opt-out in settings — are unlawful. Even small websites can receive complaints from users, which the ICO is obliged to investigate.

Regularly audit your website's cookies (a free tool such as Cookiebot's scanner can help) and ensure your CMP reflects the actual cookies being set. Many websites set more cookies than their owners realise, particularly when using third-party plugins.