This article contains affiliate links — we may earn a small commission at no cost to you. Our recommendations are based on independent analysis.

UK website compliance checklist (2026)

By Toby · Published April 2026 · Last updated April 2026

Running a business website in the UK means navigating a patchwork of legal requirements. From data protection and cookie consent through to accessibility and company identity rules, the obligations are real — and the consequences of getting them wrong range from ICO fines to lost customer trust.

This checklist covers the eight key areas every UK business website should address. It is designed to be practical: work through each section, tick off the items, and follow up on anything you are missing. Where a category has dedicated tools that can help, we have linked to our detailed comparisons.

If you want to check everything at once, ComplianceFix runs an automated 8-point audit across all of these categories and generates a prioritised action plan. It is the fastest way to identify gaps you might not spot manually.

1. Cookie consent (PECR Regulation 6)

The Privacy and Electronic Communications Regulations 2003 (PECR) require you to get informed consent before setting any non-essential cookies on a visitor's device. The ICO has been increasingly active in enforcing this — and simply having a banner is not enough if it does not function correctly.

A consent banner appears before any non-essential cookies are set. Analytics, marketing, and social media cookies must not fire until the visitor has actively opted in.
The banner offers a genuine choice. "Accept all" and "Reject all" must be equally prominent. Pre-ticked boxes do not count as valid consent under PECR or UK GDPR.
You maintain a cookie policy that lists every cookie by name, explains its purpose, states its duration, and identifies the provider. This should be easily accessible from both the banner and your footer.
Visitors can withdraw consent at any time. There must be a persistent way to reopen cookie preferences — not just on the first visit.
Consent records are stored as evidence. Under UK GDPR the burden of demonstrating that consent was given falls on you, so if the ICO asks you to show that a specific visitor consented you need a log with a timestamp, the choices made, and the version of the banner and cookie policy that visitor saw.

For a detailed comparison of consent management platforms, see our guide to the best cookie consent tools for UK businesses.

2. Privacy policy (UK GDPR Article 13)

Every website that collects personal data needs a privacy policy. Under UK GDPR Article 13, you must provide specific information at the point of data collection. A vague or templated policy that does not reflect your actual practices is a compliance risk.

Your privacy policy names the data controller (your business), with a contact address and, if applicable, your Data Protection Officer's details.
It explains the lawful basis for each type of processing you carry out — whether that is consent, legitimate interest, contractual necessity, or legal obligation.
It lists the categories of personal data you collect, who you share it with (including specific third parties like Google Analytics, payment processors, or email marketing platforms), and whether any data is transferred outside the UK.
Data retention periods are stated for each category of data. Generic statements like "as long as necessary" do not satisfy the ICO's expectations.
Individual rights are clearly explained: the right to access, rectify, erase, restrict processing, data portability, and the right to object. Include instructions on how to exercise each right and how to complain to the ICO.

Need help drafting one? See our comparison of the best privacy policy generators for UK businesses.

3. Terms and conditions

While not always a strict legal requirement for every type of website, terms and conditions are strongly advisable — and for online sellers, certain disclosures are mandatory under the Consumer Contracts Regulations 2013 and the Consumer Rights Act 2015.

If you sell online, your terms include pre-contract information: full description of goods or services, total price including taxes, delivery costs, payment methods, and the 14-day cancellation right.
Your terms specify which law governs the contract (England and Wales, Scotland, or Northern Ireland) and which courts have jurisdiction.
Limitation of liability clauses are reasonable and do not attempt to exclude liability for death or personal injury caused by negligence, or for fraud, neither of which can be excluded under UK law.
If you operate a platform or marketplace, your terms clearly explain the relationship between your business, the buyer, and any third-party sellers.

4. Accessibility (Equality Act 2010 + European Accessibility Act)

The Equality Act 2010 requires service providers to make reasonable adjustments for disabled people, and this is generally accepted to extend to websites. From 28 June 2025, the European Accessibility Act introduces additional requirements for businesses selling products or services into the EU. The practical standard to aim for is WCAG 2.1 Level AA.

All images have meaningful alt text. Decorative images use empty alt attributes (alt="") so screen readers skip them.
The site is fully navigable by keyboard alone. All interactive elements — links, buttons, form fields, menus — are reachable and operable without a mouse.
Colour contrast ratios meet WCAG 2.1 AA standards: at least 4.5:1 for normal text and 3:1 for large text. Do not rely on colour alone to convey information.
Forms have associated labels, clear error messages, and logical tab order. Required fields are identified in a way that does not depend solely on colour.
Video content has captions or transcripts. Audio-only content has a text alternative.

For automated scanning and remediation tools, see our accessibility tools comparison.

How does your website score?

Free 8-point audit covering compliance, SEO, security, and AI readiness.

Scan your website free →

5. Security (UK GDPR Article 32)

Article 32 of UK GDPR requires you to implement appropriate technical and organisational measures to protect personal data. For a website, this starts with foundational security measures that every business should have in place.

Your site uses HTTPS with a valid TLS certificate (often still called an SSL certificate). All HTTP requests should redirect to HTTPS with a permanent (301) redirect, and the HTTPS response should carry a Strict-Transport-Security header so returning browsers never make a plain-HTTP request at all. Check that the certificate has not expired, that renewal is automated or monitored, and that it covers every subdomain you use.
Security headers are configured: at minimum, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options (or the CSP frame-ancestors directive, which modern browsers prefer), Strict-Transport-Security, and Referrer-Policy. These protect against common attacks like cross-site scripting and clickjacking, but only if the values are strict: a Content-Security-Policy that allows 'unsafe-inline' scripts or wildcard sources offers little real protection, so check the values, not just the presence of the header.
Your CMS, plugins, and dependencies are up to date. Outdated WordPress plugins are one of the most common attack vectors for small business websites, and deactivated plugins and themes that are still installed can be exploited too, so remove anything you no longer use.
You run regular vulnerability scans. Automated scanning can catch issues like exposed admin panels, directory listing enabled, or known software vulnerabilities before an attacker finds them. Scanning finds problems; it does not fix them, so pair it with a routine for applying the patches it points to.
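To make the HTTPS and security-header items above concrete, here is an added example of the check a practitioner would run, not code from this page or from ComplianceFix. It works on captured responses passed in as plain dictionaries of status and headers, so it runs offline; the sample responses and the hostname example.co.uk are constructed for illustration, and swapping in a real HTTP client lets you point it at a live site.

```python
from urllib.parse import urlparse

# Headers the checklist treats as the minimum. X-Frame-Options is checked
# separately below, because CSP frame-ancestors is its modern replacement and
# either one satisfies the clickjacking item.
REQUIRED = ("content-security-policy", "x-content-type-options",
            "strict-transport-security", "referrer-policy")
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # seconds; the usual minimum HSTS max-age


def _lower(resp):
    """Header names are case-insensitive, so normalise them once."""
    return {k.lower(): v.strip() for k, v in resp["headers"].items()}


def _csp_directives(csp):
    """Parse a CSP value into {directive: [sources]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_redirect(http_resp, host):
    """The plain-HTTP response must be a permanent redirect to the HTTPS origin of the same host."""
    findings = []
    h = _lower(http_resp)
    if http_resp["status"] not in (301, 308):
        findings.append(f"HTTP status {http_resp['status']}; expected a permanent 301/308 redirect")
    loc = urlparse(h.get("location", ""))
    if loc.scheme != "https" or loc.hostname != host:
        findings.append(f"Location {h.get('location')!r} is not https://{host}")
    return findings


def check_headers(https_resp):
    """Presence and strength of the security headers on the HTTPS response."""
    findings = []
    h = _lower(https_resp)
    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing {name}")

    hsts = h.get("strict-transport-security", "").lower()
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip()
            if directive.startswith("max-age=") and directive[8:].isdigit():
                max_age = int(directive[8:])
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS does not cover subdomains")

    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"X-Content-Type-Options {xcto!r} should be 'nosniff'")

    csp = _csp_directives(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent, as browsers do
    script = csp.get("script-src", csp.get("default-src", []))
    if csp and ("'unsafe-inline'" in script or "*" in script):
        findings.append("CSP permits inline or wildcard scripts, so it gives little XSS protection")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no frame-ancestors and no valid X-Frame-Options: page can be framed")

    referrer = h.get("referrer-policy", "").lower()
    if referrer and referrer not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {referrer!r} may leak full URLs to third parties")
    return findings


def audit(http_resp, https_resp, host):
    """All findings for one site; an empty list means every item passed."""
    return check_redirect(http_resp, host) + check_headers(https_resp)


# Constructed sample responses (not captured from a real site).
SAMPLE_HTTP = {"status": 301, "headers": {"Location": "https://example.co.uk/"}}
SAMPLE_WEAK = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}}
SAMPLE_HARDENED = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}}

if __name__ == "__main__":
    for name, resp in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(SAMPLE_HTTP, resp, "example.co.uk") or ["all checks passed"])
```

The weak sample has every header present yet produces five findings, which is the point of checking values rather than names: a one-day HSTS max-age, no subdomain coverage, a CSP that permits inline scripts, nothing stopping the page being framed, and a Referrer-Policy that sends full URLs to third parties. The hardened sample passes cleanly.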

6. Business identity (Companies Act 2006)

The Companies Act 2006 (Sections 82 and 1139) and the Company, Limited Liability Partnership, and Business (Names and Trading Disclosures) Regulations 2015 require specific information to be displayed on your website. These are simple to implement but frequently missed.

Your registered company name is displayed (not just your trading name, if they differ).
Your company registration number and registered office address are visible. A footer is the standard location.
If you are VAT-registered, your VAT number is displayed.
If you are a limited company, you state where the company is registered (e.g., "Registered in England and Wales").
Contact details are easily findable: a geographic address (the Electronic Commerce (EC Directive) Regulations 2002 require one, so a PO box alone is not enough), an email address, and ideally a phone number.

7. SEO foundations

Search engine optimisation is not a legal requirement, but it directly affects whether potential customers can find your business. These are the technical foundations that every site should have in place — without them, even excellent content will underperform.

Every page has a unique, descriptive title tag (50-60 characters) and a meta description (120-155 characters) that accurately summarises the page content.
Your site uses a clean heading hierarchy: one H1 per page, followed by H2s and H3s in logical order. This helps both search engines and screen readers understand your content structure.
Core Web Vitals are in the green zone: Largest Contentful Paint under 2.5 seconds, Interaction to Next Paint under 200 milliseconds, and Cumulative Layout Shift under 0.1.
Structured data (schema markup) is implemented for your business type — at minimum, LocalBusiness or Organisation schema, plus any relevant product, review, or FAQ schema.
Your site has an XML sitemap submitted to Google Search Console and Bing Webmaster Tools, and a robots.txt file that does not accidentally block important pages.

For tools that help with technical SEO, see our guide to the best SEO tools for UK small businesses.

8. AI search readiness

AI-powered search engines — including Google AI Overviews, ChatGPT, and Perplexity — are becoming a significant source of traffic and brand visibility. Optimising for AI search is not yet a legal requirement, but it is quickly becoming a competitive necessity.

Your robots.txt file is configured to allow access from AI crawlers you want to support (such as GPTBot and Google-Extended) while blocking those you do not. This is an active choice, not something to leave to defaults. Bear in mind that robots.txt is a request honoured by cooperative crawlers, not an access control: anything you genuinely need to keep private must be protected by authentication, not by a Disallow line.
FAQ content is structured with clear question-and-answer formatting. AI search engines heavily favour content that directly answers specific questions, and FAQ schema markup helps them identify it.
Your pages include comprehensive schema markup — particularly FAQPage, HowTo, and Article schemas — so AI engines can parse your content accurately and attribute it to your business.
Content is written in clear, authoritative language with specific claims and data points. AI engines tend to surface content that demonstrates expertise and provides concrete information rather than vague generalities.
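Two items on this checklist come down to the same check: the SEO item that robots.txt must not accidentally block important pages, and the AI search item that it should allow the AI crawlers you want and block the rest. The following is an added example using Python's standard-library robots.txt parser, not code from this page or from ComplianceFix; the robots.txt text, the origin example.co.uk and the list of important pages are constructed for illustration, and the constructed file deliberately contains a common prefix-matching mistake.

```python
from urllib.robotparser import RobotFileParser

SITE = "https://example.co.uk"  # placeholder origin, an assumption for this example

# Constructed robots.txt, not taken from any real site. It blocks GPTBot
# entirely, permits Google-Extended, and carries a common mistake: the
# "Disallow: /product" line meant to hide a feed file is a prefix match,
# so it also hides every URL under /products/.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /product   # meant for /product-feed.xml, but it is a prefix match

User-agent: GPTBot
Disallow: /

User-agent: Google-Extended
Allow: /
"""

SEARCH_CRAWLERS = ("Googlebot", "Bingbot")
AI_CRAWLERS = ("GPTBot", "Google-Extended")
IMPORTANT_PAGES = ("/", "/about/", "/products/", "/contact/")  # constructed list


def load_robots(text):
    """Parse robots.txt text with the standard-library parser; no network needed."""
    rp = RobotFileParser()
    rp.set_url(SITE + "/robots.txt")
    rp.parse(text.splitlines())
    return rp


def crawler_access(rp, agents, path="/"):
    """For each user-agent token, whether it may fetch `path` under SITE."""
    return {agent: rp.can_fetch(agent, SITE + path) for agent in agents}


def blocked_pages(rp, pages=IMPORTANT_PAGES, agent="Googlebot"):
    """Important pages the named search crawler cannot fetch: the accidental-block check."""
    return [p for p in pages if not rp.can_fetch(agent, SITE + p)]


def report(text=SAMPLE_ROBOTS):
    """Summarise the policy for search crawlers, AI crawlers, and important pages."""
    rp = load_robots(text)
    return {
        "search": crawler_access(rp, SEARCH_CRAWLERS),
        "ai": crawler_access(rp, AI_CRAWLERS),
        "blocked_important": blocked_pages(rp),
    }


if __name__ == "__main__":
    for section, value in report().items():
        print(f"{section}: {value}")
```

Run against the constructed file, the report shows GPTBot blocked and Google-Extended allowed as intended, both search crawlers allowed at the root, and /products/ unexpectedly blocked for Googlebot because "Disallow: /product" matches it as a prefix. Point load_robots at the text of your own robots.txt and replace IMPORTANT_PAGES with the URLs you actually need indexed.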

For a deeper look at AI search strategy, see our guide to AI search optimisation for UK businesses.

Using an all-in-one compliance scanner

Working through this checklist manually is entirely possible, but it takes time — and some issues (like misconfigured security headers or cookies firing before consent) are easy to miss without automated scanning.

ComplianceFix scans all eight categories in this checklist automatically and generates a prioritised report with specific, actionable recommendations. It is designed for UK small businesses and checks against UK-specific regulations including PECR, UK GDPR, the Companies Act, and the Equality Act.

Whether you use an automated tool or work through this checklist manually, the important thing is to actually do it. Most compliance issues are straightforward to fix once you know about them — the risk comes from not checking in the first place.

Check your own website

Get a free personalised report with specific recommendations for your business.

Scan your website →

Frequently asked questions

What regulations apply to UK websites?

UK business websites must comply with the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulations 2003 (PECR), the Companies Act 2006, and the Equality Act 2010. The European Accessibility Act (from 28 June 2025) is an EU law, but it applies to UK businesses that sell products or services into the EU. If you sell goods or services online, the Consumer Contracts Regulations 2013 and the Consumer Rights Act 2015 also apply.

How often should I review my website's compliance?

At minimum, review your website compliance quarterly. You should also review it whenever you add new tracking scripts, change your data processing activities, update third-party integrations, or when regulations change. Setting up automated monitoring with a tool like ComplianceFix means issues are flagged as they arise rather than waiting for a manual review.

Can I handle website compliance myself?

Yes, most small business owners can handle the basics themselves using this checklist. The key areas, meaning cookie consent, privacy policy, business identity details, and TLS certificates, are straightforward to implement. Accessibility can be more technical, and you may want specialist help for complex web applications. Automated scanning tools can identify gaps you might miss in a manual review.

What happens if my website isn't compliant?

The consequences vary by regulation. The ICO can issue fines of up to £17.5 million or 4% of annual global turnover for serious UK GDPR breaches. PECR breaches can result in fines up to £500,000. Beyond fines, non-compliance can lead to enforcement notices requiring you to change how you process data, reputational damage, loss of customer trust, and legal action from individuals whose rights have been breached. The Equality Act can also lead to civil claims for inaccessible websites.