
The Cookie Rules Changed and You Probably Missed It

If your website has one of those cookie popups that covers half the screen and makes you feel like a data criminal every time someone visits, there is actually some good news. The law changed in February and most small business owners missed it entirely.

The bad news is that the fines for getting cookies wrong just went up by a factor of 35. And there is a new legal deadline on the 19th of June that nobody is talking about.

Let me unpack both.

What changed in February

The Data (Use and Access) Act 2025 took effect on the 5th of February 2026. It is the most significant change to UK data protection law since Brexit, and it amends the Privacy and Electronic Communications Regulations (PECR), the law that actually governs cookies, to change which cookies need consent.

Under the old rules, virtually every cookie on your website needed explicit opt-in consent from the visitor before it could be set. Analytics cookies, preference cookies, even the cookie that remembered someone's language or accessibility settings. If you ran Google Analytics, technically you needed the visitor to click "accept" before it could track anything.

In practice, most small businesses either ignored this completely or bolted on one of those banner plugins and hoped for the best. Neither approach was legal, but the ICO had bigger fish to fry.

The new law carves out clear exemptions. These cookies no longer need opt-in consent:

Analytics cookies used purely for measuring site traffic, as long as the data stays with you and is not fed into advertising.

Functionality cookies that remember user preferences like display settings, accessibility options, or form inputs.

Security cookies used for fraud prevention, device security, or protecting user data.

That covers most of what a typical small business website actually uses. If your site runs basic analytics to see how many people visited last month and which pages they looked at, you no longer need to ask permission for that, provided the analytics tool is set up so the data stays with you: if it is configured to share the data with advertising products or to build audiences for remarketing, it is no longer "purely for measuring site traffic" and falls back under the consent rules.

You still need to tell people these cookies exist, and you need to give them a way to opt out. But you do not need to block the cookies until someone clicks a button. That is a meaningful simplification.

Anything related to advertising, tracking across websites, or sharing data with third parties still requires explicit opt-in consent. If you run Google Ads remarketing, Facebook pixel tracking, or any tool that follows visitors across other sites, the old rules still apply in full. The visitor needs to actively agree before those cookies fire.

The simple test: is this cookie here to make my website work better for the person using it? Then it probably qualifies for the new exemption. Is it here to track them for marketing purposes? Then you still need consent.

The fines got serious

Here is where it gets less comfortable. The same law that relaxed the cookie consent rules also raised the maximum fine for getting them wrong. The old PECR limit was £500,000. The new limit matches the UK GDPR maximum: £17.5 million, or 4% of global annual turnover, whichever is higher.

That is a 35-fold increase.

The ICO is not going to fine a sole trader £17.5 million for a dodgy cookie banner. But the direction of travel is clear. The regulator reviewed 200 of the top 1,000 UK websites last year and found 134 of them non-compliant. It issued 17 preliminary enforcement notices. And it has publicly said enforcement will expand beyond large publishers in 2026.

If your website has no cookie controls at all, you are technically in breach of the same regulations the ICO is actively enforcing against bigger companies. The likelihood of being targeted today is low. The maximum consequence if you are targeted is much higher than it was last year.

The June deadline nobody is talking about

There is another requirement coming into force on the 19th of June 2026, and it applies to every organisation that processes personal data. If you have a contact form, an email list, or customer records, that includes you.

From that date, you must have a formal data protection complaints procedure in place. That means:

  • A way for people to submit a complaint about how you handle their data, including an electronic form or email address
  • A process for acknowledging complaints within 30 days
  • A process for investigating and responding without undue delay
  • An update to your privacy notice explaining how someone can raise a complaint

If you are a small business, this does not have to be complicated. It can be a section on your existing contact page, a dedicated email address, and a short process document you keep on file. But it needs to exist. And it needs to be in place before the 19th of June.

What to actually do

If you have a website and you have not thought about cookies since you set it up, here is what to do this week.

Check what cookies your site actually sets. Open your site in a private or incognito window in Chrome (so you see what a first-time visitor gets, not what your own logged-in session has accumulated), press F12, click the Application tab, and look under Cookies. Click through a few pages, including any contact or checkout page. You will see every cookie that has been set, grouped by the domain that set it. Anything listed under a domain other than your own was set by a third-party script and needs a second look, because that is where advertising and cross-site tracking cookies usually come from. Most small business sites have analytics cookies and maybe a session cookie. If that is all you have, the new exemptions probably cover you.

Simplify your cookie banner. If you have one of those full-screen popups with 47 toggle switches, you can probably replace it with a short notice that says your site uses cookies for analytics and to improve the experience, with a link to your privacy policy and an opt-out option. If your site also runs advertising cookies, you still need the full consent mechanism for those, but you can separate them: load analytics by default and only require consent for tracking and advertising. Two things have to actually be true for this to hold up: the opt-out must stop the analytics script from loading, not just hide the banner, and the advertising scripts must not load at all until the visitor has opted in.
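The split described above, as an added example that is not code from the original post: a small first-party consent gate in JavaScript that loads analytics and functionality scripts by default, records an opt-out for analytics, and loads an advertising tag only after an explicit opt-in. The script paths, the tag names, the 180-day lifetime and the `site_consent` cookie name are assumptions for illustration.

```javascript
// Added example (not code from the original post). A minimal consent gate:
// essential and analytics tags load by default, analytics can be opted out of,
// advertising tags load only after opt-in. Tag ids, script paths and the
// consent cookie name are assumptions for illustration.

const CONSENT_COOKIE = "site_consent";

// Tags the site wants to load, labelled with the category the post describes:
// "essential" (functionality/security) always runs, "analytics" runs unless the
// visitor opts out, "advertising" runs only after the visitor opts in.
const TAGS = [
  { id: "analytics", category: "analytics",   src: "/js/analytics.js" },
  { id: "prefs",     category: "essential",   src: "/js/prefs.js" },
  { id: "ads",       category: "advertising", src: "https://ads.example/pixel.js" },
];

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// The first occurrence of a name wins, matching how browsers order cookies.
function parseCookies(cookieString) {
  const out = {};
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Consent state. With no cookie yet (a first visit), analytics is on and
// advertising is off. The stored value is "an=0|1&ad=0|1", where an=1 means
// the visitor opted out of analytics and ad=1 means they opted in to ads.
// Malformed or unknown input leaves the defaults in place.
function readConsent(cookieString) {
  const state = { analyticsOptOut: false, adsOptIn: false };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return state;
  for (const pair of raw.split("&")) {
    const [k, v] = pair.split("=");
    if (k === "an") state.analyticsOptOut = v === "1";
    if (k === "ad") state.adsOptIn = v === "1";
  }
  return state;
}

// Which tag ids may load under a given consent state.
function tagsToLoad(consent, tags = TAGS) {
  return tags.filter(t => {
    switch (t.category) {
      case "essential":   return true;                     // exempt, no choice offered
      case "analytics":   return !consent.analyticsOptOut; // exempt, but opt-out honoured
      case "advertising": return consent.adsOptIn;         // still strictly opt-in
      default:            return false;                    // unknown category: fail closed
    }
  }).map(t => t.id);
}

// Serialise consent as a first-party cookie. The consent record is itself a
// functionality cookie, so it can be set without asking. Secure keeps it off
// plain HTTP and SameSite=Lax keeps it out of cross-site requests; it is read
// by script on this page, so HttpOnly is deliberately not set.
function consentCookie(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = `an=${consent.analyticsOptOut ? 1 : 0}&ad=${consent.adsOptIn ? 1 : 0}`;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Browser wiring, run once at page load. Guarded so the logic above also runs
// outside a browser (for example under Node for testing).
if (typeof document !== "undefined") {
  const consent = readConsent(document.cookie);
  for (const id of tagsToLoad(consent)) {
    const tag = TAGS.find(t => t.id === id);
    const s = document.createElement("script");
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
  }
  // The banner's buttons call these. Reloading means a gated tag can only ever
  // load on a page view where the recorded choice already allows it.
  window.optOutOfAnalytics = () => {
    document.cookie = consentCookie({ ...consent, analyticsOptOut: true });
    location.reload();
  };
  window.acceptAdvertising = () => {
    document.cookie = consentCookie({ ...consent, adsOptIn: true });
    location.reload();
  };
}
```

The banner itself only needs two controls wired to `acceptAdvertising()` and `optOutOfAnalytics()`, plus a link to the privacy policy. The point of the reload rather than injecting the script on click is that nothing advertising-related ever executes on a page view where consent was not already recorded, which is the behaviour you would have to defend if the regulator asked.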

Update your privacy policy. Make sure it lists the cookies your site uses, what they do, and how visitors can opt out. If your privacy policy is a copy-pasted template from 2019, now is a good time to rewrite it in plain English.

Set up a complaints process before June 19. Add a section to your privacy policy that explains how someone can raise a complaint about their data. Create a dedicated email address or form. Write a short internal note documenting how you will handle complaints: acknowledge within 30 days, investigate, respond. Keep it on file.

Stop ignoring your privacy notice. If you do not have a privacy policy on your website at all, that is the first thing to fix. It has been a legal requirement since 2018. It does not need to be written by a lawyer. It does need to exist, be findable, and say something truthful about what data you collect and what you do with it.

The bigger picture

We wrote recently about website accessibility being a legal requirement that most small businesses have never heard of. Cookie compliance is in the same category: a legal obligation that has been quietly ignored because enforcement felt distant and the rules felt unclear.

The rules just got clearer. The fines just got bigger. And there is a specific deadline less than eight weeks away.

The good news is that for most small businesses, the actual work here is small. An hour to check your cookies, update your privacy policy, and add a complaints process. That is it. You do not need a lawyer or a consultant. You need to spend an hour doing the boring thing, and then you are sorted.

The businesses that will have problems are the ones that keep pretending this does not apply to them.
