UK GDPR: An Overview and Compliance Support Guide

Published May 4, 2022
  • The UK General Data Protection Regulation (UK GDPR) is the domestic data protection law governing how organizations collect, use, and share personal data of people in the United Kingdom.
  • Together with the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations (PECR), it sets the legal requirements for cookie consent, data subject rights, and lawful data processing on UK-facing websites.
  • The Data (Use and Access) Act 2025 (DUAA), which came into force on 5 February 2026, introduced the most significant reforms since Brexit, including a new lawful basis, changes to cookie rules, and expanded ICO enforcement powers.
  • Non-essential cookies and trackers require prior, freely given consent from website visitors before being placed on their device. Closing a banner or continued browsing does not count.
  • Fines for serious violations reach up to GBP 17.5 million or 4 percent of global annual turnover, whichever is greater.
  • A consent management platform (CMP) helps website owners collect, document, and manage visitor consent in line with UK GDPR and PECR requirements.

The UK GDPR governs how websites collect and use personal data of UK visitors. Initially it was very similar to the EU GDPR, but since Brexit it has been diverging with each successive piece of legislation. This guide covers consent requirements under the PECR, key changes from the Data (Use and Access) Act 2025, data subject rights, fines, and practical steps to help website owners maintain compliance.

If your website has visitors from the United Kingdom, the UK General Data Protection Regulation (UK GDPR) applies to you, regardless of where your business is based. For website owners, this regulation has direct and practical implications: how you deploy cookies, how you collect consent, and how you document and honor visitor preferences.

This article covers what the UK GDPR requires and how it interacts with related UK laws — including the key changes introduced by the Data (Use and Access) Act 2025 — so that website owners have the information they need to support ongoing compliance operations.

What Is the UK GDPR?

The UK General Data Protection Regulation (UK GDPR) is the UK's retained version of the EU GDPR, brought into domestic law following Brexit in January 2021. It governs how organizations collect, store, and use personal data belonging to people in the United Kingdom.

The UK GDPR is closely aligned with its EU counterpart and shares the same core principles, definitions, and rights framework. But it is now administered independently, enforced by the Information Commissioner's Office (ICO), and supplemented by an increasing body of UK-specific legislation.

For website owners specifically, the UK GDPR works in tandem with the Privacy and Electronic Communications Regulations (PECR), which governs how cookies and similar tracking technologies may be placed on visitors' devices. Together, these two frameworks form the foundation of UK cookie consent law.

Who Does the UK GDPR Apply To?

The UK GDPR is extraterritorial. It applies to any organization that processes personal data of people in the UK, whether that organization is based in the UK or not.

This includes both UK-based businesses processing personal data of UK residents in the course of their operations, and non-UK-based businesses that offer goods or services to, or monitor the behavior of, people in the UK.

In practice: if your website is accessible in the UK and uses cookies, analytics tools, advertising trackers, or any other technology that collects data about visitors, the UK GDPR applies to you.

The UK's data protection framework is made up of three interlocking pieces of legislation. Each has a distinct scope, but they operate together and are all enforced by the Information Commissioner's Office (ICO).

UK GDPR

The primary regulation governing data protection, which came into force January 1, 2021. Sets out core principles, lawful bases for processing, data subject rights, and organizational obligations. It applies broadly to any processing of personal data and forms the main body of data protection law in the UK. The ICO enforces all three.

Data Protection Act 2018

The domestic Act of Parliament that complements and supplements the UK GDPR. It tailors the GDPR's principles to the UK context, covers law enforcement and intelligence service data processing, sets UK-specific exemptions (such as for journalism, research, and national security), and establishes the ICO's powers and enforcement mechanisms.

Privacy and Electronic Communications Regulations (PECR)

The UK's national implementation of the EU ePrivacy Directive, which has continued to apply after Brexit. The PECR governs the placing of cookies and similar technologies on individuals' devices, as well as direct marketing by electronic means.

Crucially for website owners, it requires prior consent before setting non-essential cookies, and that consent must meet the same high standard as under the UK GDPR.

The most immediate compliance requirement for most website owners is cookie consent. Under the PECR, cookies and tracking technologies that are not strictly necessary for a website to function require prior, informed consent from the visitor before being placed on their device. This applies to analytics cookies, advertising cookies, personalization tools, and most third-party trackers.

Consent must meet the UK GDPR standard: it must be freely given, specific, informed, and unambiguous, and demonstrated through a clear affirmative action. The following do not count as valid consent:

  • Pre-ticked boxes or pre-selected consent options
  • Closing a cookie banner or scrolling past it
  • Continued browsing after a banner appears
  • Bundled or all-or-nothing consent (unless the specific service cannot function without it)

Equally, accept and reject options must be presented with equal prominence. The ICO has been clear that a prominent "Accept all" button paired with a buried or multi-step "Reject" option does not meet the standard for freely given consent.

Strictly Necessary Cookies

Cookies that are genuinely necessary for a website to function, for example, session cookies, load-balancing cookies, or cookies that remember items in a shopping cart, do not require consent. However, the "strictly necessary" exemption is narrow and should not be applied to analytics or marketing cookies.

Meeting these requirements in practice means having the right technical infrastructure in place before visitors arrive on your site. A consent management platform handles the most operationally demanding parts — blocking, recording, and surfacing consent options — but the broader checklist is the responsibility of the website owner.

  • Implement a consent management platform (CMP) that presents clear, balanced options before any non-essential cookies are set
  • Block non-essential cookies and trackers until a visitor has opted in
  • Make it easy for visitors to withdraw or change their consent at any time
  • Keep secure, auditable records of consent, including the date, method, and the specific notice shown at the time
  • Review cookie practices regularly, particularly when adding new tools or third-party services to the site
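The blocking and recording steps in this checklist can be reduced to a small piece of client-side logic. The following is an added illustration, not Cookiebot's code: non-essential scripts ship inert and are only activated once an affirmative consent record exists, and every record captures the date, method and the version of the notice shown. The category names and the notice version identifier are assumptions.

```javascript
// Identifier of the banner text the visitor saw (assumed value); changing the
// notice invalidates old records so consent is asked for again.
const NOTICE_VERSION = "notice-2026-02-v1";
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Only a clear affirmative action counts. Closing the banner, scrolling or
// continued browsing never produce a record (see the list of invalid consent above).
const AFFIRMATIVE_METHODS = new Set(["accept_all", "reject_all", "save_selection"]);

// Build an auditable consent record: date, method, notice version, per-category decision.
function buildConsentRecord(method, selection = {}, now = new Date()) {
  if (!AFFIRMATIVE_METHODS.has(method)) {
    throw new Error(`"${method}" is not an affirmative action; nothing recorded`);
  }
  const granted = { necessary: true }; // strictly necessary: no consent required
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    if (method === "accept_all") granted[category] = true;
    else if (method === "reject_all") granted[category] = false;
    else granted[category] = selection[category] === true; // nothing pre-ticked
  }
  return { version: NOTICE_VERSION, timestamp: now.toISOString(), method, granted };
}

// Decide whether a script tagged with a cookie category may run.
// Default is to block: no record, or a record for an outdated notice, means no.
function mayLoad(record, category) {
  if (category === "necessary") return true;
  if (!record || record.version !== NOTICE_VERSION) return false;
  return record.granted[category] === true;
}

// Browser hook: third-party tags are embedded as
// <script type="text/plain" data-category="statistics" src="..."></script>
// so the browser does not execute them; this swaps in a real script tag
// only for categories the visitor opted in to. Returns how many were activated.
function activateScripts(record, doc) {
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!mayLoad(record, inert.dataset.category)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Withdrawal is handled by writing a new record (for example via `reject_all`), after which `mayLoad` blocks again on the next page load.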


Key Changes: The Data (Use and Access) Act 2025

On 5 February 2026, core provisions of the Data (Use and Access) Act 2025 (DUAA) entered into force, representing the most significant reform of UK data protection law since Brexit. The DUAA does not replace the UK GDPR, but rather amends and modernizes it.

The most relevant changes for website owners are as follows.

The DUAA introduces new limited exemptions from the consent requirement for certain types of cookies and similar technologies. The ICO's guidance on these exemptions is under active review following the Act's commencement and will be updated. Website owners should monitor ICO guidance closely.

Existing exemptions continue to apply. These include:

  • Cookies that are strictly necessary
  • Transmission of a communication
  • Statistical purposes (under specific conditions)
  • Appearance/preference settings
  • Emergency assistance

Expanded ICO Enforcement Powers

The DUAA extends the ICO's enforcement remit and applies UK GDPR-level fines to certain PECR breaches. This represents a significant increase in the potential consequences for cookie consent non-compliance.

New Lawful Basis: Recognised Legitimate Interests

As of 5 February 2026, the DUAA introduced recognized legitimate interest (RLI), which is a seventh lawful basis under the UK GDPR. This applies only to processing that falls within one of five specific public interest conditions, including safeguarding, national security, and crime prevention.

It removes the requirement for a Legitimate Interests Assessment (LIA) for those narrow circumstances. RLI is not a general-purpose basis and is unlikely to be relevant for most website owners' standard data processing activities.

Automated Decision-Making

The DUAA introduces Art. 22A UK GDPR as the governing provision for solely automated decisions that produce legal or similarly significant effects on individuals.

Organizations using AI systems, profiling tools, or automated eligibility assessments should review their processes against the ICO's updated draft guidance on automated decision-making (ADM), published March 31, 2026.

Data Subject Rights Under the UK GDPR

The UK GDPR gives individuals significant rights over their personal data. Organizations — including website owners — must be able to respond to requests to exercise these rights within one month.

The rights include:

  • Right to be informed (Art. 13 UK GDPR and Art. 14 UK GDPR): Visitors must be told clearly how their data is collected and used, typically through a privacy notice or policy.
  • Right of access (Art. 15 UK GDPR): Individuals can request a copy of their personal data and information about how it is processed.
  • Right to rectification (Art. 16 UK GDPR): Individuals can request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 UK GDPR): Also known as the "right to be forgotten", individuals can request deletion of their data in certain circumstances.
  • Right to restrict processing (Art. 18 UK GDPR): Individuals can request that processing be paused while accuracy or use is contested.
  • Right to data portability (Art. 20 UK GDPR): Individuals can request their data in a machine-readable format for transfer to another service.
  • Right to object (Art. 21 UK GDPR): Individuals can object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Art. 22A UK GDPR, as amended by DUAA): Protection against solely automated decisions that have significant legal or other effects.

Fines and Enforcement

The ICO is the independent supervisory authority responsible for enforcing the UK GDPR, DPA 2018, and PECR. It has broad investigative powers, can issue enforcement notices, and imposes a two-tier system of administrative fines under Art. 83 UK GDPR:

  • Tier 1: Up to GBP 8.7 million or 2 percent of global annual turnover (whichever is higher). Applies to failures in record keeping, data security, breach notification, and inadequate processor contracts.
  • Tier 2: Up to GBP 17.5 million or 4 percent of global annual turnover (whichever is higher). Applies to more serious violations including unlawful processing, failure to respect data subject rights, and unauthorized international data transfers.

The DUAA additionally enables UK GDPR-level fines to be applied to certain PECR breaches, including cookie consent violations.

The ICO's stated approach is to prioritize education and improvement over maximum penalties, particularly for organizations demonstrating willingness to work toward compliance. That said, the ICO treats repeat violations and deliberate non-compliance more severely.

The UK GDPR vs. the EU GDPR

The UK GDPR and EU GDPR remain closely aligned in terms of core principles, rights, and consent standards. The practical differences relevant to website owners are as follows.

Supervisory authority
  UK GDPR: Regulated and enforced by the ICO.
  EU GDPR: Regulated and enforced by national data protection authorities in each EU member state.

International transfers
  UK GDPR: Data transfers from the UK to non-UK countries must meet ICO-approved transfer mechanisms. The UK maintains its own list of adequate countries, separate from the EU's.
  EU GDPR: Data transfers to non-EEA countries must use an approved mechanism such as an adequacy decision, SCCs, or BCRs.

Post-Brexit adequacy
  UK GDPR: The EU granted the UK an adequacy decision in June 2021, permitting free data flows between the EU and UK. This is subject to periodic review and could be withdrawn if standards diverge materially.
  EU GDPR: The EU adopted an adequacy decision for the UK in June 2021, allowing personal data to flow freely between the EU and UK. That decision is subject to periodic review.

Future divergence
  UK GDPR: The DUAA has introduced UK-specific changes, including the RLI lawful basis, that have no EU equivalent. Further divergence is possible over time.
  EU GDPR: The EU GDPR serves as the stable reference framework; it continues to evolve through EDPB guidance and supplementary legislation rather than legislative amendment.

For website owners operating across both UK and EU audiences, both regimes apply simultaneously. A compliant consent management platform will handle the technical requirements of both.

UK GDPR and the EU Adequacy Decision

Following Brexit, a key question for many websites was whether personal data could continue to flow freely between the EU and UK. The EU adopted an adequacy decision for the UK in June 2021, renewed in December 2025, allowing personal data to flow freely between the EU and UK. The decision runs until 2031 and remains subject to ongoing monitoring.

The decision confirms that UK data protection law provides an essentially equivalent level of protection to the EU GDPR. As a result, personal data can be transferred between the two blocs without additional safeguards.

Website owners and businesses operating across both jurisdictions should monitor developments to ensure their data transfer arrangements remain documented and up to date.

Practical Steps to Support UK GDPR Compliance for Website Owners

UK GDPR compliance is an ongoing process rather than a one-time task. The following steps cover the core requirements for website owners.

Audit Your Cookies and Trackers

Conduct a thorough scan of your website to identify every cookie and tracker in use, including third-party tools deployed via tag managers or embedded scripts. Classify each as strictly necessary or non-essential.

The Cookiebot™ automated scanner detects and categorizes cookies and trackers across your domain, including those set by third parties.

A consent management platform enables you to present visitors with clear, balanced consent options before any non-essential cookies are placed.

Cookiebot CMP is purpose-built to support UK GDPR and PECR compliance, enabling granular consent by category, automatic blocking of non-essential cookies prior to consent, and detailed consent logging.

Publish and Maintain a Privacy Notice

Your privacy notice must clearly explain what personal data you collect, for what purposes, on what legal basis, how long you retain it, and how visitors can exercise their rights. It must be kept up to date and include the date of last revision.

Establish Lawful Bases for All Processing

Every data processing activity on your website requires a documented lawful basis. For marketing, analytics, and tracking, consent is typically required. Avoid relying on legitimate interests for processing where consent is the clearly appropriate basis.

Be Ready to Respond to Data Subject Requests

Visitors can exercise their rights at any time. Be prepared to respond within one month to requests for access, correction, erasure, or portability of their data.

Notify the ICO of Serious Data Breaches

Serious personal data breaches — those likely to result in risk to individuals — must be reported to the ICO within 72 hours of discovery.

Cookiebot CMP for UK GDPR Compliance

Cookiebot CMP by Usercentrics supports website owners in meeting UK GDPR and PECR consent requirements across websites of all sizes. The platform automatically scans for and categorizes cookies and trackers, presents visitors with a customizable, compliant consent banner, blocks non-essential cookies prior to consent, and maintains detailed consent records.

Frequently asked questions

The UK General Data Protection Regulation (UK GDPR) is the UK's domestic data protection law, retained from the EU GDPR following Brexit and in force since January 2021. It governs how organizations handle personal data of people in the United Kingdom.

If your website collects personal data from visitors in the UK, including through cookies, analytics, or contact forms, the UK GDPR applies to you, regardless of where your business is based.

The two frameworks share the same core structure but are now administered separately. The ICO enforces the UK GDPR, while EU national data protection authorities enforce the EU GDPR. Key divergences include the DUAA's recognized legitimate interest basis (UK-only) and separate adequacy and transfer frameworks.

The Information Commissioner's Office (ICO) is the independent supervisory authority responsible for enforcing the UK GDPR, Data Protection Act 2018, and PECR in the United Kingdom.

Fines reach up to GBP 17.5 million or 4 percent of global annual turnover (whichever is greater) for the most serious violations. Following the DUAA, UK GDPR-level fines can also be applied to certain PECR breaches, including cookie consent failures.