Site data collection may seem harmless. A contact form, newsletter signup, cookie banner, analytics tag, or a page populated with customer information can look like routine day-to-day business.
In legal terms, each one can create duties around transparency, consent, security, retention, and accountability under privacy law.
Those obligations for businesses in the UK are set out in the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations, if cookies, email marketing, or similar tracking technologies are used.
Everyday Data Collection Can Create Legal Duties
A website does not need to sell any of your personal data to have privacy issues.
Names, email addresses, IP addresses, device IDs, location information, and browsing history can trigger the regulations concerning data protection if they identify an individual.
A compliance gap can start with something as routine as adding a form, analytics tool, or advertising pixel.
Before using forms, analytics tools, or advertising pixels, businesses should map what data is collected, where it is stored, how long it is kept, and whether users have been properly informed. Using clickwrap software can help ensure that users are informed and provide consent in a legally compliant way.
Under the UK GDPR, personal data must be processed lawfully, fairly, and transparently, so the privacy notice should explain the purpose, lawful basis, recipients, retention period, and user rights.
Cookies and Tracking Are a Common Weak Point
Cookies are one of the biggest issues in website compliance because only strictly necessary cookies can generally be set without the user's consent. Other tracking tools require consent, including:
- Analytics cookies that measure how people use a website.
- Advertising cookies used for targeting or retargeting.
- Profiling tools that build user behavior patterns.
- Third-party pixels that track activity across different sites.
The chart below shows that third-party cookies appear across many website categories, making cookie compliance a concern for a wide range of site operators.
[Chart: Percentage of analyzed websites using third-party cookies across different categories. Source: ACM Digital Library]
Strictly necessary cookies may be used without consent, but analytics, advertising, and profiling cookies usually require clear consent before use. Banners that favor “accept all” over “reject” can create compliance risk.
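One way to put the rule above into practice is a consent gate in front of the site's tag loader. The JavaScript below is an added example, not code from the original article: it defaults every non-essential category to refused, treats "reject all" exactly like "accept all" (both are one recorded choice), expires stale consent so it is re-asked, and blocks tags in categories the site has not classified. Category names, the retention window and the sample tag inventory are constructed assumptions.

```javascript
// Categories follow the article: only "necessary" may run without consent;
// analytics, advertising and profiling (incl. third-party pixels) need an
// explicit, recorded opt-in. All names here are constructed for the example.
const CATEGORIES = ["necessary", "analytics", "advertising", "profiling"];

// Default state: nothing opted in. Showing the banner changes nothing;
// only an explicit user choice does (no pre-ticked boxes).
function defaultConsent() {
  return { analytics: false, advertising: false, profiling: false, recordedAt: null };
}

// Record the user's choice. "Accept all" and "reject all" both call this,
// so refusing is no harder than accepting.
function recordChoice(consent, choices, now = Date.now()) {
  const next = { ...consent, recordedAt: now };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    next[cat] = choices[cat] === true; // anything but an explicit true is a refusal
  }
  return next;
}

// Consent older than this window counts as absent and must be asked again.
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumption: six months

function isConsentCurrent(consent, now = Date.now()) {
  return consent.recordedAt !== null && now - consent.recordedAt <= CONSENT_MAX_AGE_MS;
}

// Given the site's tag inventory, return only the tags allowed to load now.
// Tags in an unclassified category are treated as non-essential and blocked.
function allowedTags(tags, consent, now = Date.now()) {
  const current = isConsentCurrent(consent, now);
  return tags.filter((tag) => {
    if (tag.category === "necessary") return true;
    if (!CATEGORIES.includes(tag.category)) return false;
    return current && consent[tag.category] === true;
  });
}

// Constructed sample inventory mirroring the article's cookie categories.
const SAMPLE_TAGS = [
  { name: "session-cookie", category: "necessary" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-retargeting-pixel", category: "advertising" },
  { name: "behaviour-profiler", category: "profiling" },
  { name: "unclassified-script", category: "experimental" },
];
```

Before any choice is recorded, `allowedTags(SAMPLE_TAGS, defaultConsent())` returns only the session cookie; the same happens again once the recorded consent is older than the window.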
The legal issue is not limited to the banner. Businesses also need to understand what happens behind it, including:
- What data each tool collects.
- Whether that data is shared with third parties.
- Whether the data is combined with other user information.
- Whether any data is transferred outside the UK.
- Whether supplier contracts and privacy terms have been reviewed.
Third-party tools may collect, share, or transfer user data outside the UK, so businesses should first check supplier terms and transfer safeguards.
Privacy Policies Cannot Be Treated as Boilerplate
A copied privacy policy can look credible, but it may give users the wrong picture of how the website handles personal data.
A helpful policy should align with the business’s actual data practices. If your business uses analytics, customer relationship software, payment processors, embedded videos, chat tools, or marketing platforms, you should review those activities.
Retention is often missed. Keeping data “just in case” is hard to justify without a business or legal reason. The UK GDPR requires personal data to be kept no longer than necessary. Businesses should set retention periods and apply them.
Small Gaps Can Become Bigger Problems
Website data collection risks can arise through complaints, subject access requests, supplier issues, regulatory checks, or a loss of customer trust.
Businesses should audit the data their sites collect, review cookie settings, update privacy notices, check supplier terms, and delete data they no longer need.
Privacy compliance is required of any website that collects personal data. Every action must be accompanied by a legal reason, a user notice, and controls.
