The compliance gap nobody is talking about
Ask most UK business owners if they are GDPR compliant and they will say yes. They have a privacy policy. They have a cookie banner. Job done.
Ask a data protection lawyer the same question about those same businesses, and the answer is very different. The gap between what business owners think is compliant and what the ICO actually requires is enormous — and it is sitting on the front page of millions of UK websites right now.
"The most common GDPR violations we see in small business websites are not deliberate. They are the result of setting up Google Analytics in 2019 and never revisiting how it loads. But the ICO does not accept ignorance as a defence."
— The Guardian, Data Protection for Small Business, March 2026
The three most common GDPR violations hiding on UK websites right now
1. Google Analytics firing before consent
If your website loads Google Analytics — even a tiny tracking pixel — before a visitor has clicked "Accept" on your cookie banner, you are in violation of UK GDPR. In our audit of 2,400+ UK websites, we found this on roughly one in three that had a cookie consent mechanism at all. The banner was present. The analytics were firing anyway.
Open your website in a private browser window and accept no cookies. Press F12, go to the Network tab, and look for requests to google-analytics.com or similar tracking domains. If those requests fire before you have accepted cookies, you have a violation.
2. No cookie categorisation
A cookie banner that says "We use cookies" is not compliant. UK GDPR requires that users are told what categories of cookies are being set (strictly necessary, functional, analytics, marketing), why each category is being set, and given the ability to accept or reject each category independently.
3. Privacy policy gaps
A privacy policy copied from a template in 2020 that does not mention your actual data processors (Mailchimp, HubSpot, Stripe, Google Analytics, Facebook Pixel) is not compliant. The ICO requires specific, accurate disclosure of every third party you share data with.
Real consequences: SME fines that made the news
"GDPR enforcement against smaller organisations has increased significantly since 2024. The ICO has made clear that size is not a defence. The obligations exist regardless of whether you have ten customers or ten million."
— Financial Times, Regulatory Risk for UK SMEs, April 2026
The fix is not as complicated as the regulation makes it sound
Most UK website GDPR issues are fixable within a week by any competent developer:
- Implement a proper consent management platform (Cookiebot, CookieYes, or equivalent) that blocks analytics until consent is given
- Update your privacy policy to list every data processor you actually use
- Ensure your cookie categories are correctly mapped and described
- Make sure your site is running over HTTPS with a valid SSL certificate
- Review any forms that collect personal data — are they over HTTPS? Do they explain how data is used?
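The following is an added example, not code from this article or from any consent management vendor, showing the behaviour behind violations 1 and 2 and the first fix above: analytics and marketing tags stay blocked until the visitor opts in to the matching category, consent is granular, and the stored decision is honoured on return visits. The storage key, the G-PLACEHOLDER measurement ID and the `injectScript`/`storage` parameters are assumptions made so the logic runs under Node without a browser; in a page you would pass a function that appends a script element to document.head and window.localStorage.

```javascript
// Added example (not the article's or any CMP vendor's code): a minimal consent manager
// that keeps third-party tags blocked until the visitor consents to their category.
// Assumptions: `injectScript` and `storage` are supplied by the caller so this runs in
// Node without a DOM; the storage key and the measurement ID are placeholders.

const CONSENT_STORAGE_KEY = "cookie_consent_v1"; // hypothetical storage key

// Categories named in the article. Strictly necessary is always on; every other
// category defaults to "not consented", which is what genuinely opt-in consent requires.
const DEFAULT_CONSENT = Object.freeze({
  necessary: true,
  functional: false,
  analytics: false,
  marketing: false,
});

// Each tag is registered against the consent category that gates it. The vendor
// hostnames are real; the measurement ID is a placeholder for the site's own.
const TRACKERS = [
  { name: "google-analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { name: "facebook-pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Read a stored decision; anything missing or malformed counts as "no consent".
function readStoredConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_STORAGE_KEY);
    if (!raw) return {};
    const parsed = JSON.parse(raw);
    return typeof parsed === "object" && parsed !== null ? parsed : {};
  } catch {
    return {};
  }
}

function createConsentManager({ injectScript, storage }) {
  // Only known categories are taken from storage; unknown keys are ignored and
  // `necessary` can never be switched off.
  const stored = readStoredConsent(storage);
  const consent = { ...DEFAULT_CONSENT };
  for (const key of Object.keys(DEFAULT_CONSENT)) {
    if (typeof stored[key] === "boolean") consent[key] = stored[key];
  }
  consent.necessary = true;
  const loaded = new Set();

  // Inject every tag whose category is consented and that has not been injected yet.
  // Withdrawing consent does not unload a script already running; a reload is needed.
  function applyConsent() {
    for (const tracker of TRACKERS) {
      if (consent[tracker.category] === true && !loaded.has(tracker.name)) {
        injectScript(tracker.src);
        loaded.add(tracker.name);
      }
    }
  }

  applyConsent(); // returning visitor with a stored decision: honour it immediately

  return {
    getConsent: () => ({ ...consent }),
    // Granular update: only the categories passed in change; necessary stays true.
    update(choices) {
      for (const key of Object.keys(choices)) {
        if (key in DEFAULT_CONSENT && key !== "necessary") consent[key] = choices[key] === true;
      }
      storage.setItem(CONSENT_STORAGE_KEY, JSON.stringify(consent));
      applyConsent();
    },
    acceptAll() { this.update({ functional: true, analytics: true, marketing: true }); },
    rejectAll() { this.update({ functional: false, analytics: false, marketing: false }); },
    loadedTrackers: () => [...loaded],
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

// Walk-through: nothing loads before a decision; analytics loads only after opting in.
function demo() {
  const injected = [];
  const cm = createConsentManager({ injectScript: (src) => injected.push(src), storage: memoryStorage() });
  console.log("before consent:", injected);
  cm.update({ analytics: true });
  console.log("after analytics opt-in:", injected);
  return injected;
}
demo();
```

The check described under violation 1 maps directly onto this design: with the manager in place, the Network tab shows no request to the analytics host until the analytics category is accepted, and rejecting all categories leaves only strictly necessary cookies. Note that withdrawing consent cannot unload a script that is already executing, so a consent change should be followed by a reload.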
Key takeaways
- Loading Google Analytics before cookie consent is a violation the ICO actively pursues
- A cookie banner is not sufficient — consent must be granular and genuinely opt-in
- Transmitting data over HTTP (not HTTPS) is itself a GDPR issue
- A single customer complaint to the ICO can trigger a full investigation
- Most violations are fixable within a week once identified