What Every Small Business Needs to Know About Data, Privacy and Your Website in 2026
Data protection rules, cookie consent, SSL certificates, and what happens when you paste customer information into ChatGPT. A plain English guide for small business owners who just want to know where they stand.
Data privacy is one of those subjects that sounds complicated and technical until you break it down. Most of it is common sense dressed up in legal language. This post covers the main things your website and your business practices need to have in place in 2026, without getting lost in the detail.
A note before we start: this is general guidance, not legal advice. If you have specific concerns about your data practices, speaking to a solicitor or the ICO directly is always the right call.
UK GDPR – does it still apply after Brexit?
Yes. This comes up a lot and the answer is straightforward.
When the UK left the EU, the GDPR was retained in UK domestic law and became the UK GDPR, which came into force on 1 January 2021. It applies to any business that collects or processes personal data from people in the UK, regardless of where the business itself is based.
The UK and EU versions started as identical texts. The Data (Use and Access) Act 2025, which came into force in February 2026, introduced the first meaningful differences between them. Some rules around cookie consent and automated decision-making have been relaxed slightly under the UK version. The core obligations around data handling, breach notification, and individual rights remain firmly in place.
If you have UK customers, UK GDPR applies to you. If you also have EU customers, EU GDPR applies to that data. For most small businesses operating only in the UK, UK GDPR is the one to focus on.
The ICO is the UK’s data protection regulator and their website at ico.org.uk has practical guidance written specifically for small businesses.
Cookie consent – what has changed in 2026
Cookies are small files that websites store on a visitor’s device to remember things – whether they are logged in, what they put in a basket, or how they found the site. Some cookies are essential for the site to work. Others track behaviour for advertising or analytics purposes.
The rule of thumb used to be simple: anything beyond essential cookies required the visitor’s consent before being set. The Data (Use and Access) Act 2025 has introduced some new exemptions under the UK framework:
- Analytics cookies – purely used to understand how people use your site can now operate on a soft opt-out basis rather than requiring active consent first. Visitors must still be given a clear, simple way to opt out.
- Functional cookies – used to remember user preferences or enhance the experience are also covered by this exemption.
- Security and fraud detection cookies – these have always been considered essential and do not require consent.
What has not changed: tracking cookies used for advertising and third-party targeting still require explicit consent. The cookie banner is not going away entirely – it is just slightly less demanding for certain low-risk uses.
In practical terms, if your website uses Google Analytics and nothing else cookie-wise, the new rules mean you have a bit more flexibility. If you run advertising through Meta or Google, the consent requirements still apply in full.
A significant number of websites still have no cookie notice at all. That is not a grey area – it is a compliance failure, however small the business. Getting a basic consent mechanism in place is a straightforward fix and most WordPress cookie plugins handle it automatically.
SSL certificates – the padlock in the browser bar
If you look at the address bar of any website, you will see either a padlock icon or a warning that the connection is not secure. The padlock means the site has an SSL certificate installed, it encrypts the data passing between the visitor’s browser and the website so it cannot be intercepted.
Without SSL, any information submitted through your website – a contact form, a booking request, login details, travels in plain text. Anyone able to intercept that traffic can read it.
SSL is also a factor in Google’s ranking algorithm. Sites without it are flagged as not secure in Chrome, which puts visitors off immediately. It is one of the most basic technical requirements for any website in 2026 and there is no good reason for a live site not to have it.
SSL is included as standard on every site we build at Pixelroot.
Putting customer data into AI tools
This one catches businesses out and it is worth being clear about.
Imagine a business owner copies a list of customer names, email addresses, and invoice details into ChatGPT to help write a follow-up email campaign. It feels harmless – they are just using it as a writing tool. From a data protection standpoint, it is a significant problem.
When you enter personal data into a public AI tool like ChatGPT, that data is processed by a third party – OpenAI – on servers that may be located outside the UK. Under UK GDPR, sending personal data to a third party requires either a lawful basis for doing so or a data processing agreement in place with that third party. Most businesses entering customer data into AI chat tools have neither.
OpenAI’s standard terms allow them to use inputs to improve their models unless you have specifically opted out or are on a paid plan with data controls in place. Your customers did not consent to their information being used for AI training when they gave you their email address.
The practical guidance here is straightforward. Do not paste real customer names, email addresses, phone numbers, or any other identifying information into public AI tools. Use anonymised or fictional examples instead. If you want to use AI tools for customer-facing tasks at scale, look at enterprise versions with proper data processing agreements, Microsoft Copilot within a business Microsoft 365 account, for example, has data handling terms designed for business use.
This is a growing area and the ICO has published guidance on AI and data protection at ico.org.uk.
Sharing data with contractors
Many small businesses share employee or customer data with contractors without giving it much thought, a spreadsheet of staff details sent to a payroll provider, a customer list shared with a freelance marketer, booking data passed to an external admin. Under UK GDPR, this kind of sharing needs to be handled correctly.
When you share personal data with a contractor who processes it on your behalf, that contractor is a data processor and you are the data controller. You are responsible for making sure the data is handled properly, even though someone else is doing the processing.
In practice this means having a data processing agreement in place with any contractor who handles personal data for you. It does not need to be a lengthy legal document – the ICO has template agreements available, but something needs to exist that sets out what data is being shared, what it will be used for, and how it will be protected.
Google Workspace has GDPR-compliant data handling terms built into its business contracts, so sharing within a properly set-up Google Workspace environment is generally covered. The risk tends to come from informal sharing, emailing a spreadsheet to a freelancer with no agreement in place, or using a personal Google account to share files rather than a business one with proper controls.
Data sharing has become a normal part of running a business and most of it is perfectly fine when done with the right paperwork in place. The ICO’s website has straightforward guidance on data processing agreements if you want to check what you need.
A quick checklist
- SSL certificate installed – the padlock should be showing in the browser bar on your website.
- Cookie consent in place – a basic notice giving visitors information about cookies and the ability to opt out of non-essential ones.
- Privacy policy published – a clear page on your website explaining what data you collect, why, and how it is stored.
- No real customer data in public AI tools – use anonymised examples or fictional data when using AI writing tools.
- Data processing agreements with contractors – anyone handling personal data on your behalf should have something in writing.
None of this is especially complicated once it is in place. The ICO takes a proportionate approach with small businesses and its guidance is written to be accessible. If you are unsure where your website stands on any of the above, it is worth getting it checked sooner rather than later.
Not sure where your website stands?
We are happy to take a look and give you a straightforward view. No jargon, no lengthy process.
Get in TouchDisclaimer: This post is intended as general guidance only and does not constitute legal advice. Data protection law is complex and your specific obligations will depend on the nature of your business and the data you process. For advice tailored to your situation, consult a qualified solicitor or contact the ICO directly at ico.org.uk.