What Data Protection Day Means for Your Website

Published: 19th January 2026

Data Protection Day takes place on 28 January each year. The date marks the anniversary of Convention 108, an international treaty signed in 1981 that established the first legal framework for protecting personal data.

When data protection comes up in conversation, it usually centres on passwords, encryption, firewalls and secure servers. These are all important, but the data you collect through your website often receives far less attention. This Data Protection Day, it is worth taking the time to consider what personal information your website gathers, whether you have a valid legal basis to collect it and how clearly you are explaining its use to your visitors.

What Personal Data Does Your Website Collect?

Your website likely collects personal data in several ways:

  • Contact forms gather names, email addresses and phone numbers
  • Newsletter sign-ups add people to your marketing database
  • Live chat tools store conversations and contact details
  • Analytics platforms record browsing behaviour, device information and approximate location
  • Cookie banners log consent preferences

UK GDPR and the Data Protection Act 2018 require you to have a lawful basis for each type of data you collect. For marketing purposes, this is usually either consent or legitimate interest. Consent means the person has actively agreed to their data being used in a particular way. Legitimate interest means you have a valid business reason to use the data, provided this does not override the individual’s rights. Whichever basis you rely on, you need to explain this clearly in your privacy policy, along with details of how the data will be used.

Cookie Consent and What the ICO Expects

The ICO spent much of 2025 reviewing cookie practices across the UK’s top 1,000 websites. By the end of the year, the regulator reported that over 95% met its standards, though many had only reached compliance after receiving warning letters or preliminary enforcement notices.

Cookies that are not strictly necessary for your website to function, including analytics cookies, advertising cookies and tracking pixels, cannot be placed until your visitor has given consent. Google Analytics, Facebook Pixel and LinkedIn Insight Tag all fall into this category and should only load after the visitor has accepted them through your cookie banner. A banner that appears while these cookies are already running in the background does not meet the requirements.

The Data (Use and Access) Act 2025 created some exemptions for low-risk cookies used for basic audience measurement, but marketing and advertising cookies still require consent before they are set. Fines for breaching PECR (the Privacy and Electronic Communications Regulations) now match those under GDPR: up to £17.5 million or 4% of global annual turnover.

Forms, Email Marketing and Consent

Any form that collects personal information, whether a contact form, a content download or an event registration, is subject to data protection rules.

Your privacy policy should explain what happens to data submitted through forms: how long you keep it, who has access to it and whether you share it with any third parties. You should also limit collection to the information you actually need. If a phone number is not required to respond to an enquiry, there is no reason to make it a mandatory field.

Email marketing is governed by PECR as well as GDPR. You can use legitimate interest as a basis for some B2B marketing, but every email must include a working unsubscribe option and you must process opt-out requests promptly.

The soft opt-in allows you to send marketing emails to existing customers without obtaining fresh consent, but only where all of the following apply:

  • You collected the person’s details during a sale or sales negotiation
  • Your emails promote similar products or services to those originally purchased or discussed
  • You gave the person a clear opportunity to opt out when you first collected their details
  • Every email includes a way to unsubscribe

Third-Party Tools and Data Sharing

Your website probably uses third-party services such as CRM systems, email platforms, analytics tools and advertising networks. Each of these processes personal data in some capacity.

UK GDPR requires you to have a data processing agreement with any third party that handles personal data on your behalf. These agreements set out what data is being processed, for what purpose and what security measures are in place. Even with an agreement in place, you remain responsible for how the data is handled.

Many of these services are based in the United States. The EU-UK adequacy decision, renewed in December 2025, allows personal data to be transferred to the US without additional safeguards, but you should still check that your providers are operating under recognised frameworks.

Where third-party tools share data with advertising platforms, for example when a Facebook Pixel sends visitor data to Meta, you need to disclose this in your privacy policy. In most cases, you also need to obtain consent through your cookie banner before any data is shared.

Data Protection Checklist

  • Test your cookie consent tool to confirm that analytics and marketing cookies are blocked until consent is given
  • Review your privacy policy to check it reflects how data is currently collected and used
  • Look at each form on the website and remove any fields that collect information you do not need
  • Send yourself a test unsubscribe request to check the process works and is actioned quickly
  • List the third-party tools connected to your website and confirm a data processing agreement is in place for each one

How We Can Help

Priority Pixels is registered with the Information Commissioner’s Office (registration reference ZB845765). As an agency that handles client data and builds websites that collect personal information, we take our own data protection obligations seriously and apply the same standards to the work we do for clients.

During the planning phase, we identify what data your website will collect and what third-party integrations are required. When we build the site, we implement cookie consent solutions that block non-essential cookies until consent is given, configure forms to capture the necessary consent records and set up analytics and tracking tools so they only fire when permitted. We also work with you to review your privacy policy content to make sure it accurately describes the data collection and processing that takes place on the site.

If you have questions about whether your website meets current data protection requirements or you are planning a new site and want to get this right from the beginning, get in touch.

Paul Clapp
Co-Founder at Priority Pixels

Paul leads on development and technical SEO at Priority Pixels, bringing over 20 years of experience in web and IT. He specialises in building fast, scalable WordPress websites and shaping SEO strategies that deliver long-term results. He’s also a driving force behind the agency’s push into accessibility and AI-driven optimisation.
