
New ICO cookie rules from 29 April 2026: what your website must change this month

The ICO has finalised its cookie guidance and PECR fines have jumped to £17.5m. A practical six-step compliance check for UK small business websites before 19 June 2026.

Tom Barber
Reading time: 3 min
Compliance

The ICO finalised its new cookie and storage-tech guidance on 29 April 2026 under the Data (Use and Access) Act. Two changes really matter.

  1. PECR fines now top out at £17.5m or 4% of global turnover - up from £500k, in force since 5 February.
  2. From 19 June 2026, every organisation in scope also needs a written data-protection complaints procedure.

If your cookie banner hasn't had a once-over this year, it's almost certainly out of step with the new rules. Full ICO guidance is here.

What's actually new

Three things matter for most small business sites.

  1. The ICO has widened the list of exemptions for non-intrusive technologies. Some analytics, fraud prevention and basic A/B testing can now sit outside the consent requirement, in narrow and clearly defined cases. That's useful, but the criteria are tighter than the headlines suggest.
  2. The consent rules have firmed up. Pre-ticked boxes, implied consent and the old continue-browsing pattern are explicitly out. If your banner does any of those, it needs replacing.
  3. The ICO expects you to show your working. Each cookie should map to a lawful basis, with a maintained register you can hand over if asked.

Why £17.5m matters - even at small business scale

The headline number is a ceiling, not the typical fine. The change that actually catches most small businesses out is procedural: from 19 June, you need a documented data-protection complaints procedure. That's a process change, not a website change, and a lot of small businesses don't yet know it applies to them. One complaint - or one competitor flagging a non-compliant banner - is enough to trigger a formal look.

A six-step check you can run this month

Work through these in order. The first three are technical, the rest are operational.

  • Audit every cookie and storage technology your site sets, including the ones loaded by Google Analytics, social pixels, chat widgets, embedded videos and A/B testing. Cookiebot or CookieYes will give you a free starting list.
  • Categorise each one - strictly necessary, functional, analytics or advertising - and check what's now exempt versus what still needs consent.
  • Replace any pre-ticked, implied-consent or continue-browsing banner with a clear, granular consent screen. Reject must be as easy as accept.
  • Update your privacy and cookie policies to reference the 29 April 2026 guidance, the DUAA and your new fine exposure.
  • Document an internal complaints procedure - named owner, response time, escalation path - ready for 19 June.
  • Diary a quarterly cookie audit and an annual policy review.

Common traps we're seeing

Three issues come up on nearly every audit we run.

  • Tag Manager firing analytics or advertising tags before consent is granted. It's an easy miss, and it often survives a banner refresh.
  • Cookie policies that still cite the 2019 ICO guidance or pre-DUAA wording. The 29 April document supersedes both.
  • Consent records that aren't stored, or are stored only on the user's own device. The ICO expects server-side, time-stamped logs you can produce on request.
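The three traps above come down to one design: tags gated on granular consent, default-deny before Tag Manager loads, and a time-stamped consent record sent to your own server. The following is an added example written for this post, not Web & Roll's code or any vendor's; the category names, tag inventory and policy version are constructed assumptions, while the Consent Mode keys are Google's real gtag signals.

```javascript
// Added example: granular consent gating for a small-business site.
// Category names, tag inventory and policy version are constructed assumptions.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'advertising'];

// Constructed tag inventory: each tag declares the category it needs before it may fire.
const TAG_INVENTORY = [
  { id: 'session-cookie', category: 'necessary' },
  { id: 'chat-widget', category: 'functional' },
  { id: 'ga4', category: 'analytics' },
  { id: 'social-pixel', category: 'advertising' },
];

// State before the visitor chooses anything: only strictly necessary tags may run.
// "Reject all" returns exactly this state, so rejecting costs one click, same as accepting.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, advertising: false };
}

// Apply the banner's granular choices. Unknown keys are ignored; 'necessary' cannot be withdrawn.
function applyChoices(choices) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) if (c !== 'necessary' && c in choices) consent[c] = Boolean(choices[c]);
  return consent;
}

// The gate: only tags whose category has been granted are permitted to fire.
function tagsAllowed(consent, inventory = TAG_INVENTORY) {
  return inventory.filter(t => consent[t.category] === true).map(t => t.id);
}

// Google Consent Mode signals (real gtag keys). Push the all-denied form with
// gtag('consent', 'default', ...) before the Tag Manager container loads, then the
// visitor's choices with gtag('consent', 'update', ...) once the banner is answered.
function toConsentMode(consent) {
  const flag = v => (v ? 'granted' : 'denied');
  return {
    functionality_storage: flag(consent.functional),
    analytics_storage: flag(consent.analytics),
    ad_storage: flag(consent.advertising),
    ad_user_data: flag(consent.advertising),
    ad_personalization: flag(consent.advertising),
  };
}

// Server-side consent record: time-stamped and tied to the policy version shown.
// POST this to your own endpoint; a copy on the visitor's device alone is not enough.
function buildConsentRecord(consent, policyVersion, now = new Date()) {
  return { timestamp: now.toISOString(), policyVersion, consent: { ...consent } };
}
```

Call `toConsentMode(defaultConsent())` for the default push and `toConsentMode(applyChoices(...))` for the update; log `buildConsentRecord(...)` at the same moment so the register and the banner never disagree.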

What the new exemptions actually allow

There's genuine room to breathe for basic analytics and security, but the criteria are narrow. The ICO write-up is summarised here, and the legal analysis from Womble Bond Dickinson on the non-intrusive exemptions is here. Read both before assuming a particular tag falls inside an exemption.

Where we can help

We run fixed-fee cookie and PECR audits for SME websites, covering tag inventory, banner configuration, policy text and the new complaints procedure. We'll tell you exactly what to change before 19 June 2026. Contact us today to discuss your requirements.
