Cover the legal requirements
The points I mention below are pointers to get you started, and are not substitutes for legal advice. You will need to consult your lawyer about legal aspects of your website or application.
General Data Protection Regulation (GDPR)
The EU and UK have similar laws to protect the privacy of website users. The UK GDPR regulations were updated by the Data (Use and Access) Act 2025, but the principles are still the same.
The EU provides a checklist you can use to make sure you are complying. Basically, only gather personal information (like email addresses) when you have a legal basis for it and when people give informed consent. Publish a privacy statement saying what information you gather, for what purposes, how long you will keep it, and who has access to it.
You also need to tell people how they can find out what personal information you have about them and how they can request its deletion.
Things to do for GDPR
- Consult your organisation’s lawyer, if there is one.
- Go through the EU checklist.
- Look at the GDPR overview.
- Make sure you have a privacy statement on your site.
Cookies
The EU’s ePrivacy Directive (EPD) works alongside GDPR, since they both concern privacy. The ePrivacy Directive was passed in 2002 but updated in 2009 to include the cookie regulations.
These regulations gave rise to the rather infamous cookie banner, and they state you must:
- Get people’s consent before you use any cookies, except “strictly necessary” cookies.
- Tell people what data each cookie tracks.
- Store proof of consent.
- Allow people to access your website or app even if they did not consent to cookies.
- Make it easy for people to withdraw their consent at a later date.
“Strictly necessary” cookies are those essential for the site to function. For example, when you log in to a site, a cookie is set in your browser so you can be identified as logged in. If the cookie was not there, you would be logged out every time you visited a new page. Other examples include cookies for shopping carts or for security (to verify that the connection between your browser and the website has not been intercepted).
Common cookies that are not strictly necessary include Google Analytics cookies to gather site statistics and user behaviour, and functional cookies to remember site preferences.
Changes ahead
The EU plans to revise its cookie regulations, and replace the ePrivacy Directive (EPD) with the ePrivacy Regulation (EPR). The Regulation is still being discussed, however.
In the UK, the Data (Use and Access) Act 2025 allows you to use more cookies without consent, such as those that collect certain site statistics. For example, you can collect aggregated statistics about the usage of the site (like page views) but not about the individual users of the site. See the ICO website for an overview of all the changes, and the exceptions page for details about cookie exceptions.
In practical terms, you still need to keep cookie banners: even if you are not based in the EU, if you collect EU citizens’ data then you must comply with EU regulations.
Avoiding cookie banners
You can spare your users the inconvenience of cookie banners if you just use “strictly necessary” cookies.
This doesn’t mean you can’t collect site statistics. Plausible, for example, claims to be a GDPR-compliant stats package. It does not use cookies, and so does not need a cookie banner. Matomo is more fully-featured, and can be configured to not use cookies. They are both worth considering as alternatives to Google Analytics.
Things to do for cookies
- Consult your organisation’s lawyer, if there is one.
- Make sure you have a cookie banner if you use non-essential cookies.
- Give people a clear option to opt out of the cookies.
- Make sure your privacy statement says what cookies you use and why (even “strictly necessary” ones).
- Give people an option to later opt out of cookies.
- If you only use non-essential cookies for website stats, consider switching to a stats package that does not use cookies.
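The requirements listed above (no non-essential cookie before consent, proof of consent, and a later opt-out that actually removes the cookies) can be enforced in one small gate in the page's scripts. The following is an added example, not code from the original page; the cookie registry, the class names and the in-memory jar are constructed for illustration, and in a real page the jar would wrap document.cookie.

```javascript
// Every cookie the site sets, with its category and the purpose you would list
// in the privacy statement. Cookies not in the registry are refused (fail closed).
// Constructed example registry; cookie names and purposes are illustrative.
const COOKIE_REGISTRY = {
  session_id:     { category: "essential",  purpose: "keeps you logged in" },
  csrf_token:     { category: "essential",  purpose: "protects forms from cross-site requests" },
  cookie_consent: { category: "essential",  purpose: "remembers your cookie choices" },
  _ga:            { category: "analytics",  purpose: "site usage statistics" },
  theme:          { category: "functional", purpose: "remembers your display preferences" },
};

// Minimal in-memory cookie jar so the example runs outside a browser.
// In a page, wrap document.cookie with the same four methods.
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) { this.jar = jar; this.now = now; }
  // Proof of consent: which categories were granted and when, kept in an essential cookie.
  record() { const raw = this.jar.get("cookie_consent"); return raw ? JSON.parse(raw) : null; }
  hasConsent(category) {
    if (category === "essential") return true;
    const rec = this.record();
    return rec !== null && rec.granted.includes(category);
  }
  // Called from the banner with the categories the visitor ticked.
  grant(categories) {
    this.jar.set("cookie_consent", JSON.stringify({ granted: categories, at: this.now() }));
  }
  // Withdrawal: overwrite the record and delete every non-essential cookie already set.
  withdraw() {
    this.grant([]);
    for (const name of this.jar.names()) {
      const entry = COOKIE_REGISTRY[name];
      if (!entry || entry.category !== "essential") this.jar.remove(name);
    }
  }
  // Returns true if the cookie was set, false if it was blocked by missing consent.
  setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry || !this.hasConsent(entry.category)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

Because the registry doubles as the list of cookies and purposes, it is also the source for the cookie section of your privacy statement.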
Accessibility
The EU, UK and USA all have accessibility acts governing websites and applications. These acts ensure that websites are easy to use for people with a range of physical and cognitive abilities, such as people who are blind or partially sighted, or who have dyslexia or ADHD.
The international standards for accessibility are created by the World Wide Web Consortium (W3C), and are called the Web Content Accessibility Guidelines (see the simple overview). There are three levels of conformance to these guidelines:
- A (conform to some of the guidelines),
- AA (conform to most of the guidelines) and
- AAA (conform to almost all guidelines).
In the EU, UK and USA your website needs to have AA conformance. These guidelines can seem overwhelming, especially to a non-technical person, but remember that many may not apply to your site because they may concern a technology you don’t use.
Things to do for accessibility
- Go through the simple guide to checking accessibility or the similar UK government checklist for AA compliance.
- Use a browser addon tool like WAVE or ARC to check your site.
- Test your site with a variety of people, including people with a variety of abilities (see Test little and often).
- Put an accessibility page on your website explaining what you have done to make your site accessible, what issues may be left, what you are doing about those and who to contact about accessibility issues. You will need to show that accessibility assessment is an ongoing process, and so put a date for each page revision.
Copyright
A reminder: just because content is on the web, it doesn’t mean you can use it. If you want stock photos and videos, don’t forget you can get them for free on sites like Pexels, Unsplash and Pixabay.
As for text, be careful of AI-generated text that has taken copyrighted content from other sites. Ideally, you would have your own text and images that reflect the uniqueness of your organisation and assure the user of its authenticity.
Copyrighting your website
For EU countries and the UK, copyright of a website and its contents is automatic. You do not need to register copyright or put a copyright notice on the site. However, some recommend putting a copyright notice in the footer to make the copyright explicit.
This can be something simple like “© [your name or your organisation’s name], [year]”, e.g. © Joe Bloggs, 2025. If you wanted to go further, you could add “Unauthorised use of the material on this website is strictly prohibited.”
Things to do for copyright
- Make sure you have permission to use all your images and long quotes. You may need to add image credits as a condition for using them.
- Be careful that your AI-generated content has not been plagiarised.
- Consider adding a copyright notice to your footer.