On 29 April 2026, the ICO published its finalised guidance on storage and access technologies under the Data (Use and Access) Act. The maximum fine for a cookie consent breach jumped from £500,000 to £17.5 million. For a business turning over £400,000, the 4% calculation alone comes to £16,000. That guidance now sets the standard for UK small business cookie consent: what the banner must look like, what scripts must be blocked before a visitor agrees, and what counts as a valid rejection.
The cookie banner on your website has probably been there since you launched. You ticked a checkbox in Squarespace settings, or installed a free plugin when someone mentioned GDPR. A banner appeared. The words said something about cookies. There was a button that said "Accept". You moved on.
The banner that came with your template almost certainly does not meet that standard.
This post covers what changed, what the new rules require in practice, and why many template-platform cookie tools fall short of the new bar. It does not advise on whether your specific site is compliant. That question belongs with a solicitor, a data protection officer, or an ICO-accredited advisor. The implementation question, what the cookie setup on your website actually needs to look like, is a different matter. That is what the bureau builds.
What changed on 29 April 2026
The ICO's finalised guidance resolved rules that had been in consultation since late 2024. Two things matter most for a small business website owner.
First, the fine cap went up 35-fold. Before 5 February 2026, the maximum PECR fine was £500,000. From that date, under the Data (Use and Access) Act, PECR penalties were aligned with UK GDPR: up to £17.5 million, or 4% of global annual turnover, whichever is higher.
For a small business turning over £400,000, 4% is £16,000. For a 10-person practice on £800,000, it is £32,000. These are not the maximum. They are the 4% calculation on what the ICO could pursue if it investigated a complaint about your site.
Second, the ICO codified what equal prominence means. A banner that shows a large green "Accept All" button and a small grey "Manage Preferences" link tucked underneath is not compliant. The rule is simple: the option to reject non-essential cookies must be as easy to find and use as the option to accept them. One click to accept, one click to reject. Same visual weight. The April 2026 guidance makes this explicit and enforceable.
What UK small business cookie consent rules now require
The ICO's position on the basics has not changed: you cannot set non-essential cookies before a visitor gives consent. What the April 2026 guidance makes explicit is how that consent must be offered.
A compliant banner presents "Accept All" and "Reject All" at equal visual prominence. Not a prominent button and a footnote link. Two clearly labelled, equally accessible options, visible from the first interaction.
The guidance documents five exemption categories in total. Two are long-standing PECR rules that predate the DUAA: technologies used to transmit a communication, and technologies that provide a service the user has explicitly requested. The DUAA itself added three new ones: collecting statistics for service improvement under strict conditions, adapting the site's appearance to a user's preference, and providing emergency assistance. The analytics exemption is narrow. If your Google Analytics data feeds into any advertising targeting at all, it does not qualify for the exemption. A standard GA4 setup on most small business sites is therefore not exempt.
The ICO has confirmed the guidance applies to all UK-facing websites, with no threshold for business size. A sole trader getting 200 visitors a month is inside the rules.
Why template platforms often fall short
Wix and Squarespace both offer built-in cookie tools. The problem is not the banner. It is what the platform can and cannot control underneath it.
Squarespace's native cookie tool does not block scripts from third-party integrations. If you have a Calendly booking widget on your contact page, an Instagram feed on your homepage, or a Mailchimp pop-up that fires on exit, those integrations are setting cookies regardless of what the visitor clicked on your banner. The banner is window dressing if the scripts run anyway, and Squarespace's architecture does not give you the code-level access needed to stop them.
Wix has improved its native compliance tool, now integrated with Usercentrics. But many sites built two or three years ago are still running the older default banner, which had the same third-party script limitations. If you set up your Wix site in 2022 and never revisited the cookie settings, you are almost certainly running the legacy setup.
The root problem is structural. Template platforms give you control over the banner's wording and visibility. They do not give you full control over every script that fires when a visitor loads the page. A custom-built site, where the code stack is directly controlled, can actually block the scripts. The banner is then doing what it claims to do.
The numbers behind the new UK small business cookie consent risk
Before 5 February 2026: maximum PECR fine of £500,000. After 5 February 2026: up to £17.5 million, or 4% of annual global turnover. That is a 35-fold increase in the penalty headroom.
The ICO's enforcement priorities are not focused on sole traders running brochure sites. But the ICO investigates individual complaints, and enforcement typically results in a mandatory reprimand with remediation on a tight deadline. That cost arrives whether or not the fine does.
The honest split: solicitor's question versus website question
The bureau does not advise on whether you need to comply with a specific rule, whether a particular cookie falls into the analytics exemption, or how the guidance applies to your business specifically. That is legal and compliance advice. It belongs with a solicitor, a DPO, or an ICO-accredited advisor.
The bureau builds what the compliance decision leads to: the banner, the script-blocking layer, the consent management setup, the cookie policy page, and the implementation that stops non-essential scripts from firing before consent is given. That is website work, not legal work.
These two questions get conflated often. "Am I compliant?" is for the advisor. "Does my website do what compliance requires?" is for whoever built the site. They are different questions with different answers and different people responsible for them.
What properly implemented UK small business cookie consent looks like
Every custom website the bureau builds includes a properly implemented cookie consent setup from the start. Not a template checkbox enabled and left. A consent management layer that blocks non-essential scripts before consent is given, presents Accept All and Reject All at equal visual prominence, and records consent for audit purposes. Installing Cookiebot or CookieYes on a Squarespace or Wix site addresses the banner display; it does not solve the script-blocking problem, because those tools still cannot reach past the platform's own architecture to intercept integrations the platform loads itself. A custom build has no platform layer in the way: every third-party script, Calendly, GA4 and Instagram included, can be gated at the code level.
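The script gating described above, as an added example rather than the bureau's own code: non-essential scripts are tagged with a category, the consent layer decides which may run, and the record it produces is what an audit trail would store. The category names, the data-consent attribute and the record fields are assumptions; the decision logic runs anywhere, and only the final activation step needs a browser DOM.

```javascript
// Added example (not the bureau's code). Non-essential scripts are authored
// as inert tags the browser never executes, e.g.
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// and are re-created as real script tags only for consented categories.
// Category names and the data-consent attribute name are assumptions.
const CATEGORIES = ["functional", "analytics", "marketing"]; // assumed names

// One action, one record: "accept_all" and "reject_all" are each a single
// click, matching the equal-prominence rule. The returned object is what an
// audit trail would store (timestamp and version are this example's choice).
function buildConsentRecord(action, granted = []) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = action === "accept_all" ? true
                  : action === "reject_all" ? false : granted.includes(c);
  }
  return { action, categories, recordedAt: new Date().toISOString(), version: 1 };
}

// Decide which blocked scripts may run; each script is { id, category }.
// Fails closed: with no record, or an unknown or missing category, only
// "essential" scripts (the ones outside consent) are allowed to run.
function scriptsToActivate(scripts, record) {
  return scripts.filter(s =>
    s.category === "essential" || record?.categories?.[s.category] === true);
}

// Browser side: replace each allowed inert tag with an executable one.
// Returns the number activated; a no-op where there is no DOM (e.g. tests).
function activateBlockedScripts(record) {
  if (typeof document === "undefined") return 0;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const listed = tags.map((t, i) => ({ id: i, category: t.dataset.consent }));
  const allowed = new Set(scriptsToActivate(listed, record).map(s => s.id));
  tags.forEach((t, i) => {
    if (!allowed.has(i)) return;
    const live = document.createElement("script");
    if (t.src) live.src = t.src; else live.textContent = t.textContent;
    t.replaceWith(live); // the browser fetches and executes it only now
  });
  return allowed.size;
}

// Constructed inventory of the integrations named in the post, for a dry run.
const SAMPLE_SCRIPTS = [
  { id: "ga4", category: "analytics" }, { id: "calendly", category: "functional" },
  { id: "instagram", category: "marketing" }, { id: "session", category: "essential" },
  { id: "untagged", category: undefined }, // missing data-consent: stays blocked
];
```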
Because the build is custom and the bureau controls the code directly, updating the implementation when the guidance changes does not require waiting for Squarespace to release a platform update or Wix to push a new feature. The bureau makes the change. The site reflects the current rules.
The plan is a free five-page custom build, £50 a month for 24 months. UK hosting on the bureau's own infrastructure, domain registered in your name from day one, monthly backups, small content edits included, free static export on exit. The cookie consent implementation is part of the build, not a separate invoice.
How to tell whether your site meets the new ICO standard
Two questions worth asking today. First: can a visitor reject all non-essential cookies in a single click, from the banner itself, with an option that looks the same as "Accept"? If the answer is "I think so" rather than "yes, definitely", the ICO's standard is not being met.
Second: do your embedded scripts (Calendly, GA4, Instagram, live chat) actually block until consent is given, or do they fire the moment the page loads?
If sorting this is sitting on a list that never gets shorter, book a 15-minute discovery call with the bureau. Free, no obligation. If you can sort it on your current platform, the bureau will say so.