Which Regulations Apply to Your Website? A Quick Guide

Explainer · 6 min read · Updated 2026-03-23

The safest assumption is that multiple regulations apply to your website. But to move from “we’re probably in scope” to “we know exactly what we’re responsible for,” you need to map your specific regulatory exposure. This guide walks you through the scope decision tree and shows you which regulations apply based on what your business actually does.

The Scope Table

Your regulatory exposure depends on your business’s characteristics. Find your situation below: each entry names the regulation, the condition under which it applies, and the core obligation it creates.

Your business has… a website
  • UK GDPR. Applies if you have a website that collects any personal data. Core obligation: data protection (privacy policy, consent, data subject rights).
  • PECR (Cookies). Applies if you use cookies, tracking pixels, analytics, or similar. Core obligation: cookie consent (obtain opt-in before setting non-essential cookies).
  • Equality Act (Accessibility). Applies if you provide services to the public. Core obligation: website accessibility to the WCAG 2.2 Level AA standard.

Your business has… EU customers
  • EAA (Accessibility). Applies if you sell products or services to consumers in the EU. Core obligation: website accessibility to WCAG 2.2 Level AA plus EN 301 549.
  • EU GDPR. Applies if you process personal data of EU residents. Core obligation: data protection; can require additional agreements with an EU DPA.
  • EU AI Act. Applies if you use AI tools and have EU exposure. Core obligation: AI transparency, documentation, risk assessment.

Your business has… employees
  • Employment Rights Act. Applies if you have one or more employees. Core obligation: day-one rights, harassment duty, tribunal rules (phased April 2026–Jan 2027).
  • UK GDPR. Applies if you store any employee data. Core obligation: employee privacy notices, data retention, access controls.

Your business has… AI tools in use
  • EU AI Act. Applies if you use AI and have EU customers. Core obligation: AI risk classification, documentation, disclosure.
  • UK GDPR Article 22. Applies if you use AI to make automated decisions about individuals. Core obligation: automated decision transparency, human review option.
  • Employment law. Applies if you use AI in hiring or people management. Core obligation: AI bias assessment, fairness checks, disclosure to candidates.

Your business has… processed personal data
  • UK GDPR. Applies if you process data of UK residents. Core obligation: all GDPR obligations (lawful basis, transparency, security, rights).
  • DUAA. Applies if you process UK personal data. Core obligation: complaint handling, lawful basis documentation, breach response.

Your business has… connected products
  • PSTI Act. Applies if you sell smart connected devices. Core obligation: security standards, vulnerability disclosure, update requirements.

Your business has… a user platform
  • Online Safety Act. Applies if you operate a user-generated content platform. Core obligation: content moderation, illegal content removal, duty of care.

Common Scope Questions

“We only use Google Analytics — are we in scope for PECR?”

Yes. Google Analytics sets cookies (_ga, _gid) that track users across sessions. These are not essential cookies — they require user consent before they’re set. PECR applies, and UK GDPR applies to the data those cookies collect.

The same applies to: Facebook Pixel, HubSpot tracking, Hotjar session recordings, embedded YouTube videos, A/B testing tools, live chat widgets, and any third-party script that stores data on the user’s device.

“Our website is purely informational — we don’t collect any personal data.”

If your website has analytics or cookies, you’re processing personal data (IP addresses, browser identifiers). If you have a contact form, newsletter signup, or login, you’re collecting personal data. If you embed third-party content (YouTube videos, social media feeds, live chat), those third parties are processing personal data through your website.

At minimum, even a purely informational website with no forms is likely to have analytics and therefore be subject to PECR and UK GDPR.
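Both answers above turn on the same mechanism: a third-party script or embed must not store anything on the visitor’s device until the visitor has opted in, and the absence of a consent record has to mean “no”. The following is an added example, not code from the original guide, of a default-deny consent gate that decides which integrations may load. The integration IDs, their categories and the consent-cookie format are constructed assumptions for illustration; in a real page the `load` list is where the `<script>` and `<iframe>` tags would be injected.

```javascript
// Added example (not from the original guide): a default-deny consent gate for
// the kinds of third-party integrations the guide lists. Integration IDs,
// categories and the consent-cookie format are constructed assumptions.
//
// Rules implemented:
//  - only "essential" integrations run before consent;
//  - no consent record at all means NO consent (opt-in, never opt-out);
//  - a category is granted only when the record says exactly "1" or "true".

const INTEGRATIONS = [
  { id: "session-cookie",   category: "essential",  note: "login/session, strictly necessary" },
  { id: "google-analytics", category: "analytics",  note: "sets _ga and _gid" },
  { id: "hotjar",           category: "analytics",  note: "session recordings" },
  { id: "ab-testing",       category: "analytics",  note: "experiment-assignment cookie" },
  { id: "facebook-pixel",   category: "marketing",  note: "cross-site ad tracking" },
  { id: "youtube-embed",    category: "embeds",     note: "third-party iframe sets its own cookies" },
  { id: "live-chat",        category: "functional", note: "vendor widget stores a visitor ID" },
];

const TRUE_VALUES = new Set(["1", "true"]);

// Parse a consent record such as "analytics=1;marketing=0;embeds=true".
// Malformed tokens are ignored; any category not explicitly granted is denied.
function parseConsent(raw) {
  const granted = {};
  if (typeof raw !== "string") return granted;
  for (const token of raw.split(";")) {
    const parts = token.split("=").map((s) => s.trim());
    const key = parts[0];
    const value = parts[1];
    if (!key || value === undefined) continue;
    granted[key] = TRUE_VALUES.has(value.toLowerCase());
  }
  return granted;
}

// Split integrations into those that may load now and those held back.
function planLoads(consent, integrations = INTEGRATIONS) {
  const load = [];
  const hold = [];
  for (const item of integrations) {
    const permitted = item.category === "essential" || consent[item.category] === true;
    (permitted ? load : hold).push(item.id);
  }
  return { load, hold };
}

// Entry point a page would call on load, passing the consent cookie value
// (or undefined when no cookie is present). Returns the plan instead of
// touching the DOM so the decision logic can be tested on its own.
function consentGate(rawConsentCookie) {
  const consent = parseConsent(rawConsentCookie);
  const plan = planLoads(consent);
  return { consent, load: plan.load, hold: plan.hold };
}
```

The important design choice is the default: with no cookie, or with a cookie that does not say “1” or “true” for a category, everything except the strictly necessary session cookie is held back. A gate that treated a missing record as consent, or that loaded the analytics tag and only then asked, would leave the site in exactly the position the two questions above describe.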

“We have EU customers but they’re all businesses — are we in scope for EAA?”

The EAA applies to products and services sold to consumers. B2B-only businesses are generally exempt. But if any of your customers are individuals (even if they’re using your service for business purposes), the EAA applies. And if you sell to EU businesses that may resell to consumers, check your contracts — you may have extended liability.

Microenterprises (fewer than 10 employees and under €2M turnover) have some EAA exemptions, but these are narrower than most assume — they apply only to specific product categories and don’t exempt all digital services.

“We use ChatGPT internally — do we need to comply with the AI Act?”

The EU AI Act’s scope is based on placing AI systems on the EU market or offering them to EU users. If your business uses ChatGPT or similar tools and any of the following apply:

  • You have EU customers (whether digital service customers or physical product customers)
  • You process EU personal data
  • You make decisions about EU individuals (hiring, credit, access to services)

Then the AI Act likely applies. Even if you’re using commercial off-the-shelf tools, you may have obligations around documentation, transparency, and disclosure.

If you use AI to make hiring decisions, employment law obligations apply in addition to the AI Act.

“We’re a small B2B consultancy with one employee — are these regulations really all applicable?”

Yes. There is no small-business exemption for:

  • UK GDPR (applies from sole trader upward)
  • Equality Act (no size threshold)
  • PECR (applies to any website with cookies)
  • Employment law (applies with one employee)
  • AI Act (if you use AI and have EU exposure)

What varies is your resources to address them. A 3-person business faces the same substantive obligations as a 30-person company — you just implement them with fewer people and may take longer.

Regulatory Interactions

The key insight: regulations don’t operate in isolation. Your exposure in one area often creates obligations in others.

GDPR → Cookies: If your website processes personal data (UK GDPR applies), and you use cookies or tracking to collect that data, then PECR applies AND you need valid lawful bases under GDPR for the processing those cookies enable.

Accessibility → Data Protection: Your privacy policy must be accessible (WCAG). Your cookie consent mechanism must be keyboard-navigable. Your contact form must have accessible form labels. Accessibility intersects with every data collection point.

Employment → Data Protection: Employee data is personal data under UK GDPR. Hiring decisions trigger both employment law and potentially AI Act obligations. Performance data requires appropriate retention policies under GDPR.

AI → Employment: If you use AI in hiring, you’re subject to both the EU AI Act (if you have EU exposure) and employment law anti-discrimination rules.

Data Breach → Multiple domains: A security breach triggers GDPR notification obligations, cybersecurity reporting requirements (if you’re a critical infrastructure provider), employment law implications (if employee data is affected), and insurance obligations.

Scope Changes Ahead

Your regulatory scope isn’t static. These changes arrive in 2026:

  • April 2026: Employment Rights Act Phase 1. If you have employees, new obligations apply immediately.
  • June 2026: DUAA full implementation + EAA one-year anniversary. Cookie consent rules change. Accessibility enforcement escalates.
  • August 2026: EU AI Act high-risk deadline. If you use AI and have EU exposure, obligations tighten.
  • October 2026: Employment Rights Act Phase 2 + extended tribunal time limits. Harassment duty applies. Previous employment disputes can now trigger claims years later.
  • January 2027: Unfair dismissal qualifying period drops to 6 months. Another employment law escalation.

Your scope in January 2027 will be different from your scope in April 2026. Regulatory compliance isn’t static — it requires annual review and adjustment.

What to Do Now

Start with this table. Identify which rows apply to your business. For each row, you now know which regulation applies and what the core obligation is.

For deeper dives into specific regulations, use the hub’s domain guides.

To stay informed about which regulations affect your business and upcoming regulatory changes, subscribe to our fortnightly newsletter.

If you’re ready for a full compliance screening that identifies gaps across all applicable domains, Bartram Complete delivers a cross-domain assessment with a prioritised action plan.
