Legal · 8 min read · By APLeads

Your agency built you a website. They probably forgot to make it legal.

Your agency delivered a nice-looking website. What they probably didn't do is make sure it's actually legal under UK law. Here's the checklist they forgot.

Tags: legal website trade business UK, GDPR tradesperson UK, cookie consent UK website, website privacy policy UK, website accessibility law UK trade, UK GDPR fines small business

Your agency delivered a nice-looking website. You paid the invoice. They moved on to the next client.

What they probably didn't do — and what almost no web agency proactively does — is make sure your website is actually legal under UK law.

Not "looks professional." Not "loads fast." Legal. As in: not opening you up to fines, enforcement action, or complaints under data protection law, accessibility regulations, or consumer protection requirements.

This isn't a scare piece. It's a practical checklist of what's missing from most trade business websites and what it means for you as the business owner whose name is on the site.


What "legally compliant" actually means for a trade website

When most people hear "legal website," they think of solicitors. But compliance applies to every business that has a website — including plumbers, electricians, roofers, and builders.

There are five areas that catch UK tradespeople out most often.

1. UK GDPR and your contact form

If your website has a contact form — and virtually every trade website does — you are collecting personal data. A name, a phone number, an email address: all of it falls under the UK General Data Protection Regulation (UK GDPR), which retained the core of EU GDPR after Brexit.

The moment someone submits that form, you're legally a data controller. That comes with obligations:

  • You must have a published Privacy Policy that explains what data you collect, why, how long you keep it, and who you share it with
  • You must have a lawful basis for processing the data (legitimate interest or consent, most likely)
  • If you use that data to send marketing, you need explicit consent

The penalty for getting this wrong? The ICO (Information Commissioner's Office) can issue fines of up to £17.5 million or 4% of annual global turnover — whichever is higher. For a small business, even a £2,000–£10,000 enforcement notice would be devastating.

Most agency-built sites have a contact form. Fewer than half have a compliant Privacy Policy. Almost none walk you through what you're actually committing to.

2. Cookies and tracking: Google Analytics and the Facebook Pixel

Google Analytics is on almost every agency-built trade website. So is the Facebook Pixel, if the agency ran any ads. Both of these drop cookies onto your visitors' devices, track their behaviour across the web, and send that data to third parties.

Under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR), you must:

  • Tell visitors what cookies you use and why
  • Get explicit consent before setting non-essential cookies
  • Give users the ability to refuse or withdraw consent easily

A banner that says "We use cookies. By continuing, you agree" does not meet the legal standard. Consent must be specific, informed, and freely given — which means visitors need a real "Accept" and "Reject" option, not just an "OK" button.

Most agency-built sites either have no cookie banner at all, or have one that doesn't actually block cookies before consent is given. Both are non-compliant.
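What "blocks cookies before consent is given" means in practice: the analytics and pixel tags must not be in the page's HTML at all, and must only be injected after the visitor records a choice. The following consent gate is an added example written for this article, not APLeads' code or any agency's plugin. It assumes each third-party tag is wrapped in a loader function, that the visitor's choice is stored under the key `cookie_consent_v1` (an assumed name), and that `storage` is either `window.localStorage` or the in-memory stand-in defined in the block so it also runs outside a browser.

```javascript
// Added example (not APLeads' code): a consent gate that keeps non-essential tags
// (analytics, ad pixels) off the page until the visitor actively accepts them.
// Assumptions: tags are wrapped in loader functions rather than hard-coded in the
// HTML, consent is recorded under CONSENT_KEY (an assumed name), and `storage` is
// either window.localStorage or the in-memory stand-in below.

const CONSENT_KEY = "cookie_consent_v1";        // assumed storage key
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories only

// In-memory stand-in for localStorage so the gate runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser-only helper for loaders: adds the tag only when actually called.
function injectScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentGate(storage, loaders) {
  const loaded = new Set(); // categories whose tags have already run this page view

  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;                           // never asked: show the banner
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt record: ask again
  }

  function write(choices) {
    storage.setItem(CONSENT_KEY, JSON.stringify({ ...choices, at: new Date().toISOString() }));
  }

  // Every category gets an explicit true/false; silence is never treated as "yes".
  function choicesFrom(acceptedCats) {
    return Object.fromEntries(CATEGORIES.map((c) => [c, acceptedCats.includes(c)]));
  }

  // Run loaders only for categories with a recorded `true`; "no record" loads nothing.
  function applyConsent() {
    const c = read();
    for (const cat of CATEGORIES) {
      if (c && c[cat] === true && !loaded.has(cat)) {
        (loaders[cat] || []).forEach((fn) => fn());
        loaded.add(cat);
      }
    }
    return Array.from(loaded).sort();
  }

  return {
    init: () => applyConsent(),                 // on page load, honour an earlier choice
    status: () => read(),                       // null means the banner must be shown
    shouldLoad: (cat) => { const c = read(); return !!(c && c[cat] === true); },
    acceptAll: () => { write(choicesFrom(CATEGORIES)); return applyConsent(); },
    acceptSome: (cats) => { write(choicesFrom(cats)); return applyConsent(); },
    rejectAll: () => { write(choicesFrom([])); return applyConsent(); },
    // Withdrawal: a tag already running cannot be unloaded, so clear the record and
    // have the caller reload the page; the next load starts with nothing set.
    withdraw: () => { storage.removeItem(CONSENT_KEY); return "reload-required"; },
    loadedCategories: () => Array.from(loaded).sort(),
  };
}

// Browser wiring (assumed ids; the measurement id is a placeholder):
// const gate = createConsentGate(window.localStorage, {
//   analytics: [() => injectScript("https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER")],
// });
// if (gate.status() === null) showBanner(); else gate.init();
// acceptButton.onclick = () => gate.acceptAll();  rejectButton.onclick = () => gate.rejectAll();
```

The two checks worth keeping from this design: a fresh visitor has no record at all (so nothing loads, and "Reject" is a first-class choice that is stored, not just a dismissed banner), and a tag that has already run cannot be taken back client-side, which is why withdrawal clears the record and asks for a reload rather than pretending to stop tracking.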

3. Your privacy policy — if you even have one

Even if your agency included a Privacy Policy, there's a reasonable chance it's a generic template that doesn't match how your site actually works.

A compliant Privacy Policy must be specific to your business. It needs to accurately describe:

  • Exactly what personal data you collect (name, email, phone, IP address, browser data via analytics)
  • Why you collect each type of data
  • Your lawful basis for processing it
  • How long you retain it
  • Who you share it with (Google, your email provider, your CRM, your GHL account)
  • How individuals can exercise their rights (access, deletion, correction)

A copy-pasted policy from another website — even a similar trade business — almost certainly doesn't cover your actual data flows. If the ICO ever investigates a complaint, they will look at whether your policy reflects reality.

4. Website accessibility — the Equality Act 2010

This one surprises people. The Equality Act 2010 requires businesses to make reasonable adjustments so that disabled people are not placed at a substantial disadvantage. That includes your website.

The Web Content Accessibility Guidelines (WCAG) 2.1 Level AA is the accepted standard. Common failures on agency-built trade websites include:

  • Images without alt text (screen reader users can't understand them)
  • Insufficient colour contrast (visually impaired users can't read the text)
  • No keyboard navigation (users who can't use a mouse are locked out)
  • Contact forms with no labelled fields (assistive technology can't interpret them)

You don't need to be a multinational to face an accessibility complaint. The Equality and Human Rights Commission can receive complaints from any UK resident. Smaller businesses have received legal letters from third-party accessibility advocates.

Most agencies don't run an accessibility audit before launch. Most don't mention it at all.

5. Company information — the Companies Act 2006

If you operate as a limited company, the Companies Act 2006 requires you to display the following on your website:

  • Your full registered company name
  • Your company registration number
  • Your registered office address
  • If VAT registered: your VAT registration number

If you're a sole trader, the requirements are lighter but you still need to be transparent about who is operating the business.

Many agency-built websites for LTD companies don't include this information in the footer. It's a simple fix — but it's one that agencies rarely flag and clients rarely know to ask for.


Why your agency didn't tell you any of this

Web agencies are in the business of building websites. They're judged on how the site looks, how fast it loads, and whether the client is happy enough to pay the final invoice.

Legal compliance is a different discipline. It sits at the intersection of data protection law, consumer law, and accessibility regulation. Most agencies don't have that expertise in-house. Many are also running non-compliant websites for their own business.

The uncomfortable truth is that signing off on a legal checklist slows down projects, creates friction, and could open the agency to uncomfortable questions about sites they've already delivered. It's easier not to raise it.

That leaves you — the business owner — holding the liability.

[Image: Compliant vs non-compliant trade website — ICO legal risk]


What a legally compliant trade website actually looks like

A compliant trade website isn't harder to build. It just requires someone to think about it upfront and check the right boxes.

At minimum, every trade business website should have:

Documentation in place:

  • A Privacy Policy that accurately describes your data flows
  • A Cookie Policy that lists every cookie by name and purpose
  • Terms and Conditions if you take bookings or payments online

Technical implementation:

  • A cookie consent banner that blocks non-essential cookies until the user actively accepts
  • All forms sending data to a GDPR-compliant CRM or email system
  • Data retention settings configured (e.g., Google Analytics anonymisation enabled)

Accessibility basics:

  • All images with descriptive alt text
  • Body text meeting WCAG 2.1 AA contrast ratios (4.5:1 minimum)
  • All form fields labelled correctly for screen readers
  • The site navigable by keyboard without a mouse

Company information:

  • Registered company name, number, and address in the footer (for LTDs)
  • VAT number if VAT registered

None of this is complex. All of it can be fixed in about an afternoon, if the person building your website cares enough to check.
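Two of the accessibility basics above can be checked mechanically before launch: the 4.5:1 contrast ratio is a defined calculation in WCAG 2.1 (relative luminance of each colour, then `(lighter + 0.05) / (darker + 0.05)`), and missing alt text or unlabelled form fields are visible in the markup. The block below is an added example written for this article, not APLeads' code or the output of any audit tool; it computes the WCAG contrast ratio for hex colours and runs a simplified markup check over a constructed form snippet. The regex-based markup scan is an illustration of what an audit looks for, not a substitute for a proper tool such as a browser's accessibility audit.

```javascript
// Added example (not APLeads' code): WCAG 2.1 contrast ratio plus a simplified
// alt-text and form-label check. The HTML sample is constructed for this example.

// sRGB channel (0-255) to linear light, per the WCAG 2.1 relative luminance definition.
function channelToLinear(v) {
  const c = v / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Relative luminance of a "#rgb" or "#rrggbb" colour.
function relativeLuminance(hex) {
  const h = hex.replace("#", "");
  const full = h.length === 3 ? h.split("").map((x) => x + x).join("") : h;
  const [r, g, b] = [0, 2, 4].map((i) => parseInt(full.slice(i, i + 2), 16));
  return 0.2126 * channelToLinear(r) + 0.7152 * channelToLinear(g) + 0.0722 * channelToLinear(b);
}

// Contrast ratio is symmetric: the lighter colour always goes on top.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg), b = relativeLuminance(bg);
  const [hi, lo] = a > b ? [a, b] : [b, a];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for body text, 3:1 for large text (18pt, or 14pt bold).
function passesAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Simplified markup scan: images need an alt attribute (alt="" is fine for decorative
// images); visible form fields need a <label for=id> or, as a fallback, aria-label.
function findAccessibilityIssues(html) {
  const issues = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    if (!/\balt\s*=/i.test(tag)) {
      const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "?";
      issues.push(`img without alt: ${src}`);
    }
  }
  const labelled = new Set();
  for (const m of html.matchAll(/<label\b[^>]*\bfor\s*=\s*["']([^"']+)["']/gi)) labelled.add(m[1]);
  for (const tag of html.match(/<(?:input|textarea|select)\b[^>]*>/gi) || []) {
    const type = ((tag.match(/\btype\s*=\s*["']?([\w-]+)/i) || [])[1] || "text").toLowerCase();
    if (["hidden", "submit", "button"].includes(type)) continue; // no visible label needed
    const id = (tag.match(/\bid\s*=\s*["']([^"']+)["']/i) || [])[1];
    if ((id && labelled.has(id)) || /\baria-label\s*=/i.test(tag)) continue;
    const name = (tag.match(/\bname\s*=\s*["']([^"']+)["']/i) || [])[1] || "?";
    issues.push(`field without label: ${name}`);
  }
  return issues;
}

// Constructed sample: a typical trade-site contact block with two defects.
const SAMPLE_HTML = `
<img src="van.jpg">
<img src="logo.png" alt="Company logo">
<form>
  <label for="email">Email</label><input id="email" name="email" type="email">
  <input name="phone" type="tel">
  <textarea name="message" aria-label="Your message"></textarea>
  <input type="submit" value="Send">
</form>`;

function runSampleAudit() {
  return {
    bodyTextOk: passesAA("#777777", "#ffffff"),   // common "light grey on white" choice
    adjustedOk: passesAA("#767676", "#ffffff"),   // one step darker clears 4.5:1
    issues: findAccessibilityIssues(SAMPLE_HTML),
  };
}
```

The pair of greys is the practical point: `#777777` on white comes out at about 4.48:1 and fails AA for body text, while `#767676` reaches about 4.54:1 and passes, so "looks readable" is not the test. A missing `alt` or an unlabelled phone field is the same kind of defect: invisible in a design review, obvious to a screen reader, and fixable in minutes.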

[Image: Legal compliance checklist for UK trade business websites — GDPR, cookies, accessibility, and company information requirements]


The question to ask any agency before you sign

The next time you're talking to a web agency — or reviewing your current site — ask them one question:

"Can you walk me through how this site handles GDPR, cookie consent, and accessibility compliance?"

If they look blank, change the subject, or say "we'll sort that out after launch" — you have your answer about how much they've thought about it.

Your website is a legal document the moment it goes live. The business name on it is yours. The liability is yours too.


APLeads builds lead capture systems for UK tradespeople. Every website we build includes GDPR-compliant contact forms, cookie consent, privacy documentation, and accessibility-checked components — because we think compliance should come as standard, not as an add-on.
