A visitor lands on your IFA website at 10pm. Before they have clicked a single button, your Google Analytics tag has fired, a Facebook Pixel has logged their visit, and a Hotjar recording has started tracking their mouse. None of this is lawful without consent: the cookies fall under PECR and the personal data they collect under UK GDPR, and IFA website GDPR compliance is one of the areas the ICO has started paying much closer attention to in 2026.
For years, most financial adviser firms assumed cookie compliance was a box-ticking exercise for big corporates. That assumption no longer holds. In March 2026, the ICO confirmed that 95% of the UK's top 1,000 websites now meet its cookie standards after a year-long enforcement sweep. With the largest sites broadly in line, attention is turning to smaller businesses, and financial services websites sit high on the priority list because of the sensitivity of the data they collect.
This post walks through the rules that actually matter, the failures the ICO is finding most often, and a practical way to audit your own site before a regulator does it for you.
£17.5m: maximum ICO fine, or 4% of global annual turnover, whichever is higher (source: ICO)
Why are IFA websites a regulatory priority?
Your website collects two categories of information that make regulators pay attention. The first is personal data in the UK GDPR sense: names, email addresses, phone numbers, and often pension values, dates of birth, or mortgage details submitted through contact forms. The second is behavioural data from cookies and tracking scripts. Setting or reading those cookies is governed by the Privacy and Electronic Communications Regulations (PECR), which is where the consent requirement for non-essential cookies comes from; the data they collect is still personal data, so UK GDPR applies to it as well.
Financial services sits in a difficult spot. The FCA's Consumer Duty requires firms to act in good faith with retail clients, and the FCA has explicitly said that includes transparent handling of data. The ICO and FCA signed a memorandum of understanding agreeing to share information about firms that fail on both fronts. A cookie banner that tricks users into consenting can now be a Consumer Duty issue as well as a GDPR one. For more on how Consumer Duty shapes your website, see our guide to Consumer Duty and your IFA website.
Put plainly: the two regulators are talking to each other, and the cost of getting this wrong has gone up.
What does GDPR compliance actually mean for your website?
Most IFAs conflate "GDPR" with "cookie banner". The scope is wider. A compliant IFA website has to handle six things properly:
- Cookie consent before non-essential trackers fire
- A clear, accessible privacy policy specific to your firm
- A lawful basis for every form of data processing
- Secure handling of data submitted through forms or chat
- A documented retention schedule
- A named route for subject access and deletion requests
Each of these maps to a specific article of UK GDPR or PECR. Missing any one is enough to fail an audit.
The 2026 IFA website GDPR checklist
Walk through your own site with this list open. Anything you cannot tick off with evidence is an exposure.
1. Cookie consent is a genuine choice. The reject button has to be as prominent as the accept button. No pre-ticked boxes. No "accept or leave" dark patterns. Scrolling or ignoring the banner does not count as consent under UK law.
2. Trackers are blocked until consent is given. If your Google Analytics, Meta Pixel, or LinkedIn tag fires before the user clicks accept, you are not compliant, no matter how polished the banner looks. Use a consent management platform that actually blocks the tags, or Google Consent Mode v2 in its basic implementation, to hold them back. Be aware that in the advanced Consent Mode implementation gtag.js still loads before consent and sends cookieless pings, so check in the browser's network tab what actually leaves the page before anyone clicks.
3. Your privacy policy lists every processor. Not a template you bought in 2020. An actual list of every company that receives data from your site: your email platform, CRM, analytics tool, chat widget, form builder, hosting provider.
4. Your legal basis for processing is documented. For enquiry forms, it is usually "legitimate interest" or "consent". Either is fine, but you need to know which you rely on and why. If you use legitimate interest, you need a legitimate interests assessment (purpose, necessity and balancing test) on file.
5. Marketing consent is separate from enquiry consent. A visitor filling in a contact form has not agreed to your monthly newsletter. The opt-in for marketing needs its own tick box, never pre-ticked.
6. Data retention has a specified period. "We keep data for as long as necessary" is not compliant. You need to say how long. Most IFAs retain client data for at least seven years after a relationship ends because of FCA record-keeping rules, but website enquiry data that never became a client should usually be deleted within 24 months.
7. Subject access requests have a named responder. Someone in the firm must know what to do when an email lands asking for "all data you hold about me". UK GDPR gives you one calendar month from receipt to respond, extendable by up to two further months only where requests are complex or numerous, and a request is valid whichever mailbox or channel it arrives through.
8. Your chat widget and form data are encrypted in transit and at rest. HTTPS across the whole site, with plain HTTP redirected, is the minimum. If any tool you use stores unencrypted pension values or National Insurance numbers, that is a security of processing failure under Article 32 and a data protection by design failure under Article 25.
| Feature | Non-compliant banner | Compliant banner |
|---|---|---|
| Reject is as prominent as accept | ✘ | ✔ |
| No pre-ticked boxes | ✘ | ✔ |
| Trackers blocked until consent | ✘ | ✔ |
| Scrolling does not imply consent | ✘ | ✔ |
| Lists purpose of each cookie category | Sometimes | ✔ |
| Easy to withdraw consent later | ✘ | ✔ |
Where are most IFA websites falling short?
Three failure patterns show up again and again on adviser sites.
The first is the template privacy policy. A firm paid a compliance consultancy £300 for a policy in 2018, pasted it onto the site, and never updated it. It still references "the EU General Data Protection Regulation" rather than UK GDPR. It lists Mailchimp as the email provider when the firm moved to HubSpot three years ago. A subject access request sent to the privacy@ address printed in the policy bounces because nobody ever set the mailbox up.
The second is the banner that was never actually wired up. The "accept all" click does not set any preferences. The "reject all" click does not block anything. Both options load every tracker on the site identically. This is surprisingly common with cheap WordPress plugins installed once and forgotten. It takes five minutes to check: open the site in a fresh browser profile with the network tab recording, click "reject all", and see whether requests to Google, Meta or LinkedIn hosts still appear.
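The following is an added example written for this article, not code from the original page or from ChatIFA. It does two things the checklist asks for: it audits a list of requests a page made before any banner interaction (in a browser, load the site in a fresh profile, leave the banner alone, and feed in `performance.getEntriesByType('resource').map(e => e.name)`), and it shows a consent gate that only injects a tag once its category has been granted, with the Consent Mode v2 default and update payloads alongside. The host-to-category map, the `{ analytics, marketing }` consent shape, the sample requests and the tag inventory are assumptions for illustration; extend the map with the vendors your own site uses.

```javascript
// Added example (not the page's or ChatIFA's code). Host map, consent shape
// and sample data are assumptions for illustration.

// Third-party hosts that set or read non-essential cookies, keyed to the
// consent category a typical CMP files them under (assumed mapping).
const TRACKER_HOSTS = {
  'www.googletagmanager.com': 'analytics',
  'www.google-analytics.com': 'analytics',
  'region1.google-analytics.com': 'analytics',
  'static.hotjar.com': 'analytics',
  'script.hotjar.com': 'analytics',
  'connect.facebook.net': 'marketing',
  'www.facebook.com': 'marketing',
  'snap.licdn.com': 'marketing',
  'px.ads.linkedin.com': 'marketing',
};

// Map a request URL to a consent category. First-party and unparsable URLs are
// "necessary"; a third-party host not in the map is "unclassified" so the audit
// surfaces it rather than silently allowing it.
function classifyRequest(url, firstPartyHost) {
  let host;
  try {
    host = new URL(url, `https://${firstPartyHost}`).hostname;
  } catch (err) {
    return 'necessary';
  }
  if (host === firstPartyHost) return 'necessary';
  return TRACKER_HOSTS[host] || 'unclassified';
}

// Return every request that should not have fired given the consent state.
function auditPreConsent(requestUrls, consent, firstPartyHost) {
  const violations = [];
  for (const url of requestUrls) {
    const category = classifyRequest(url, firstPartyHost);
    if (category === 'necessary') continue;
    if (category === 'unclassified') {
      violations.push({ url, category, reason: 'unknown third party: classify it and list it in the privacy policy' });
    } else if (consent[category] !== true) {
      violations.push({ url, category, reason: `fired without ${category} consent` });
    }
  }
  return violations;
}

// Consent gate for the tags you control: a tag reaches inject() only when its
// category has been granted. In a browser, inject(src) would append a
// <script src> element; here the caller supplies it.
function loadConsentedTags(tags, consent, inject) {
  const loaded = [];
  for (const tag of tags) {
    if (tag.category === 'necessary' || consent[tag.category] === true) {
      inject(tag.src);
      loaded.push(tag.name);
    }
  }
  return loaded;
}

// Google Consent Mode v2 defaults: all four storage types denied until the
// visitor chooses. Pass to gtag('consent', 'default', ...) before gtag.js loads;
// wait_for_update gives the CMP 500 ms to replay a stored choice.
function consentModeDefaults() {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500,
  };
}

// Translate a banner choice into the gtag('consent', 'update', ...) payload.
function consentModeUpdate(consent) {
  const analytics = consent.analytics === true ? 'granted' : 'denied';
  const marketing = consent.marketing === true ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Constructed sample: requests observed on a page load with no consent given.
const SAMPLE_REQUESTS = [
  'https://www.example-ifa.co.uk/assets/site.css',
  'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1',
  'https://connect.facebook.net/en_GB/fbevents.js',
  'https://static.hotjar.com/c/hotjar-123456.js?sv=6',
  'https://cdn.unknown-vendor.example/widget.js',
];
const NO_CONSENT = { analytics: false, marketing: false };

// Constructed tag inventory for the gate.
const SAMPLE_TAGS = [
  { name: 'cookie banner', category: 'necessary', src: '/assets/banner.js' },
  { name: 'GA4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1' },
  { name: 'Meta Pixel', category: 'marketing', src: 'https://connect.facebook.net/en_GB/fbevents.js' },
];

const FINDINGS = auditPreConsent(SAMPLE_REQUESTS, NO_CONSENT, 'www.example-ifa.co.uk');
console.log(`${FINDINGS.length} request(s) fired before consent:`);
for (const f of FINDINGS) console.log(`  ${f.category.padEnd(12)} ${f.url}  (${f.reason})`);
```

On the constructed sample the audit reports four findings: the GA4 loader and Hotjar script (analytics, no consent), the Meta Pixel (marketing, no consent) and the unknown vendor, which is flagged for classification rather than waved through. Run the same audit again after clicking "reject all" on the real banner; a compliant site returns an empty list.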
The third is form-data sprawl. A visitor fills in a contact form. That data ends up in the CRM, in a copy emailed to the adviser's personal Gmail, in a Google Sheet that powers an internal dashboard, and in an automated Slack notification. Each of those destinations involves a processor, and the personal Gmail copy is a copy the firm does not control at all. None of them are listed in the privacy policy. When the visitor later asks for deletion, only the CRM copy actually gets removed.
How do chat widgets and contact forms change things?
Any tool that collects visitor data is a data processor under UK GDPR, and you are the data controller. The rules are the same whether you use a contact form, a Calendly embed, a chat widget, or an AI assistant.
For a chat widget specifically, three things matter. First, the widget should not load third-party scripts before the visitor engages with it. A passive widget sitting in the corner should not be calling home until someone clicks it. Second, when a visitor does give contact details, the data should be encrypted and stored in a UK or EU data centre where possible. Third, the retention period for chat transcripts needs to be set and documented, not left as "forever".
If you are evaluating chat tools for your adviser website, ask the vendor directly where data is stored, who has access, and what their position is on the US CLOUD Act. Any tool hosted in the US that cannot answer clearly is worth checking with your DPO before deploying.
What happens if the ICO audits and finds problems?
Most ICO enforcement action against smaller firms does not result in fines. The usual path is a formal reprimand, a required action plan, and a follow-up audit. Reprimands are published on the ICO website and are visible to clients, professional indemnity insurers, and anyone running due diligence on your firm.
Where fines do happen, they can be severe. The statutory maximum is £17.5 million or 4% of global annual turnover, whichever is higher. In practice, enforcement against small financial services firms has fallen in the £5,000 to £50,000 range, but the reputational damage of appearing on the ICO enforcement register is the bigger concern for most IFAs.
Make your IFA website audit-ready
Good GDPR practice is not about fearing the ICO. It is about treating visitor data the same way you treat client data: carefully, transparently, and with a clear record of what you do with it. Firms that get this right also tend to convert better, because visitors trust a site that explains itself.
ChatIFA is built with UK GDPR and PECR in mind. Chat data stays in UK infrastructure, retention is set by you, and the widget does not load or track anything until a visitor opens the chat. Try the instant demo at chatifa.co.uk, or start a free trial with 25 messages and no payment details.