Now taking new projects, limited availability each month.

What Is a Privacy Policy and Does Your Website Actually Need One?

If you have ever wondered whether that privacy policy page is just box-ticking or something you genuinely need, you are not alone. The honest answer is: most websites that collect any information from visitors — even just an email address — need one by UK law. Here is what a privacy policy is, why it matters, and how to get one that actually works.

A privacy policy is a page on your website that explains what personal information you collect from visitors, why you collect it, and what you do with it. Under UK GDPR, if your website collects any personal data — including names, email addresses, phone numbers, or even just tracking cookies — you are legally required to have one. This applies to almost every small business website. You do not need a lawyer to write one, but it does need to be accurate, specific to your website, and easy for visitors to find.

Privacy policies became a legal requirement in the UK under the Data Protection Act 2018 and UK GDPR — the UK's version of the European GDPR rules that came into force after Brexit. They are not just a formality that large companies have to worry about. They apply to businesses of all sizes, including sole traders and micro-businesses.

The good news is that writing a privacy policy for a simple small business website is not as complicated as it sounds. Here is how to approach it.

What a Privacy Policy Actually Is

A privacy policy is a document — usually a dedicated page on your website — that tells visitors:

  • What personal information you collect. This could be a name and email address from a contact form, a phone number from a booking system, or technical data collected by Google Analytics about how visitors use your site.
  • Why you collect it. For example: "We collect your email address so we can reply to your enquiry" or "We use Google Analytics to understand how people use our website."
  • What you do with it. Do you store it, share it with anyone, use it for marketing? These all need to be disclosed.
  • How long you keep it. You should not hold onto personal data indefinitely. Specifying a retention period — "we delete enquiry data after 12 months" — is part of complying with UK GDPR.
  • How visitors can request their data or ask you to delete it. Under UK GDPR, individuals have rights over their personal data, including the right to request a copy of what you hold about them.

Does Your Website Collect Personal Data?

Almost certainly yes — even if you think it does not. Here are the most common ways small business websites collect personal data without their owners realising:

  • Contact forms. Any form that asks for a name, email, or phone number is collecting personal data.
  • Google Analytics. Google Analytics collects IP addresses and browsing behaviour. Even though Google does the processing, you as the website owner are responsible for disclosing that you use it.
  • Email newsletter sign-ups. If you collect email addresses for a Mailchimp list or similar, that is personal data collection.
  • Booking systems. Tools like Calendly or any appointment booking widget collect names and contact details.
  • Live chat or chatbot tools. If a visitor types their name or email into a chat widget, that is personal data.
  • Cookies. Advertising and tracking cookies identify users across the web and count as personal data processing.

If your website has a contact form, Google Analytics, or any third-party tool, it almost certainly collects personal data — and you need a privacy policy.

What Happens If You Do Not Have One?

Operating a website that collects personal data without a privacy policy is a breach of UK GDPR. In practice, the Information Commissioner's Office (ICO) — the UK body that enforces data protection law — focuses its enforcement on serious breaches involving large amounts of data or significant harm to individuals. Small businesses are unlikely to face a fine for a missing privacy policy alone.

However, there are other practical risks:

  • Loss of trust. Visitors who notice a missing privacy policy — particularly more privacy-conscious ones — may leave your site and question your professionalism.
  • Complaints. A visitor can file a complaint with the ICO if they believe you are mishandling their data. A missing policy makes this more likely and harder to defend.
  • Contract requirements. If you use tools like Google Analytics or Mailchimp, your contract with those services typically requires you to have a privacy policy. Failing to have one could technically mean you are in breach of their terms.

What to Include in a Privacy Policy for a Small Business Website

A privacy policy for a straightforward small business website does not need to be lengthy. Most of what you need to cover can be addressed in a single page. Here is what to include:

  • Who you are. Your business name, address, and contact details.
  • What data you collect and why. Go through every form, tool, and third-party service on your website and list what each one collects.
  • Your lawful basis for processing. Under UK GDPR you need a legal basis to process personal data. For contact forms, this is usually "legitimate interests" or "consent". For analytics, it is often "legitimate interests".
  • Third parties. If you share data with anyone — Google, Mailchimp, a booking system — you need to name them.
  • How long you keep data. Give a specific timeframe where possible.
  • Individual rights. Explain that visitors can request access to their data, request deletion, or object to processing — and how to contact you to do so.
  • Cookies. If your website uses cookies beyond strictly necessary ones, explain this. This links closely to your cookie banner if you have one.
  • Date last updated. Include the date so visitors know how current the policy is.

Do You Need a Lawyer to Write One?

For a simple small business website, no. There are several legitimate ways to create a compliant privacy policy without paying for legal advice:

  • The ICO's own guidance. The Information Commissioner's Office has free templates and guidance specifically for small organisations at ico.org.uk. This is the most authoritative source and the most relevant to UK law.
  • Privacy policy generators. Tools like Termly or iubenda can generate a reasonably comprehensive policy based on the tools and data practices you describe. They are not perfect substitutes for legal advice, but for a small business website with a contact form and analytics, they cover the basics.
  • A plain-English draft, reviewed once. Writing a clear, honest description of exactly what your website does and getting a one-off review from a data protection consultant is a proportionate option for businesses that handle more sensitive data or larger volumes of customer information.

What you should not do is copy someone else's privacy policy. Policies need to accurately reflect your actual data practices. A copied policy that describes data practices you do not have — or fails to mention ones you do — could cause more problems than having no policy at all.

Where to Put Your Privacy Policy

Your privacy policy needs to be easy to find. Standard practice is to link to it from your website's footer — the bar at the bottom of every page. Most visitors know to look there. You should also link to it from any contact form or sign-up form where personal data is collected.

The page URL does not matter much for legal purposes, but something like /privacy.html or /legal keeps it easy to find and reference.

Frequently asked

Is a privacy policy legally required in the UK?
Yes, if your website collects any personal data — which includes contact form submissions, email sign-ups, and even analytics data. Under the UK GDPR and Data Protection Act 2018, you must inform individuals about how their data is processed. A privacy policy is the standard way of doing this. There is no minimum turnover or company size threshold — the law applies to sole traders and micro-businesses as well as large companies.
Do I need a privacy policy if my website only has a contact form?
Yes. A contact form that collects a name and email address is collecting personal data. You need to explain in a privacy policy why you collect it, what you do with it, how long you keep it, and how the person can ask you to delete it. It does not need to be a long document — a straightforward page covering these points is sufficient.
What is the difference between a privacy policy and a cookie banner?
They are related but different. A privacy policy is a full document explaining all the ways your website handles personal data. A cookie banner is the pop-up that asks visitors to consent to non-essential cookies before they are set. Your privacy policy should include a section about cookies, and your cookie banner should link to your privacy policy. But they serve different purposes — one is about disclosure, the other is about obtaining consent.
Does GitFoundry include a privacy policy when building websites?
GitFoundry-built sites include a legal page with a privacy policy template that covers the most common data practices for a small business website — contact forms, analytics, and cookies. You will need to review it and update it to accurately reflect your specific situation, but the structure and the standard clauses are included as part of every build.