Do I need a privacy policy on my website?
Short answer: yes. If your website collects any personal data — and it almost certainly does — UK GDPR requires you to have a privacy policy. Here’s exactly when you need one, what it must include, and what the consequences are if you don’t have one.
The quick test
Does your website do any of the following?
- Has a contact form
- Has an email address that people can write to
- Uses Google Analytics (or any analytics tool)
- Has a cookie banner or sets any cookies
- Accepts online payments
- Has an email signup or newsletter form
- Uses a live chat widget
- Embeds YouTube videos, Google Maps, or social media widgets
- Uses Facebook Pixel, LinkedIn Insight Tag, or any marketing tracker
- Has a booking or appointment system
If you ticked even one of these, your website collects personal data and you need a privacy policy. In practice, this means virtually every business website in the UK needs one.
Even Google Analytics counts. Google Analytics collects IP addresses, which are personal data under UK GDPR. If you’ve installed GA on your website — even if you never look at the data — you are processing personal data and need a privacy policy that discloses it.
What the law actually says
UK GDPR Articles 13 and 14 require you to provide individuals with specific information when you collect their personal data. The privacy policy is the standard way businesses meet this obligation. The Data Protection Act 2018 reinforces this in UK law.
The requirement applies to every organisation that processes personal data, regardless of size. A sole trader plumber with a one-page website has the same legal obligation as a multinational corporation. The scale of the privacy policy will differ, but the requirement is identical.
What your privacy policy must include
UK GDPR Articles 13 and 14 specify exactly what information you must provide. Your privacy policy needs to cover:
- Your identity and contact details — who is the “data controller” (your business name, address, and a contact email)
- What data you collect — the categories of personal data (names, emails, IP addresses, payment details, etc.)
- Why you collect it — the purposes of processing (to provide services, to send marketing, to analyse website traffic)
- The legal basis for each purpose — consent, contract, legal obligation, or legitimate interests. You must state the specific basis for each type of processing, not just pick one.
- Who you share data with — categories of recipients (payment processors, email marketing tools, analytics providers, regulators)
- International transfers — if any data leaves the UK (Google Analytics transfers data to the US, for example), you must explain the safeguards in place
- How long you keep data — specific retention periods for each category of data, not just “as long as necessary”
- Individual rights — the right to access, rectify, erase, restrict, object, and data portability
- Right to complain to the ICO — you must tell people they can complain to the Information Commissioner’s Office, with contact details
- Automated decision-making — if you use it, you must explain the logic, significance, and consequences
What happens if you don’t have one
The consequences of not having a privacy policy range from mild to severe:
ICO enforcement. The ICO can investigate your business following a complaint or as part of a sector audit. They can issue enforcement notices (requiring you to fix the problem within a deadline), assessment notices (requiring you to allow an audit), and monetary penalties. Maximum fines under UK GDPR are £17.5 million or 4% of annual turnover, whichever is higher. For small businesses, fines are typically in the hundreds to low thousands, but the process itself is disruptive and stressful.
Customer complaints. Any individual can complain to the ICO about your data handling for free. If a customer is unhappy with how you’ve handled their data and discovers you don’t have a privacy policy, they have a straightforward complaint to make. The ICO is obliged to investigate complaints.
Reputational damage. Being listed on the ICO’s enforcement actions page is public and permanent. Potential customers who search for your business may find it.
Contract issues. Many B2B contracts now require suppliers to demonstrate GDPR compliance. Not having a privacy policy makes it harder to win business contracts.
“But I’m just a small business…”
Size doesn’t determine whether you need a privacy policy. The requirement is triggered by processing personal data, not by business size, turnover, or number of employees. A one-person business with a WordPress website and a contact form processes personal data and needs a privacy policy.
What size does affect is the level of detail required. A sole trader with a simple brochure website needs a shorter, simpler privacy policy than a company with an e-commerce platform, customer database, and marketing automation. But both need one.
Can I use a free template?
Free templates are better than nothing, but they have significant limitations:
- They’re generic. A template doesn’t know what tools your website uses (Stripe, Mailchimp, Google Analytics), what sector you’re in, or what data you specifically collect.
- They’re often out of date. UK data protection law changed with the Data Use and Access Act 2025 — templates written before June 2025 may not reflect current requirements.
- They may be for the wrong jurisdiction. Many free templates are written for US or EU law, not UK GDPR specifically.
- They don’t cover sector-specific requirements. A garage handling MOT data, a salon storing allergy records, or a solicitor with AML obligations all need sector-specific clauses that no generic template includes.
The ICO does provide a privacy notice template tool, which is a reasonable starting point, but it still requires you to understand your own data processing activities well enough to complete it accurately.
Get a privacy policy built for your business
We scan your website, identify your sector, detect the tools you use, and build a privacy policy that actually reflects what your business does. Plus terms and conditions, cookie policy, and accessibility statement. From £49.
It’s not just a privacy policy
While the privacy policy gets the most attention, UK websites also need to comply with several other regulations:
- Cookie consent (PECR) — a banner with a genuine reject option if you use any non-essential cookies
- Cookie policy — explaining what cookies your site uses and why
- Terms and conditions — especially if you sell goods or services (Consumer Rights Act 2015)
- Accessibility statement — Equality Act 2010 and WCAG 2.1 Level AA
- Company information — registration number, registered address, VAT number (Companies Act 2006, E-Commerce Regulations 2002)
Getting all of these right is what turns a compliant-looking website into a genuinely compliant one.
Frequently asked questions
Do I need a privacy policy if I only have a simple website?
Almost certainly yes. Even a simple brochure website typically uses Google Analytics (which collects IP addresses) and may have a contact form or email link. If any personal data is collected or processed, you need a privacy policy.
Do sole traders need a privacy policy?
Yes. The requirement is based on processing personal data, not on business size or structure. A sole trader who collects customer names and email addresses has the same obligation as a large company.
Can I just copy someone else’s privacy policy?
No. Your privacy policy must accurately describe your data processing activities. Copying another business’s policy will likely be inaccurate and could create legal problems. An inaccurate privacy policy can be worse than not having one because it sets false expectations.
How often should I update my privacy policy?
Whenever your data processing activities change — for example, when you add new tools to your website, start collecting new types of data, or change how you use existing data. You should also review it when regulations change (as happened with the Data Use and Access Act 2025). At minimum, review it annually.
Where should the privacy policy be on my website?
It should be accessible from every page, typically via a link in the footer. It must be easy to find — burying it behind multiple clicks is not compliant. Best practice is a clearly labelled “Privacy Policy” link in your website footer.
Last updated: 8 March 2026 · This article is for informational purposes and does not constitute legal advice.