Website compliance for solicitors & law firms
Solicitor websites face a unique regulatory burden. Beyond GDPR, you’re subject to SRA transparency rules, anti-money laundering regulations, legal professional privilege obligations, and Legal Ombudsman requirements. A generic privacy policy doesn’t begin to cover it. Here’s what your firm’s website actually needs.
Why solicitor websites have extra compliance requirements
Every UK business website needs to comply with GDPR, PECR, the Consumer Rights Act, and the Companies Act. But solicitor websites sit in a more complex regulatory landscape because the SRA (Solicitors Regulation Authority) imposes additional transparency and disclosure requirements on top of these general obligations.
Since November 2019, the SRA has required law firms to publish pricing information for specific types of legal work on their websites. This was expanded and reinforced in subsequent updates. Firms that fail to comply risk regulatory action from the SRA, which can include fines, conditions on practice, and in serious cases, intervention.
On top of that, solicitors handle some of the most sensitive personal data of any profession: details of legal disputes, criminal matters, financial information, family proceedings, and health records. The combination of sector-specific regulation and data sensitivity means solicitor websites need significantly more than a downloaded template.
SRA transparency rules: what your website must display
The SRA Transparency Rules require regulated firms to publish pricing and service information for the following areas of law (where the firm offers them):
- Residential conveyancing — total cost or basis of charging, stages of the process, typical timescales, disbursements (searches, Land Registry fees, SDLT)
- Probate (uncontested) — total cost or hourly rate, what’s included, likely disbursements (probate registry fee, valuations), typical timescales
- Motoring offences — fixed fee or hourly rate for common offences, what’s covered at each stage
- Employment tribunal claims (employee side) — fee structure, stages, likely costs at each stage
- Immigration — application types, total costs, Home Office fees, typical timescales
- Debt recovery (up to £100,000) — costs at each stage, court fees, enforcement costs
- Licensing applications — types covered, total costs, council fees
For each service area, you must publish:
- The total cost of the service, or the basis for your charges (hourly rate, fixed fee, or a range)
- What services are included in the stated cost
- Any likely disbursements and their approximate cost
- Whether VAT is included or additional
- Typical timescales for the matter
- Key stages of the process and what the client can expect at each stage
- Qualifications and experience of the people who will carry out the work
Key point: The SRA transparency rules apply even if you only offer one of the listed service areas. If your firm does any residential conveyancing or uncontested probate, for example, you must publish pricing information for those services on your website. “Prices available on request” does not satisfy the requirement.
The SRA digital badge
The SRA provides a digital badge — a clickable logo that links to your firm’s entry on the SRA website, confirming your regulatory status, authorised activities, and any conditions on your practice. The SRA strongly encourages all regulated firms to display the badge on their website.
While displaying the badge is not strictly mandatory under the SRA Standards and Regulations, it is best practice and serves as a significant trust signal for potential clients. Our scanner checks for the presence of the SRA digital badge and flags its absence as a warning.
Your website should also clearly state that the firm is authorised and regulated by the SRA, with your SRA ID number and a link to the SRA website where clients can verify your status.
Privacy policy: what solicitors must cover beyond standard GDPR
Legal professional privilege
Solicitor-client communications benefit from legal professional privilege (LPP), which protects them from compelled disclosure. Your privacy policy should explain that privileged communications are handled with additional protections beyond standard personal data. It should also note that LPP may affect how you respond to data subject access requests — specifically, that privileged material may be withheld from a subject access request where disclosure would waive privilege.
Anti-money laundering data
Under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017, solicitors must conduct customer due diligence (identity verification, source of funds checks) and retain this data for five years after the end of the business relationship. Your privacy policy must disclose this processing, state the legal basis (legal obligation), and explain the five-year retention period.
Crucially, if you make a Suspicious Activity Report (SAR) to the National Crime Agency (NCA), you must not disclose this to the client — “tipping off” is a criminal offence under section 333A of the Proceeds of Crime Act 2002. Your privacy policy should not reference SARs specifically, but should note that certain legal obligations may prevent you from informing clients about specific data processing activities.
Regulatory data sharing
Solicitors share data with various regulatory bodies: the SRA (regulatory returns, complaints data), the Legal Ombudsman (if a complaint is escalated), the Legal Aid Agency (for legal aid matters), HMRC (for tax compliance), and the Land Registry (for conveyancing). Your privacy policy must name the categories of recipients and explain the legal basis for each type of sharing.
Client care letter integration
The SRA Code of Conduct requires firms to provide clients with information about how their matter will be handled, including costs, complaints procedures, and regulatory status. Your privacy policy and your client care letter should be consistent — if the client care letter promises certain data handling practices, the privacy policy should reflect them.
Retention periods
Law firms have specific retention requirements:
- Client matter files: typically 6 years after the matter closes (12 years for matters under seal or involving minors)
- AML records: 5 years after the end of the business relationship (Money Laundering Regulations)
- Accounting records: 6 years (SRA Accounts Rules)
- Wills: indefinitely (or until the testator’s death and administration of the estate)
- Title deeds: until the client requests their return
- Complaints records: retained in accordance with SRA requirements
Terms of engagement and complaints
Your website’s terms of service or terms of engagement should include:
- Complaints procedure — the SRA requires you to have a written complaints procedure and to inform clients of it. Your website should detail the internal complaints process, the timescales for responding, and the right to escalate to the Legal Ombudsman within six months of the end of the internal process (and within six years of the act/omission or three years of when the client knew about it).
- SRA regulatory status — a clear statement that the firm is authorised and regulated by the SRA, with your SRA ID number.
- Professional indemnity insurance — confirmation that the firm holds PII in accordance with the SRA Minimum Terms and Conditions.
- Lien rights — your right to retain papers and documents until outstanding fees are paid (solicitor’s lien).
- Interest policy — how you handle interest earned on client money held in your client account, in accordance with the SRA Accounts Rules.
Legal Ombudsman referral window: Clients must refer complaints to the Legal Ombudsman within six months of the date of your final internal response, and within six years of the act or omission (or three years from when the client should have known there were grounds for complaint). Your website should state these timeframes accurately.
Cookie consent and website tracking
Law firm websites frequently use Google Analytics, LinkedIn tracking pixels, and live chat widgets — all of which set cookies requiring consent under PECR. The Data Use and Access Act 2025 introduced changes to how cookie consent works in the UK, so if your setup hasn’t been reviewed since June 2025, it likely needs updating.
Your cookie consent banner must offer a genuine reject option that is as prominent as the accept button. A separate cookie policy should list each cookie, its purpose, the provider, and its duration.
Companies Act requirements
If your firm is a limited company or LLP, your website must display: the company or LLP name as registered, the registration number, the registered office address, the place of registration (e.g. “Registered in England & Wales”), and your VAT number if registered. These requirements apply under the Companies Act 2006 (section 82) and the Limited Liability Partnerships Regulations.
Common compliance gaps on solicitor websites
- Missing SRA pricing transparency — the most common gap. Firms offer conveyancing or probate but don’t publish pricing on their website.
- No SRA digital badge — missing the clickable badge that confirms regulatory status.
- Generic privacy policy — no mention of legal professional privilege, AML retention, or regulatory data sharing with the SRA, Legal Ombudsman, or NCA.
- Complaints procedure doesn’t reference the Legal Ombudsman — or states incorrect referral timescales.
- Missing retention periods — particularly for AML records (5-year statutory requirement) and client files (6/12-year standard).
- Cookie consent banner absent or non-compliant — despite using analytics and live chat tracking.
- No accessibility statement — required under the Equality Act 2010.
Get your law firm website compliant
We check your website against GDPR, PECR, SRA transparency rules, Companies Act, and Equality Act requirements — then deliver a complete compliance pack with sector-specific clauses for solicitors. From £49.
Frequently asked questions
What are the SRA transparency rules for websites?
The SRA requires solicitors to publish pricing information for certain services including conveyancing, probate, employment tribunals, immigration, debt recovery, and licensing. You must display total costs or a clear basis for charging, what’s included, disbursements, VAT, and likely timescales.
Do solicitors need a privacy policy?
Yes. Solicitors handle highly sensitive personal data including legal matters, financial information, and sometimes criminal records. UK GDPR requires a comprehensive privacy policy. The SRA Code of Conduct also requires firms to comply with data protection legislation.
What is the SRA digital badge and do I need it?
The SRA digital badge is a clickable logo that links to your firm’s entry on the SRA website, confirming your regulatory status. While not strictly mandatory, the SRA strongly encourages it and it serves as a significant trust signal for potential clients.
How does legal professional privilege affect GDPR compliance?
Privileged communications are protected from compelled disclosure. Your privacy policy should explain that privileged material is handled with additional protections and that LPP may affect how you respond to data subject access requests.
How long must solicitors keep AML records?
Under the Money Laundering Regulations 2017, customer due diligence records must be retained for five years after the end of the business relationship. This is a statutory requirement that overrides any shorter retention period in your general data retention schedule.
Last updated: 22 February 2026 · This article is for informational purposes and does not constitute legal advice. For complex situations, consult a solicitor.