Do I need a privacy policy on my small business website?
If your website collects any data from visitors — even a contact form or analytics — you need a privacy policy. Here's what it needs to say and how to set one up in under an hour.
Quick answer
Yes. If your website has a contact form, uses analytics, sets cookies, accepts payments, or collects any personal data from visitors (an email address alone counts), you're legally required to have a privacy policy under UK GDPR and EU GDPR, under California law (CalOPPA applies to any commercial site collecting personal information from California residents; CCPA/CPRA adds further obligations once a business meets its size thresholds), and under most equivalent laws worldwide. The good news: for a typical small service business website, a privacy policy takes 30–60 minutes to write using a generator, doesn't need a lawyer, and is cheap insurance against complaints and fines.
Step-by-step
1. What a privacy policy is for
A privacy policy is a public statement telling visitors what personal data you collect, why, what you do with it, who you share it with, how long you keep it, and what rights they have to access or delete it. It's a legal requirement under data protection laws in most countries, including the UK (UK GDPR), the EU (GDPR), California (CalOPPA for any commercial site; CCPA/CPRA for businesses above its thresholds), and many other jurisdictions. It's also a credibility signal: visitors who notice you don't have one tend to trust your business less.
2. When you specifically need one
You need a privacy policy if your website does ANY of these things: collects contact form submissions, uses Google Analytics or any analytics tool, sets cookies (almost any modern site does), accepts payments, has a newsletter signup, embeds a Google Map, embeds YouTube videos, embeds social media widgets, has a chat widget, or collects any data through any means. For practical purposes: every modern website needs a privacy policy. The list of websites that don't need one is essentially 'static brochure sites with no forms, no analytics, no cookies, and no third-party embeds' — almost nothing.
3. What it needs to include
At minimum: your business name and contact details (so visitors know who controls their data); what data you collect (names, emails, IP addresses, cookies, etc.); how you collect it (forms, analytics, cookies); why you collect it (legal basis under GDPR: usually contract, legitimate interest, or consent); who you share it with (your email provider, your form tool, your analytics tool, payment processor); whether any of that data leaves the UK/EU (for example, a US-hosted analytics or form provider) and on what safeguard; how long you keep it; what visitors' rights are (access, deletion, correction, portability, objection, and the right to complain to the supervisory authority, such as the ICO in the UK); how they can exercise those rights; and any third-party services you use that process visitor data. For UK/EU sites, you also need to name a Data Protection Officer if you are required to have one, and provide your ICO registration number if applicable.
4. How to create one without a lawyer
Two practical paths. One: use a reputable free or low-cost privacy policy generator — Termly, iubenda, FreePrivacyPolicy, or PrivacyPolicies.com. Answer a 20-minute questionnaire about your business and the tools you use, and you get a tailored policy. Two: many modern website builders (Adviita, Wix, Squarespace) generate a starting privacy policy automatically based on what your site does. In both cases, ALWAYS read the output and fill in business-specific details (your name, address, contact). Don't just copy someone else's policy from another website — that's both a copyright issue and won't accurately describe what YOUR site does, which is the whole legal point.
5. Where to put it and how to link to it
Two places. First: a dedicated /privacy or /privacy-policy page on your website with the full text. Second: a link to that page in your website footer on every page, plus a short notice on any form that collects data (contact form, newsletter signup, etc.) linking to it, for example 'We use the details you submit to reply to your enquiry; see our privacy policy.' Use an explicit checkbox only where you are actually relying on consent, such as a marketing newsletter signup, and keep that checkbox separate from the privacy notice: a privacy policy is something visitors are informed about, not something they agree to, and replying to a contact form doesn't need consent at all (it is usually covered by legitimate interest or contract). Where you do rely on consent, UK/EU law requires it to be 'freely given, specific, informed, and unambiguous', so the box must be unticked by default; a pre-ticked box doesn't count, and neither does making consent a condition of using the form.
6. Update it when your site changes
Add a new analytics tool? Update your privacy policy. Add a chat widget? Update your privacy policy. Add a new contact form for a different service? Check whether the policy still describes everything accurately. The legal exposure isn't from imperfect wording; it's from a policy that doesn't describe what you actually do, and from visitor data flowing to a third party you never mentioned. When you add a tool, check its own privacy terms for where visitor data is stored and whether it leaves the UK/EU, and record that in your policy. Set a calendar reminder every six months to re-read it against your current site.
Tips & best practices
- If you use Adviita, a privacy policy template is generated automatically when you build your site — fill in your business details and you're done in under five minutes.
- A privacy policy isn't the same as terms of service or a cookie banner — you may need all three depending on what your site does. The privacy policy is about personal data; terms of service are about how visitors can use your site; the cookie banner is about consent to set cookies.
- Don't pay a lawyer for a privacy policy unless your business handles sensitive data (health, financial, or children's data) or you operate in heavily regulated jurisdictions. For a typical service business, a generator or builder template is more than enough.
Common questions
What happens if I don't have a privacy policy?
Practical risks: visitor complaints to data protection authorities (the ICO in the UK, CNIL in France, etc.), enforcement action and fines that can be substantial (UK GDPR allows fines of up to £17.5 million or 4% of annual global turnover, whichever is higher; EU GDPR up to €20 million or 4%), and reduced credibility with prospective customers. Most small businesses are unlikely to face a major fine, but the cost of having a policy is so low that there's no good reason to skip it.
Can I copy a privacy policy from another business?
No, for two reasons. One: it's copyrighted content. Two: it won't accurately describe YOUR business and the tools YOU use, which means it doesn't fulfil its legal purpose. Use a generator or your builder's template and customise.
Do I need a different privacy policy for UK, EU, and US visitors?
Most generators produce a single privacy policy that covers all major jurisdictions (UK GDPR, EU GDPR, CCPA/CPRA in California). For a small business serving multiple countries, one well-written global policy is usually sufficient. If you handle large volumes of sensitive data from a specific jurisdiction, consider getting that policy reviewed locally.
How is a privacy policy different from a cookie banner?
The privacy policy is a static page that describes what you do with personal data. The cookie banner is a pop-up or banner asking for the visitor's consent BEFORE you set non-essential cookies (analytics, advertising); strictly necessary cookies, such as a session cookie for a login or shopping basket, don't need consent but should still be described in your policy. UK/EU law (PECR in the UK, the ePrivacy rules in the EU, alongside GDPR) requires both for most sites. Adviita generates both automatically.