Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Do UK Websites Legally Need A Privacy Policy?
- What Should A UK Privacy Policy Include?
  - 1) Who You Are And How To Contact You
  - 2) The Personal Data You Collect
  - 3) How You Collect Data
  - 4) Your Purposes And Lawful Bases
  - 5) Cookies And Similar Technologies
  - 6) Who You Share Data With
  - 7) International Transfers
  - 8) Data Retention
  - 9) Security Measures
  - 10) User Rights
  - 11) Children’s Data (If Applicable)
  - 12) Changes To This Policy
- Common Mistakes To Avoid (And How To Fix Them)
  - Mistake 1: Copy‑Pasting A Generic Template
  - Mistake 2: Ignoring Cookies Until After Launch
  - Mistake 3: Forgetting About Email Marketing Rules
  - Mistake 4: Over‑Promising Security
  - Mistake 5: Not Covering International Transfers
  - Mistake 6: No Processes To Support Your Policy
  - Mistake 7: Missing Links And Poor Visibility
- Key Takeaways
If your business has a website, you’re almost certainly collecting personal data in some way - whether that’s through contact forms, analytics cookies, newsletter sign-ups or online orders.
In the UK, that means you need a clear, accurate and compliant Privacy Policy for your website. The good news is that once you understand what the law expects (and what your users need to know), getting this right is very manageable - and it builds trust with customers from day one.
In this guide, we’ll walk through when a Privacy Policy is legally required, what to include, how cookies and email marketing fit into the picture, and a step‑by‑step approach to drafting a policy that meets UK requirements.
Do UK Websites Legally Need A Privacy Policy?
In practice, yes. Under UK privacy law, if you collect or process any personal data via your website, you’re required to give users transparent information about what you collect, why, and how you use it. The simplest and most common way to do that is through a publicly accessible Privacy Policy.
The main laws to be aware of are:
- UK GDPR (as incorporated into UK law) - sets out principles for processing personal data and requires transparent privacy information.
- Data Protection Act 2018 - supplements the UK GDPR and gives the Information Commissioner’s Office (ICO) enforcement powers.
- PECR (Privacy and Electronic Communications Regulations) - covers cookies, direct marketing and similar technologies used on websites.
Together, these laws require you to inform users (in concise, plain English) about who you are, what data you collect, your lawful basis for processing, who you share data with, retention periods, user rights, and more. The easiest way to meet those transparency duties is to publish and maintain a compliant Privacy Policy and link it from every page of your site.
Most UK businesses also pair their privacy statement with a separate Website Terms And Conditions that govern site use, liability and IP. Your Privacy Policy sits alongside those terms and explains your data practices specifically.
What Should A UK Privacy Policy Include?
Your Privacy Policy needs to be tailored to your business and the data you actually collect. That said, most UK policies include the following core sections.
1) Who You Are And How To Contact You
- Your business name, legal entity and trading name (if applicable).
- Registered address and contact details for privacy enquiries.
- Details of your Data Protection Officer (DPO) if you’re required to appoint one, or a contact responsible for data protection.
2) The Personal Data You Collect
Be specific and group by category. For example:
- Identity and contact: name, email, phone, postal address, job title.
- Transactional: order details, payment confirmations (note: payment card data is usually processed by your payment provider).
- Technical and usage: IP address, device IDs, browser type, pages viewed, clickstream data.
- Marketing preferences and communication history.
3) How You Collect Data
- Directly from users (forms, account creation, checkout, support chats).
- Automatically via cookies, pixels and analytics scripts.
- From third parties (e.g. payment processors, advertising networks, social logins) - state this clearly.
4) Your Purposes And Lawful Bases
For each processing activity, list the purpose (why you need the data) and the lawful basis under Article 6 UK GDPR. Common combinations include:
- To provide products/services and manage your account - contract necessity.
- To send service communications - contract necessity or legal obligation.
- To improve the site and measure performance - legitimate interests (with cookie consent where required).
- To send marketing emails or SMS - consent (and PECR applies).
- To prevent fraud and secure systems - legitimate interests or legal obligation.
5) Cookies And Similar Technologies
Explain that you use cookies or similar technologies, for what purposes (e.g. essential site functions, analytics, personalisation, advertising), and link to your standalone Cookie Policy and consent tool settings. Under PECR, non‑essential cookies require consent. Your policy should signpost how users can manage their cookie choices and where they can find more detail on the specific cookies you deploy.
6) Who You Share Data With
List categories of recipients (not necessarily named companies, unless that’s clearer):
- IT hosting and cloud providers
- Payment processors
- Analytics and advertising providers
- Customer support and communications platforms
- Professional advisers and regulators (where required)
If you rely on third parties to process data on your behalf, you should have a Data Processing Agreement in place to meet UK GDPR requirements.
7) International Transfers
If personal data is transferred outside the UK (for example, to the EEA or US), state which destinations and the safeguard used (e.g. UK IDTA, UK Addendum to EU SCCs, or adequacy regulations). If your analytics, email or cloud tools are hosted abroad, this section matters.
8) Data Retention
Explain how long you keep personal data and the criteria used to set those periods (e.g. while an account is active, plus 6 years to meet tax or audit requirements). Be consistent with your retention practices across systems.
9) Security Measures
Briefly summarise the technical and organisational measures you take (access controls, encryption in transit, staff training, supplier due diligence). Avoid making promises you can’t substantiate.
10) User Rights
Set out the rights individuals have under UK GDPR, including:
- Access, rectification and erasure
- Restriction or objection to processing
- Data portability
- Withdrawal of consent (where consent is your legal basis)
- Right to complain to the ICO
Tell users how to exercise these rights and your typical response timeframe. Internally, make sure you can meet Subject Access Request deadlines and handle requests efficiently.
11) Children’s Data (If Applicable)
If your site targets children or you knowingly process children’s data, explain the additional steps you take and ensure your policy aligns with the ICO’s Age Appropriate Design Code.
12) Changes To This Policy
Say how you’ll notify users about material updates (e.g. updated date at the top, in‑site notice for significant changes). Keep version control.
Cookies, Email Marketing And Third Parties: Extra Rules To Cover
Your Privacy Policy needs to connect the dots between your data practices and the additional rules that apply to cookies, marketing and external providers.
Cookies And Consent
PECR requires consent for most non‑essential cookies (analytics, advertising, personalisation). That means:
- Use a consent tool that lets users accept or reject non‑essential cookies before they’re set.
- Present clear choices, not just “OK” - and make rejecting as easy as accepting.
- Document consent signals and provide a link to change preferences later.
Your policy should reference your cookie control, and your separate Cookie Policy should list the types of cookies you use, purposes and durations. For practical implementation tips, this overview on cookie banners is helpful.
Email And SMS Marketing
Direct marketing is regulated by PECR and the UK GDPR. In short:
- Get valid consent for email/SMS marketing, unless you can rely on the “soft opt‑in” for existing customers (strict conditions apply).
- Always include an easy unsubscribe in every marketing message.
- Keep auditable records of consent (who, when, how, and what they were told).
Make sure your Privacy Policy explains your marketing approach and links to opt‑out routes. For a fuller breakdown of the rules, see the guide to Email Marketing Laws.
Working With Processors And Partners
If you use vendors for hosting, analytics, support or fulfilment, they may process data for you. Under UK GDPR, you need appropriate contracts in place: typically a Data Processing Agreement with processors and, where you exchange data with another controller on a controller‑to‑controller basis, a proportionate Data Sharing Agreement. Your Privacy Policy should identify the categories of recipients and why you share data with them.
How To Draft A Compliant Privacy Policy For Your Website (Step‑By‑Step)
Here’s a practical way to approach your Privacy Policy without getting overwhelmed.
Step 1: Map Your Data
List every point where your website collects personal data. Think beyond forms - include analytics, live chat, embedded videos, payment gateways, social media pixels, and any plug‑ins. For each, note what’s collected, the purpose, who receives it, where it’s stored, and how long it’s kept.
Step 2: Choose Your Lawful Bases
For each processing purpose, decide your lawful basis and sense‑check it. For example, contract necessity for order fulfilment, legal obligation for invoicing, legitimate interests for fraud prevention, and consent for non‑essential cookies or email marketing (unless soft opt‑in applies). Keep a short record of your reasoning.
Step 3: Tighten Your Vendor Contracts
Confirm you have appropriate terms with your vendors, especially where they process personal data for you. This is where a robust Data Processing Agreement is essential. If you exchange customer data with partners for joint activities, consider the boundaries and whether a controller‑to‑controller data sharing arrangement is in play.
Step 4: Build Or Update Your Cookie Controls
Implement a consent management platform, configure categories (strictly necessary, analytics, advertising, functional), and block non‑essential scripts until consent is given. Pair it with a clear, accessible Cookie Policy, and make sure users can change their choices at any time.
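The consent gate described in this step (and in the Cookies And Consent section above) can be modelled in a few dozen lines. The following is an added illustration, not Sprintlaw's code or any particular consent platform's API: it holds back non‑essential tags until the user has made a choice, treats "reject all" as the same single call as "accept all", and writes an auditable record (what was granted, how, against which policy version, and when). The `store` and `loadScript` callbacks are assumed hooks so it runs outside a browser; in production you would wire them to `localStorage` and a script‑tag injector. The `POLICY_VERSION` value and category names are constructed for the example.

```javascript
// Added example (not from the original article): a minimal PECR-style consent gate.
// Category names follow the article: strictly necessary, analytics, advertising, functional.
const CATEGORIES = ["strictly_necessary", "analytics", "advertising", "functional"];
const POLICY_VERSION = "cookie-policy-v1"; // assumed: the Cookie Policy version the user was shown

// store: object with get()/set() (e.g. a localStorage wrapper); loadScript(src): injects a tag.
function createConsentGate({ store, loadScript, now = () => new Date() }) {
  const pending = [];                            // non-essential tags held until a choice is made
  const state = { record: store.get() || null }; // a previously saved consent record, if any

  // Strictly necessary cookies need no consent; everything else needs a matching, current record.
  function allowed(category) {
    if (category === "strictly_necessary") return true;
    const rec = state.record;
    return !!rec && rec.policyVersion === POLICY_VERSION && rec.granted.includes(category);
  }

  // Register a script under a category; it loads now only if that category is already permitted.
  function register(src, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (allowed(category)) { loadScript(src); return true; }
    pending.push({ src, category });
    return false;
  }

  // Record the user's choice. `granted` lists accepted categories; an empty list is "reject all",
  // so rejecting is exactly one call, the same as accepting. `method` records how consent was given.
  function recordChoice(granted, method) {
    const record = {
      granted: granted.filter(c => c !== "strictly_necessary" && CATEGORIES.includes(c)),
      method,                          // e.g. "banner_accept_all", "banner_reject_all", "settings_panel"
      policyVersion: POLICY_VERSION,   // what the user was told at the time
      timestamp: now().toISOString(),  // when
    };
    state.record = record;
    store.set(record);                 // persisted so the choice can be evidenced and changed later
    // Release any held scripts whose category is now permitted; keep the rest pending.
    for (const item of pending.splice(0)) {
      if (allowed(item.category)) loadScript(item.src); else pending.push(item);
    }
    return record;
  }

  return { register, recordChoice, allowed, pendingCount: () => pending.length };
}
```

A real banner would call `recordChoice` from both the accept and reject buttons with equal prominence, and the settings link referenced in your policy would call it again to change the choice.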
Step 5: Draft Your Policy In Plain English
Use the structure outlined above and write clearly for your audience. Avoid jargon and don’t over‑promise on security or retention. If you don’t yet have one, consider having a lawyer prepare a tailored Privacy Policy that reflects your actual systems and marketing stack.
Step 6: Publish, Link And Keep It Findable
Place the policy at a stable URL (e.g. /privacy-policy) and link to it in your footer and at key collection points (checkout, registration pages, newsletter sign‑ups). Keep the “last updated” date visible.
Step 7: Align Your Internal Processes
Make sure your team knows how to handle rights requests, deletion and corrections. Set up a simple intake process and response templates so you can meet UK GDPR timeframes for Subject Access Requests. Keep data retention and deletion schedules practical and documented.
Step 8: Review Regularly
Revisit your policy whenever you adopt a new tool, start a new campaign, add features, or expand into new markets. A quick quarterly check often catches small changes that need an update.
Common Mistakes To Avoid (And How To Fix Them)
We regularly see small but important gaps in website privacy materials. Here are the big ones to watch out for.
Mistake 1: Copy‑Pasting A Generic Template
Policies copied from other sites or a template rarely match your tech stack or marketing flows. That misalignment can be misleading (and non‑compliant). Fix it by mapping your data and tailoring your policy to reflect your actual plugins, vendors and purposes. Consider pairing a bespoke policy with professionally drafted Website Terms And Conditions so both documents work together.
Mistake 2: Ignoring Cookies Until After Launch
Dropping analytics or ads cookies before consent breaches PECR. Tackle this early: implement consent controls, list your cookies in your Cookie Policy, and make sure your banner meets best practice for transparency and choice. This overview on cookie banners covers common pitfalls.
Mistake 3: Forgetting About Email Marketing Rules
Collecting addresses via a website form doesn’t automatically give you permission to market. Make sure your sign‑up copy is clear, you’re capturing consent (or meeting soft opt‑in conditions), and every message includes an unsubscribe. The summary of Email Marketing Laws is a handy sense‑check.
Mistake 4: Over‑Promising Security
It’s tempting to reassure users with strong language, but avoid absolute promises you can’t evidence (e.g. “military‑grade security” or “we will never share your data”). Keep it accurate and proportionate to your controls and vendor due diligence.
Mistake 5: Not Covering International Transfers
Many common tools host data outside the UK. If you use cloud email, CRM, analytics or chat tools that store data abroad, your policy should say where data goes and the legal safeguards you rely on (e.g. UK IDTA, Addendum, or adequacy). Check your vendors’ documentation and ensure your contracts reflect the transfer mechanism.
Mistake 6: No Processes To Support Your Policy
Even the best policy can fall down in practice if you’re not ready to handle user rights, retention or deletion. Set internal processes and keep a simple log for requests so you can respond on time and track outcomes.
Mistake 7: Missing Links And Poor Visibility
Hiding your Privacy Policy in a hard‑to‑find spot isn’t user‑friendly and could undermine consent flows. Put clear links in your footer, sign‑up forms and checkout. When you ask for consent, link straight to the relevant policy. This approach dovetails neatly with making your terms and notices enforceable through proper presentation.
Key Takeaways
- If your website collects personal data, UK GDPR and the Data Protection Act 2018 require you to provide clear privacy information - a well‑crafted Privacy Policy is the standard way to do this.
- Your policy should cover who you are, what data you collect, why you process it (and on what lawful basis), cookies, sharing, international transfers, retention, security and user rights.
- PECR adds rules for cookies and direct marketing. Use consent controls for non‑essential cookies and capture marketing consent properly with easy opt‑outs.
- Back up your policy with solid contracts and processes: a Data Processing Agreement with processors, a practical Cookie Policy, and internal workflows for rights requests and deletion.
- Publish your policy at a stable URL, link it across your site and keep it updated as your tools and campaigns evolve. Pair it with clear Website Terms And Conditions for a complete set of website legals.
- Getting a tailored Privacy Policy in place early protects your business, builds customer trust and reduces compliance risk as you grow.
If you’d like help drafting or updating your website privacy materials, or you want a fixed‑fee package that covers your Privacy Policy, cookie notices and key data protection documents, our team is here to help. You can reach us on 08081347754 or at team@sprintlaw.co.uk for a free, no‑obligations chat.