Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Website Privacy Policy (And Do You Need One)?
- Which UK Laws Affect Your Website Privacy Policy?
- What To Include In A UK Website Privacy Policy
- 1) Who You Are And How To Contact You
- 2) What Data You Collect
- 3) Why You Collect It (Purposes) And Your Lawful Bases
- 4) Cookies And Tracking Technologies
- 5) Who You Share Data With
- 6) International Transfers
- 7) How Long You Keep Data
- 8) Security Measures
- 9) Individual Rights
- 10) Marketing Preferences
- 11) Children’s Data (If Applicable)
- 12) How To Complain
- Cookies, Consent And Your Cookie Policy
- Key Takeaways
If your website collects any personal information – from contact forms to analytics cookies – you’re expected to be transparent about what you collect and why. That’s where a clear, compliant website privacy policy comes in.
Getting this right isn’t just about ticking a legal box. A strong privacy policy builds trust with customers, reduces regulatory risk, and sets your business up to scale safely.
In this guide, we’ll explain when you need a website privacy policy under UK law, what it must contain, how cookies and consent fit in, and a practical process to create or update yours.
What Is A Website Privacy Policy (And Do You Need One)?
A website privacy policy is a public statement that explains how your business collects, uses, shares and protects personal data from people who visit your site or use your services. It should be easy to find (typically in your footer), written in plain English and tailored to what your business actually does.
If your site collects personal data, you need one. In practice, most business sites do – for example if you:
- Run analytics (e.g. Google Analytics) or use tracking pixels
- Offer contact forms, newsletter sign-ups or account registration
- Sell products or services online and process payments
- Embed third-party tools (live chat, video, maps, ad networks)
Even a simple brochure site can capture personal data via server logs or basic analytics. That’s why most UK businesses should publish a tailored, up-to-date privacy policy.
It’s also smart to pair your privacy policy with clear Website Terms and Conditions to govern how visitors can use your site, your IP rights, disclaimers and liability limits.
Which UK Laws Affect Your Website Privacy Policy?
Your website privacy policy sits at the intersection of UK privacy and electronic communications laws. The main legal frameworks are:
- UK GDPR: Sets out core data protection principles (lawful basis, transparency, data minimisation, security, data subject rights, accountability).
- Data Protection Act 2018: Supplements UK GDPR and creates the UK’s enforcement regime via the ICO (Information Commissioner’s Office).
- PECR (Privacy and Electronic Communications Regulations): Covers electronic marketing and the use of cookies and similar technologies.
What this means for your business:
- You must have a lawful basis (like consent or legitimate interests) for processing personal data.
- You must be transparent and provide clear, accessible information in your privacy policy.
- For most non-essential cookies, you need prior consent, not just notice.
- Individuals have rights (access, deletion, correction, objection, etc.) – you need to explain how they can exercise them and how you’ll respond.
- You must take appropriate technical and organisational measures to keep personal data secure.
If you rely on other businesses to process data (for example, your email marketing platform, web host or CRM), you’ll need a contract with them that meets UK GDPR requirements. This is typically a Data Processing Agreement.
What To Include In A UK Website Privacy Policy
Your policy should reflect what actually happens in your business. Avoid generic templates that don’t match your data flows – regulators look for consistency between your privacy notice and your day-to-day practices. At a minimum, cover:
1) Who You Are And How To Contact You
- Your legal name, trading name and contact details
- Data protection contact or DPO (if you have one)
- Who your policy applies to (site visitors, customers, account holders, etc.)
2) What Data You Collect
- Data you collect directly (e.g. names, emails, addresses, payment data via your provider)
- Data collected automatically (e.g. device IDs, IPs, usage data, cookies)
- Data from third parties (e.g. social logins, ad platforms, identity verification services)
3) Why You Collect It (Purposes) And Your Lawful Bases
- Contract: to provide your services or deliver orders
- Legal obligation: tax, fraud prevention, record-keeping
- Legitimate interests: site security, product improvement, non-intrusive analytics
- Consent: marketing emails, non-essential cookies, certain profiling
Be specific and tie each purpose to a lawful basis. If you rely on legitimate interests, identify the interest and note how you balance it with individual rights.
4) Cookies And Tracking Technologies
- Explain cookie categories (strictly necessary, analytics, advertising, functionality)
- Make clear that non-essential cookies only run with consent
- Link to your separate Cookie Policy and your consent preferences centre
5) Who You Share Data With
- Service providers acting as processors (hosting, analytics, payment processors, email tools)
- Third parties you share with as independent controllers (delivery partners, accountants, insurers)
- Legal and compliance disclosures (e.g. to authorities when required)
Identify categories rather than listing every vendor, but don’t be vague – people should understand the types of recipients and reasons for sharing.
6) International Transfers
If any personal data will be transferred outside the UK (for example, to US-based SaaS tools), say how you safeguard it – for instance using the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, plus transfer risk assessments where required.
7) How Long You Keep Data
Set out retention periods or the criteria you use to determine them (e.g. “we keep customer records for six years for tax purposes”). Retention should be justifiable and aligned to your data deletion practices.
8) Security Measures
Summarise the technical and organisational steps you take to protect personal data (access controls, encryption in transit/at rest, staff training, backups). Don’t reveal sensitive details, but show you take security seriously.
9) Individual Rights
Explain the rights available under UK GDPR (access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent). Include how people can make a request and how quickly you’ll respond.
10) Marketing Preferences
Clarify how you obtain consent (where required), how people can opt out, and how you handle soft opt-in where permitted under PECR. If you use profiling or lookalike audiences, be upfront about it and how users can object or opt out.
11) Children’s Data (If Applicable)
If your site is directed at children or you knowingly collect children’s data, include age-appropriate disclosures and extra steps you take to protect it.
12) How To Complain
Provide your complaint route and the right to complain to the ICO, with a link to their website.
Cookies, Consent And Your Cookie Policy
Cookies are a big part of website compliance. Under PECR, you must obtain informed consent before setting non-essential cookies (analytics, advertising, social media) on a user’s device.
In practice, that means:
- A clear cookie banner shown on first visit, before non-essential cookies load
- Equal prominence of “Accept” and “Reject” for non-essential cookies
- Granular choices by category, plus a way to change preferences later
- A separate, detailed Cookie Policy listing cookies, purposes and lifespans
Dark patterns (nudging users into “accept”) and “consent” that’s bundled with terms will fall short. Your consent should be freely given, specific, informed and unambiguous.
If you use analytics, consider server-side or privacy-friendly modes where feasible, and document your legitimate interests assessment if you rely on legitimate interests instead of consent (note: for most third-party analytics, consent is generally the safest basis).
It’s also best practice to make your banner and preferences tool accessible, fast and consistent across devices. If you’re revisiting your setup, this is a good time to refresh your Cookie Policy and make sure your cookie banners match what actually happens on the site. Many businesses also publish a stand-alone Cookie Policy alongside their main privacy notice.
How To Create Or Update Your Website Privacy Policy
Here’s a pragmatic approach that works for most UK SMEs.
Step 1: Map Your Data
List the personal data you collect, why you collect it, where it’s stored, which systems and vendors are involved, and who has access. Include your public site, customer portals, mobile apps and back-office processes that touch website-collected data (e.g. pushing leads into your CRM).
Step 2: Identify Your Legal Bases And Risks
For each processing activity, set a lawful basis and record any special category or children’s data. Note PECR requirements for cookies, and whether consent is needed for marketing. This is where you decide which cookies need prior consent.
Step 3: Get Your Contracts In Order
Put appropriate processor terms in place with vendors that handle personal data on your behalf – for example, your hosting provider, emailing tools and analytics platforms. A tailored Data Processing Agreement helps ensure UK GDPR-compliant obligations are hardwired into those relationships. If you share data with another organisation as an independent controller, consider a Data Sharing Agreement that clarifies roles and responsibilities.
Step 4: Draft A Tailored, UK-Focused Policy
Align the policy to your mapped data and decisions. Keep the language plain. Avoid boilerplate that promises things you don’t do or misses things you actually do. If you operate in regulated sectors (e.g. health, finance), you may need additional disclosures.
Step 5: Implement Cookies And Consent Controls
Configure your CMP (consent management platform) so non-essential cookies only fire after consent, and users can easily change their choices. Make sure your banner, preferences and Cookie Policy line up with reality. Test on mobile and across common browsers.
Step 6: Publish, Train And Maintain
Publish the policy in your footer and key journeys (e.g. sign-up flows). Train your team so marketing and dev changes don’t accidentally undermine compliance. Review at least annually or whenever you add new tools, features or data uses.
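Consent gating as described in the cookies section and in Step 5, as an added JavaScript example (not Sprintlaw's code or any particular CMP's): non-essential loaders are queued until the visitor grants their category, a later withdrawal marks the matching cookies for expiry, and the storage key, cookie names and category names are constructed assumptions.

```javascript
// Consent-gated loading of non-essential scripts (added example, not from the article).
// Storage and loaders are injected so the same logic runs in a browser (wrap
// localStorage.getItem/setItem as get/set; loaders inject <script> tags) or in a test.
const CATEGORIES = ["analytics", "advertising", "functionality"];
// Constructed registry of the kind a Cookie Policy publishes (name, purpose, lifespan).
const COOKIE_REGISTRY = [
  { name: "session_id", category: "necessary", purpose: "keeps you logged in", lifespan: "session" },
  { name: "_ga", category: "analytics", purpose: "visit statistics", lifespan: "2 years" },
  { name: "_fbp", category: "advertising", purpose: "ad measurement", lifespan: "3 months" },
];
class ConsentManager {
  constructor(storage = new Map()) {
    this.storage = storage;   // anything with get(key) / set(key, value)
    this.pending = [];        // gated loaders waiting for consent
    this.executed = [];       // names of loaders that have run
  }
  // null on a first visit: show the banner and load nothing non-essential.
  getConsent() {
    const raw = this.storage.get("cookie_consent");
    return raw ? JSON.parse(raw) : null;
  }
  bannerRequired() { return this.getConsent() === null; }
  // Strictly necessary scripts run at once; all others wait for consent to their category.
  register(name, category, loader) {
    const consent = this.getConsent();
    if (category === "necessary" || (consent && consent[category] === true)) {
      loader(); this.executed.push(name); return true;
    }
    this.pending.push({ name, category, loader });
    return false;
  }
  // Record a granular choice; "Accept all" and "Reject all" are just two choice objects.
  // Unset categories count as refused, so a bare "Reject" records nothing as consented.
  setConsent(choices) {
    const record = { at: new Date().toISOString() };
    for (const c of CATEGORIES) record[c] = choices[c] === true;
    this.storage.set("cookie_consent", JSON.stringify(record));
    const stillPending = [];
    for (const p of this.pending) {
      if (record[p.category]) { p.loader(); this.executed.push(p.name); } else stillPending.push(p);
    }
    this.pending = stillPending;
    return record;
  }
  // Cookies to expire now (after a reject, or when a visitor later withdraws a category).
  cookiesToExpire() {
    const consent = this.getConsent() || {};
    return COOKIE_REGISTRY.filter(c => c.category !== "necessary" && !consent[c.category]).map(c => c.name);
  }
}
```

In a browser the loaders would inject the analytics or ad tags and `cookiesToExpire()` would drive `document.cookie` expiry, so the preferences centre can call `setConsent` again at any time and the site state follows the recorded choice.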
Common Mistakes To Avoid
- Copy-pasting a template that doesn’t reflect your actual tools or practices
- Loading analytics or ads before consent is given (or after a “reject”)
- No easy way for users to change cookie preferences later
- Missing information on international transfers or vague “we may share with partners” wording
- Not aligning what you say with what your site actually does (regulators check!)
- Forgetting operational readiness – for example, lacking a process to handle data rights requests or breaches
Key Takeaways
- If your site collects personal data, you should publish a clear, UK-compliant website privacy policy – it’s required under transparency rules and builds trust.
- Your privacy policy should match your real data flows: what you collect, why, lawful bases, cookies, sharing, security, international transfers, retention and rights.
- PECR means you need informed, prior consent for most non-essential cookies; give users a genuine choice and a way to change preferences.
- Back your policy with the right contracts – for processors, use a robust Data Processing Agreement; for controller-to-controller sharing, use a Data Sharing Agreement.
- Prepare operationally: document SAR handling, retention and deletion practices, and have an incident playbook such as a Data Breach Response Plan.
- Keep your consent tools and Cookie Policy aligned with your actual cookies, and ensure your Website Terms and Conditions complement your privacy position.
- When in doubt, get tailored support – a UK-focused Privacy Policy and implementation help will save you time and reduce risk.
If you’d like help drafting or refreshing your website privacy policy, setting up compliant cookie consent, or reviewing your marketing practices against email marketing laws, our team can guide you end to end. Reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.