Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Do I Need A Privacy Policy For A Website In The UK?
- What Must A Website Privacy Policy Include?
  - 1) Who You Are (And How To Contact You)
  - 2) What Personal Data You Collect
  - 3) How And Why You Use The Data (Your Purposes)
  - 4) Your “Lawful Basis” For Processing (UK GDPR Requirement)
  - 5) Who You Share Data With (Third Parties And Processors)
  - 6) International Transfers
  - 7) How Long You Keep Personal Data (Retention)
  - 8) People’s Rights Under UK GDPR
  - 9) Cookies And Tracking (Usually Needs A Separate Layer)
- How Do I Stay GDPR Compliant With My Website?
  - Step 1: Map What Data Your Website Collects
  - Step 2: Choose The Right Lawful Basis (And Don’t Default To Consent)
  - Step 3: Make Cookies And Consent Work Properly
  - Step 4: Put The Right Contracts In Place With Suppliers
  - Step 5: Secure The Data (Practical Security Still Counts)
  - Step 6: Align Your Other Website Legals
- Common Mistakes With A Privacy Policy On A Website (And How To Avoid Them)
- Key Takeaways
If you run a small business, your website probably does more than just “sit there”. It captures leads, takes bookings, processes orders, runs analytics, and maybe even sends email marketing.
And the moment your website collects any personal data (even something as simple as an email address, cookie identifier, or an IP address), you need a clear, accurate privacy policy for your website that reflects what you actually do and helps you stay compliant.
The good news is you don’t need to turn into a privacy lawyer overnight. With the right approach, you can publish a website privacy policy that does what it should: inform people properly, build trust, and reduce your risk under the UK GDPR and the Data Protection Act 2018.
Do I Need A Privacy Policy For A Website In The UK?
In most cases, yes.
If your website collects, stores, uses, shares, or tracks information that can identify someone (directly or indirectly), you’ll generally need a privacy policy on your website (often called a “privacy notice” under the UK GDPR).
For most small businesses, that includes common things like:
- Contact forms (names, emails, phone numbers, message content)
- Newsletter sign-ups
- Customer accounts (logins, order history, addresses)
- Online purchases and payments (even if payments are handled by a third party)
- Bookings/appointments
- Analytics and tracking (often includes IP addresses, device IDs, cookie identifiers)
- Embedded tools like chat widgets, maps, video players, social media plug-ins
Under the UK GDPR, you must provide people with certain information about how you use their personal data. In practice, most businesses provide this through a website privacy policy page.
There are also other laws that often overlap with this topic, including rules around cookies and marketing communications. (More on that below.)
If your website is genuinely “brochure-only” and does not collect personal data (for example: no forms, no newsletter sign-up, no user accounts, no marketing pixels, and no non-essential cookies), the position can be different. However, in practice most websites still process some personal data in the background (for example, through hosting/server logs, security monitoring, embedded content, or analytics), so most businesses should assume they need a privacy policy and tailor it to their setup.
What Must A Website Privacy Policy Include?
A strong website privacy policy isn’t just a generic statement like “we respect your privacy”. In the UK, it needs to cover specific points so people understand what’s happening with their data.
Here’s what you should aim to include (in plain English).
1) Who You Are (And How To Contact You)
Your privacy policy should clearly identify:
- your legal business name (and trading name, if different)
- your business address (or at least a contact address)
- contact details (email is usually essential)
If you have a Data Protection Officer (most small businesses don’t), include their details too.
2) What Personal Data You Collect
Be specific and practical. A good way to do this is to list data categories such as:
- identity data (name, username)
- contact data (email, phone, address)
- transaction data (orders, payment confirmations from a payment provider)
- technical data (IP address, device info, browser type)
- marketing preferences (newsletter opt-in/opt-out)
If you collect anything more sensitive (for example, health information for a health/fitness service), you’ll need additional safeguards and extra clarity in your privacy policy.
3) How And Why You Use The Data (Your Purposes)
This is where you explain what you use the data for, such as:
- responding to enquiries
- providing quotes or proposals
- setting up customer accounts
- taking payment and fulfilling orders
- managing bookings and appointments
- customer service and handling complaints
- improving your website and services (analytics)
- sending marketing (where lawful)
Tip: try to write this in a way that matches how your business actually operates day-to-day. If your policy says you “don’t share data with third parties” but your website uses email marketing platforms, analytics tools, CRM systems, payment gateways, or chat widgets, that mismatch can create risk.
4) Your “Lawful Basis” For Processing (UK GDPR Requirement)
Under UK GDPR, you must have a lawful basis for using personal data, and you should tell users what that basis is.
Common lawful bases for small businesses include:
- Contract (e.g. you need their address to deliver an order)
- Legitimate interests (e.g. basic website analytics, fraud prevention, improving services)
- Consent (e.g. certain types of marketing or non-essential cookies)
- Legal obligation (e.g. record-keeping for tax/accounting rules)
This is one of the most overlooked sections in a company privacy policy. It’s also one of the easiest places to accidentally over-rely on “consent” when you don’t need it (or to claim “legitimate interests” without doing and recording the balancing test, which the ICO calls a legitimate interests assessment, or LIA).
5) Who You Share Data With (Third Parties And Processors)
Most businesses share personal data with third parties in some form. Examples include:
- website hosting providers
- cloud storage and email providers
- payment processors
- booking system providers
- analytics providers
- couriers and fulfilment partners
- professional advisers (accountants, lawyers, insurers)
Your privacy policy should describe the categories of recipients you share data with, and why.
If you also use internal policies to control staff access and reduce risk, that’s often worth aligning with an Acceptable Use Policy, especially where team members handle customer information.
6) International Transfers
If any of your suppliers/processors store data outside the UK, or allow access from outside the UK, you may be making an “international transfer”.
Your privacy policy should address whether personal data is transferred overseas and, if so, what safeguards apply (for example, UK adequacy regulations, or appropriate contractual protections such as the ICO’s International Data Transfer Agreement or its Addendum to the EU standard contractual clauses).
7) How Long You Keep Personal Data (Retention)
You don’t need to list a specific number of days for everything, but you should be transparent about retention in a meaningful way.
For example:
- enquiry data kept for X months to manage follow-ups and records
- customer order records kept for X years for accounting and warranty purposes
- marketing data kept until the person unsubscribes or after a period of inactivity
Under UK GDPR, you should not keep personal data longer than necessary for the purpose you collected it for.
8) People’s Rights Under UK GDPR
Your website privacy policy page should explain the rights individuals may have, such as:
- the right to access their data
- the right to rectification (correcting inaccurate data)
- the right to erasure (in some cases)
- the right to restrict processing
- the right to object (including to direct marketing)
- data portability (in some situations)
- the right to withdraw consent (where consent is used)
You should also tell people how to complain (usually to you first, and then to the Information Commissioner’s Office (ICO)).
9) Cookies And Tracking (Usually Needs A Separate Layer)
This is where many businesses get caught out.
Your privacy policy should explain that you use cookies/tracking, but for most websites you’ll also need a dedicated Cookie Policy and a compliant cookie consent mechanism (banner/settings) for non-essential cookies, in line with the UK’s ePrivacy rules, the Privacy and Electronic Communications Regulations (PECR).
In other words, a privacy policy is necessary, but it’s often not sufficient on its own if you’re running analytics, advertising pixels, or similar tracking.
How Do I Stay GDPR Compliant With My Website?
Publishing a privacy policy on your website is a great start, but compliance is bigger than the document.
Think of it like this: your privacy policy describes what you do. GDPR compliance is about making sure what you do is actually lawful, secure, and well-managed behind the scenes.
Step 1: Map What Data Your Website Collects
Before you draft or update your privacy policy, get clear on what’s happening across your website.
A quick checklist:
- What forms do you have (contact, lead magnets, bookings, checkout)?
- What fields are collected (and are they all necessary)?
- What integrations are connected (email marketing, CRM, payments, chat)?
- What cookies and tracking tools are in use?
- Where is the data stored (which systems)?
- Who in your team can access it?
This exercise usually reveals surprises - like an old plugin still collecting data, or marketing tags firing when they shouldn’t.
Step 2: Choose The Right Lawful Basis (And Don’t Default To Consent)
It’s common for small businesses to think “GDPR means consent for everything.” That’s not quite right.
For example:
- If a customer buys from your online shop, you can use their address to deliver the item because it’s necessary for the contract.
- If someone fills in a “contact us” form, you can reply because it’s in your legitimate interests (and also what they reasonably expect).
- If you want to send ongoing marketing emails, you’ll often need consent (or another lawful route depending on the circumstances).
The lawful basis you choose affects what you say in your privacy policy and what controls you need in your business processes.
Step 3: Make Cookies And Consent Work Properly
If your website uses non-essential cookies (analytics, advertising, tracking), you generally need to:
- tell users what cookies are used and why
- get consent before placing non-essential cookies
- let users change their preferences easily
That’s why a Cookie Policy and a well-configured cookie banner matter so much, whatever your privacy policy says about cookies.
Step 4: Put The Right Contracts In Place With Suppliers
If you use third-party providers who process personal data on your behalf (for example, email marketing tools, hosting providers, CRMs), you may need a compliant data processing arrangement.
Many providers supply their own data processing terms, but you still need to ensure the overall arrangement is GDPR-compliant and matches what your privacy policy says. This often ties into broader privacy compliance work like a Data Protection Pack or a tailored compliance uplift as your business grows.
Step 5: Secure The Data (Practical Security Still Counts)
GDPR doesn’t demand “perfect” security, but it does require appropriate technical and organisational measures (UK GDPR Article 32), judged against the risk to the people whose data you hold.
For a typical small business website, this can include:
- HTTPS (TLS) on every page, not just the checkout, with plain HTTP redirected to HTTPS
- strong, unique admin passwords and multi-factor authentication on the CMS, hosting account and any admin panels
- limited admin access (only those who need it, and removed promptly when people leave)
- keeping the CMS, plugins/themes and server software updated, and removing plugins you no longer use
- secure handling of form submissions (stored in a system you control, not emailed to staff in plain text)
- regular backups that you have actually tested restoring, protected with the same access controls as the live data
If you’re storing customer data in cloud drives or shared folders, it’s also worth checking whether your setup is actually compliant in practice (permissions, access logs, retention, sharing links, etc.).
Step 6: Align Your Other Website Legals
Your privacy policy shouldn’t live in isolation.
If you sell online or take bookings, your customers should also be able to find clear website terms. For example, your checkout and customer journeys often rely on Website Terms And Conditions to set expectations around payment, cancellations, delivery, and limitations of liability.
And if your website includes subscriptions or recurring billing, it’s especially important that your consumer-facing terms and privacy disclosures don’t contradict each other.
If you want a broader compliance baseline (and not just a document), many businesses choose to implement a structured GDPR approach like a GDPR package so the paperwork and the actual processes match.
Common Mistakes With A Privacy Policy On A Website (And How To Avoid Them)
A website privacy policy can fail in two ways: it can be missing entirely, or it can exist but be inaccurate.
Here are common issues we see for small businesses.
Using A Generic Template That Doesn’t Match Your Website
Templates can look convenient, but they often don’t reflect what your website actually does - especially if you use multiple plugins, tracking tools, and third-party services.
If your privacy policy claims:
- you don’t use cookies (but you run analytics), or
- you don’t share data (but you use a booking system), or
- you don’t do marketing (but you have automated email flows)
…then it’s not really protecting you. It’s just creating risk.
Burying The Privacy Policy Where No One Can Find It
A privacy policy page should be easy to access. Most businesses include it in the website footer, and also link it at relevant collection points (like forms, checkout pages, and newsletter sign-ups).
If you collect personal data through multiple channels, it’s worth making sure the privacy policy is consistently linked in all the right places.
Not Covering Cookies Properly
Many website owners mention cookies in one sentence and assume that’s enough.
In practice, cookies compliance usually needs:
- a cookie banner that functions correctly (including a “reject” option that is as easy to use as “accept”)
- a cookie policy that lists cookies and purposes in a clear way
- proper configuration so non-essential cookies don’t fire before consent (check this yourself: open the site in a fresh private browsing window and inspect the cookies and network requests before touching the banner, then again after clicking reject)
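Step 3 above and this section make the same technical point: non-essential scripts must stay inert until the visitor opts in, and a refusal must stick. The following is an added example written for this article, not Sprintlaw’s code and not the API of any particular consent tool. It assumes a hypothetical first-party cookie named `consent_prefs` holding JSON such as `{"analytics":true,"marketing":false}`, and a small tag registry (`TAGS`) standing in for the scripts a real site embeds:

```javascript
// Consent-gated loading of non-essential tags. This is an added example, not
// Sprintlaw's code or any particular consent tool's API. Assumed (hypothetical):
// a first-party cookie "consent_prefs" holding JSON such as
// {"analytics":true,"marketing":false}, and the TAGS registry below.
const CONSENT_COOKIE = "consent_prefs";
const NON_ESSENTIAL = ["analytics", "marketing"];

// Constructed registry of the scripts this site embeds. Only "essential"
// entries may load before the visitor has made a choice.
const TAGS = [
  { id: "session",   category: "essential", src: "/js/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Read the stored choice from a document.cookie-style string.
// decided=false means "no valid choice yet": show the banner, load nothing non-essential.
// A category is allowed only if it is literally true; anything else counts as refused.
function parseConsent(cookieString) {
  const prefs = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  let decided = false;
  for (const part of (cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      for (const c of NON_ESSENTIAL) prefs[c] = stored[c] === true;
      decided = true;
    } catch (_) {
      // malformed or tampered cookie: fall back to "no consent" and ask again
    }
  }
  return { decided, prefs };
}

// Serialise a choice for document.cookie / Set-Cookie. Unknown or non-boolean
// values are written as false, so a bug elsewhere cannot grant consent by accident.
function consentCookieValue(prefs, maxAgeDays = 180) {
  const clean = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, prefs[c] === true]));
  const value = encodeURIComponent(JSON.stringify(clean));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Tags permitted under the current consent state.
function allowedTags(tags, consent) {
  return tags.filter((t) => t.category === "essential" || consent.prefs[t.category] === true);
}

// Inject the permitted tags into the page (no-op outside a browser, so the logic
// can be unit-tested). Returns the ids that were allowed, in registry order.
function loadAllowedTags(tags, consent, doc = typeof document !== "undefined" ? document : null) {
  const allowed = allowedTags(tags, consent);
  if (doc) {
    for (const t of allowed) {
      if (doc.querySelector(`script[data-tag="${t.id}"]`)) continue; // already on the page
      const s = doc.createElement("script");
      s.src = t.src;
      s.async = true;
      s.dataset.tag = t.id;
      doc.head.appendChild(s);
    }
  }
  return allowed.map((t) => t.id);
}

// Typical page flow: decide what may load now. The banner's accept/reject handlers
// write a new cookie via consentCookieValue() and then call loadAllowedTags() again.
if (typeof document !== "undefined") {
  loadAllowedTags(TAGS, parseConsent(document.cookie));
}
```

The important property is the default: with no cookie, a malformed cookie, or a cookie written by something other than the banner, `parseConsent` yields “no consent” and only the essential script loads. Note the limits of this approach when someone withdraws consent: your script can stop loading the third-party tag and can clear first-party cookies it set, but it cannot delete cookies the third party already set on its own domain, which is one more reason not to fire those tags early. If you use a tag manager rather than hand-written loaders, the equivalent is gating every non-essential tag on a consent trigger; either way, the private-window check described above is how you confirm it.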
Collecting Too Much Data “Just In Case”
If your form asks for too much information (for example, full address and date of birth for a simple enquiry), you may struggle to justify why you need it.
Data minimisation is a key GDPR principle: only collect what you need for the purpose.
Forgetting About Marketing Rules
Your privacy policy should explain marketing clearly, including how people can opt out.
But you’ll also want to make sure your actual marketing practices (email/SMS) follow the relevant rules. This includes being careful about when consent is needed and how you record it.
Not Having A Plan If Something Goes Wrong
Even with great processes, issues can happen (lost devices, compromised passwords, emails sent to the wrong person, malicious attacks).
Having a response plan helps you move quickly and reduce damage. It also has a legal edge under the UK GDPR: a personal data breach that is likely to put people at risk must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it, so the plan needs to say who assesses an incident and how quickly. That’s one reason businesses build a broader privacy compliance framework rather than relying on a single company privacy policy document.
Key Takeaways
- A privacy policy for your website is usually essential in the UK if your website collects, uses, or tracks personal data (which most business websites do in some form).
- A compliant website privacy policy should clearly explain what data you collect, why you collect it, your lawful bases under UK GDPR, who you share data with, retention, international transfers, and people’s rights.
- Cookie compliance is often a separate (but linked) requirement - your privacy policy should reference cookies, but a dedicated cookie policy and a properly configured cookie banner may also be needed under PECR.
- The biggest risk is having a privacy policy that doesn’t match reality, especially if you use third-party tools like analytics, marketing platforms, booking systems, or payment providers.
- GDPR compliance is more than a document - it’s also about security, internal processes, supplier arrangements, and making sure your website terms and customer communications are consistent.
If you’d like help putting the right Privacy Policy in place (and making sure it matches your website, data flows, and business model), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.