Do I Need a Privacy Policy for My Business Website?
You've built your website, written your about page, added some testimonials, and you're ready to go live. But then someone mentions you need a privacy policy. Is that really necessary? You're just a sole trader with a simple five-page website — surely privacy policies are only for the big companies?
The short answer is: yes, you almost certainly need one. If your website collects any personal data at all — and it almost certainly does — UK law requires you to tell visitors what you're doing with their information. Let's break down exactly what that means, what you need to include, and how to put one together without spending a fortune on a solicitor.
Why You Need a Privacy Policy
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, any organisation that processes personal data must be transparent about how it collects, uses, stores, and shares that data. A privacy policy is the primary way you fulfil that transparency obligation on your website.
But here's the thing that catches many sole traders off guard: "personal data" is defined very broadly. It includes any information that can identify a living person, either directly or indirectly. That means:
- Contact forms — if someone types their name and email address into a form on your site, that's personal data.
- Analytics — if you use Google Analytics, Hotjar, or any similar tool, you're collecting data about visitors' behaviour, IP addresses, and device information.
- Cookies — most websites use cookies, and many of these track user activity.
- Email sign-ups — if you have a newsletter or mailing list, you're collecting and storing personal data.
- Enquiry emails — even if visitors just email you directly via a mailto link, you're receiving personal data.
If any of these apply to you — and for the vast majority of business websites, at least one will — you need a privacy policy.
What Happens If You Don't Have One?
Failing to provide a privacy policy when you're processing personal data is a breach of UK GDPR. The Information Commissioner's Office (ICO) can take enforcement action, which could include fines. While the ICO tends to take a proportionate approach with small businesses, a missing privacy policy is one of the more straightforward things for them to spot and act on.
Beyond the legal risk, not having a privacy policy looks unprofessional. Savvy customers and clients increasingly check for one, and its absence can undermine trust. If you're looking for a broader overview of your data protection obligations, our guide on GDPR for sole traders covers the fundamentals.
What to Include in Your Privacy Policy
Your privacy policy doesn't need to be a 20-page legal document. It needs to be clear, honest, and written in plain language that your visitors can actually understand. Here's what to cover.
Your Identity and Contact Details
Start with who you are. Include your business name, your role (e.g., sole trader), and how people can contact you with questions about their data. If you've registered with the ICO, include your registration number.
For example:
This website is operated by [Your Name], trading as [Your Business Name]. You can contact me at [email address] with any questions about how your data is handled.
What Data You Collect
Be specific about the types of personal data you collect. Common categories for small business websites include:
- Names and email addresses (from contact forms or mailing lists)
- Phone numbers (if you ask for them)
- IP addresses and browsing data (from analytics tools)
- Cookie data
- Payment information (if you sell online, though this is often handled by a third-party processor)
You don't need to list every individual data point, but you should give visitors a clear picture of what you're gathering.
Why You Collect It (Your Lawful Basis)
Under UK GDPR, you need a lawful basis for processing personal data. For most sole traders, the relevant ones are:
- Consent — the person has given you clear permission (e.g., ticking a box to subscribe to your newsletter).
- Contractual necessity — you need the data to fulfil a contract or take steps at someone's request before entering a contract (e.g., responding to a quote request).
- Legitimate interests — you have a genuine business reason for processing the data that doesn't override the individual's rights (e.g., using analytics to improve your website).
State clearly which lawful basis applies to each type of data processing.
Who You Share Data With
If you share personal data with third parties, you need to say so. Common examples for small businesses include:
- Email marketing platforms (Mailchimp, ConvertKit, etc.)
- Analytics providers (Google Analytics)
- Payment processors (Stripe, PayPal)
- Hosting providers (your web host will have some access to server logs)
- Accounting software (if client data flows into your financial tools)
You don't necessarily need to name every provider, but you should explain the categories of recipients and why data is shared with them.
How Long You Keep Data
You can't keep personal data indefinitely — UK GDPR's storage limitation principle says you should only keep it as long as you have a genuine need. Be clear about your retention periods. For example:
- Contact form enquiries: deleted after 12 months if no ongoing relationship
- Mailing list subscribers: kept until they unsubscribe
- Financial records: retained for six years in line with HMRC requirements
- Analytics data: retained according to the platform's default settings
People's Rights
Under UK GDPR, individuals have several rights regarding their personal data, and your privacy policy must tell them about these. The key rights are:
- The right to access their data (Subject Access Request)
- The right to have their data corrected
- The right to have their data deleted (the "right to be forgotten")
- The right to restrict or object to processing
- The right to data portability
- The right to withdraw consent
You should explain how people can exercise these rights — usually by contacting you via email.
How to Complain
You must tell visitors that they have the right to complain to the ICO if they're unhappy with how you've handled their data. Include the ICO's website address and contact details.
Cookies and the Cookie Consent Question
Cookies deserve special attention because they're governed by both UK GDPR and the Privacy and Electronic Communications Regulations (PECR). If your website uses cookies — and most do — you need to:
- Tell visitors what cookies you use and why — this is usually done in your privacy policy or a separate cookie policy.
- Get consent for non-essential cookies — essential cookies (those strictly necessary for the website to function) don't require consent. But analytics cookies, advertising cookies, and social media tracking cookies do.
This is why so many websites have those cookie consent banners. If you're using Google Analytics or any form of tracking, you need one too. There are free and low-cost tools like CookieYes, Osano, and Complianz that can help you implement this.
A Common Mistake
Many small business websites have a cookie banner that says something like "By continuing to use this site, you accept cookies." That's not valid consent under UK law. Consent needs to be active — visitors must take a positive action (like clicking "Accept") to agree to non-essential cookies. Simply continuing to browse isn't enough.
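To make the distinction concrete, here is a small consent gate written as an added example; it is not code from the article or from any of the banner tools mentioned above. It implements the rule just described: essential cookies are always allowed, non-essential categories (analytics, advertising, social) are activated only after the visitor explicitly accepts them, and "continuing to browse" records nothing. A stored choice is re-asked when the policy version changes. The storage key, the policy version string, and the category names are assumptions for the example, and the storage and loader objects are stand-ins so the logic runs outside a browser as well.

```javascript
// Added example of an opt-in cookie consent gate (not from the original article).
// Non-essential categories activate only after an explicit positive action.
const CONSENT_KEY = "cookie_consent";   // assumed storage key
const POLICY_VERSION = "2024-06-01";    // assumed "last updated" date of the policy
// "essential" never needs consent; the remaining categories always do.
const CATEGORIES = ["essential", "analytics", "advertising", "social"];

// storage: localStorage-like object with getItem/setItem.
// loaders: map of category -> function that loads that category's scripts.
function createConsentManager(storage, loaders, now = () => Date.now()) {
  const activated = new Set();

  // Returns the stored record only if it was given against the current policy.
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed.version === POLICY_VERSION ? parsed : null;
    } catch {
      return null;
    }
  }

  function write(choices) {
    const record = { version: POLICY_VERSION, at: now(), choices };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  // Activate essential scripts plus any category the visitor has opted into.
  function apply(choices) {
    for (const cat of CATEGORIES) {
      const permitted = cat === "essential" || choices[cat] === true;
      if (permitted && !activated.has(cat)) {
        activated.add(cat);
        if (typeof loaders[cat] === "function") loaders[cat]();
      }
    }
  }

  // Explicit positive action: Accept all, or a per-category selection.
  function accept(selected = { analytics: true, advertising: true, social: true }) {
    const choices = {};
    for (const cat of CATEGORIES) {
      if (cat !== "essential") choices[cat] = selected[cat] === true;
    }
    const record = write(choices);
    apply(choices);
    return record;
  }

  return {
    // Called on page load: decides whether the banner must be shown.
    init() {
      const record = read();
      apply(record ? record.choices : {});
      return { needsBanner: record === null, record };
    },
    accept,
    reject() { return accept({}); },
    // Scrolling or navigating is NOT consent: it neither records nor activates anything.
    continueBrowsing() { return read(); },
    activatedCategories() { return [...activated]; },
  };
}

// In-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Constructed walk-through of a first visit: banner shown, browsing grants nothing,
// analytics loads only after the explicit accept click.
function demo() {
  const log = [];
  const manager = createConsentManager(memoryStorage(), {
    essential: () => log.push("session"),
    analytics: () => log.push("analytics"),
  });
  const first = manager.init();
  manager.continueBrowsing();
  const beforeAccept = manager.activatedCategories();
  manager.accept({ analytics: true });
  return { needsBanner: first.needsBanner, beforeAccept, after: manager.activatedCategories(), log };
}
```

In a real page, `storage` would be `window.localStorage`, each loader would inject the relevant script tag, and `accept` would be wired to the banner's Accept button only; nothing is attached to scroll or click events elsewhere on the page, which is exactly what separates this from the "by continuing you accept" pattern.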
How to Write Your Privacy Policy
You've got a few options here, depending on your budget and comfort level.
Option 1: Use a Template or Generator
There are plenty of free and paid privacy policy generators online. The ICO itself doesn't provide a template, but organisations like the Federation of Small Businesses and various legal technology companies offer them. These can be a good starting point, but make sure you customise the output to reflect what your website actually does — a generic, unchanged template won't be accurate enough.
Option 2: Write It Yourself
If you're comfortable writing clearly and you understand what data your website collects, you can write your own. Use plain English, be specific, and cover all the points listed above. It doesn't need to sound like it was written by a solicitor — in fact, UK GDPR explicitly requires that privacy information be provided in "clear and plain language."
Option 3: Get Professional Help
If your website handles sensitive data (health information, financial details, children's data) or you process data at scale, it's worth getting a solicitor or data protection consultant to review or draft your policy. For most sole traders with straightforward websites, this isn't strictly necessary, but it provides peace of mind.
Where to Put Your Privacy Policy
Your privacy policy should be easy to find. Standard practice is to:
- Include a link in your website footer on every page
- Link to it from any forms that collect personal data (contact forms, sign-up forms)
- Reference it in your cookie consent banner
- If you have terms and conditions, cross-reference between the two documents
Don't bury it three clicks deep in a submenu. The whole point is transparency, and that means making the information readily accessible.
Keeping Your Privacy Policy Up to Date
A privacy policy isn't a "write it once and forget it" document. You should review and update it whenever:
- You start collecting new types of data
- You add new third-party tools or services to your website
- You change how you use or store data
- The law changes
It's good practice to include a "last updated" date at the top of your privacy policy so visitors can see how current it is.
Using a tool like Accounted for your bookkeeping means your financial data is handled securely with clear data protection practices already in place — one less thing to worry about when you're writing up how your business manages personal information.
Don't Overthink It
A privacy policy might sound intimidating, but for most sole traders, it's a fairly straightforward document. Be honest about what data you collect, explain why you collect it, and tell people what you do with it. That's the essence of it.
The important thing is to have one, keep it accurate, and make it easy to find. It protects both your visitors and your business, and it demonstrates the kind of professionalism that builds trust with potential clients.
Accounted helps UK sole traders stay on top of their bookkeeping and tax. Start your free 30-day trial at getaccounted.co.uk
Related reading:
- GDPR for Sole Traders — What You Actually Need to Do
- Terms and Conditions for Small Businesses — A Practical Guide
- Data Protection When Using WhatsApp for Business