If your website has a contact form, uses Google Analytics, or runs any kind of tracking, it is collecting information about visitors. That means you almost certainly need a privacy policy. Many small business owners either do not have one, or have one they copied from somewhere years ago and have not looked at since.
This is not just a legal formality. Visitors notice when a site has no privacy policy, and it affects whether they trust you enough to get in touch. Here is what you need to know.
Why a privacy policy is required, not optional
Data protection laws in most countries require businesses to tell website visitors what information is being collected, how it is used, and how long it is kept. In the UK and Europe, this is covered by data protection law. In the United States, several states have their own requirements, and if you have any visitors from outside the US, those laws may apply too.
Beyond the legal requirement, platforms you rely on often require it too. Google Analytics requires that you have a privacy policy in place if you use it on your site. If you advertise through Google or use Facebook tools, the same applies.
What a privacy policy needs to cover
The specifics depend on what your site collects, but for a typical small business website the essentials are straightforward.
- What you collect: Names, email addresses, phone numbers from contact forms. Data collected automatically through analytics tools, such as which pages were visited and what device was used.
- Why you collect it: To respond to enquiries, to understand how people use the site, to send marketing emails if you have a mailing list.
- Who else sees it: If you use a third-party email tool, a booking system, or analytics software, those providers receive some of the data too. Name them.
- How long you keep it: A general statement is fine, such as retaining contact form submissions for two years.
- How someone can ask you to delete their data: An email address for data requests is enough for most small businesses.
Where it needs to appear on your site
The privacy policy should be reachable from every page. The standard place is a link in the footer. If you have a contact form or a sign-up form anywhere on your site, there should also be a link to the privacy policy near that form, so visitors can read it before submitting their details.
It does not need to be long or written in legal language. A plain English policy that covers the points above is more useful to visitors and satisfies the requirement more effectively than a dense document nobody reads.
A simple way to get started
If you do not have a privacy policy yet, there are free generators online that ask you questions about your site and produce a basic policy you can adapt. Search for "privacy policy generator" and look for one that covers your country's requirements. Read through what it produces and adjust it to reflect what your site actually does before publishing it.
Once it is in place, review it whenever you add a new tool to your site, such as a booking system, live chat, or email marketing platform.
If you want to see how your site currently looks from a trust and compliance perspective, a free scan can show you what visitors and search engines see.
See how your website scores on trust and best practices
Run a free scan and get a plain English report covering trust signals, SEO, performance, and more. Instant, no sign-up needed.
Scan my page for free →