Does Your Small Business Website Need a Privacy Policy? (UK Law, Plainly Explained)

Published 16 March 2027 · By Paul

Privacy policies are one of those things that feel bureaucratic and optional until they’re not. Under UK data protection law, if your website collects any personal information from visitors — even just an email address through a contact form — you are legally required to have a privacy policy.

This isn’t a technicality that only applies to large businesses. It applies to sole traders, small firms, and anyone with a website that has a contact form.

What counts as collecting personal data

Personal data is any information that can identify a person: names, email addresses, phone numbers, IP addresses, location data. Your website collects personal data if it has:

  • A contact form (name, email, phone)
  • An email newsletter signup
  • A booking form
  • Google Analytics or any other analytics tool (these collect IP addresses and behavioural data)
  • A live chat widget
  • Cookies that track visitor behaviour

This covers virtually every business website. If your site has a contact form and Google Analytics, you are collecting personal data and you need a privacy policy.

What the law says (in plain English)

The UK GDPR and the Data Protection Act 2018 require you to:

  1. Tell people what data you collect about them
  2. Explain why you collect it
  3. Explain what you do with it (who sees it, how long you keep it)
  4. Tell them about their rights (to see, correct, or delete their data)
  5. Tell them how to contact you about data concerns

This information goes in your privacy policy. The policy must be:

  • Easy to find (linked in your footer on every page)
  • Written in plain language (not impenetrable legal jargon)
  • Accurate (it actually describes what you do)

The ICO registration requirement

If your business processes personal data, you are likely required to register with the ICO (Information Commissioner’s Office) and pay an annual registration fee. For most small businesses, this is £52 per year (Tier 1).

There are exemptions — notably for businesses that process data only for purposes like staff administration and accounts — but if you have a contact form that sends you customer enquiries, you almost certainly need to register.

Failing to register is a criminal offence. The ICO does investigate complaints and can issue fines. For small businesses, the realistic risk is more about customer trust than regulatory action — but the fee is small enough that it’s not worth the exposure.

Register at: ico.org.uk/registration/

What your privacy policy needs to say

For a typical small business website with a contact form and Google Analytics, your privacy policy should cover:

What data you collect:

  • Contact form submissions (name, email, phone, message)
  • Automatically collected data via Google Analytics (IP addresses, browser type, pages visited)

Why you collect it:

  • To respond to enquiries
  • To understand how the website is used and improve it

How long you keep it:

  • Contact form submissions: until the enquiry is resolved, or 12 months (whichever is sooner)
  • Analytics data: governed by Google’s retention settings (typically 14 months)

Who it’s shared with:

  • Your email provider (receives the contact form data)
  • Google (analytics data)
  • Any other tools you use (booking systems, CRM, etc.)

Visitor rights:

  • Right to access their data
  • Right to correct inaccurate data
  • Right to have their data deleted
  • Right to complain to the ICO

Contact information:

  • Your name and business address, or a contact email for data queries

If your website uses cookies — and virtually every site with Google Analytics does — you also need a cookie banner that:

  • Informs visitors that cookies are used
  • Allows them to accept or decline non-essential cookies
  • Links to your privacy policy

This doesn’t need to be complex. A simple banner stating “We use cookies to understand how our website is used. By continuing, you accept our [Privacy Policy]” with an Accept button and a link is sufficient for a simple small business site.
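As an added example (not code from the original post or from mybitness), here is the accept-or-decline banner described above, wired so that Google Analytics is only loaded after the visitor clicks Accept and a Decline is remembered; the cookie name cookie_consent, the 180-day retention of the choice, the gtag.js loader URL and the placeholder measurement ID are assumptions.

```javascript
// Added example: a cookie banner that loads Google Analytics only after Accept.
// Assumed (not from the post): the choice is kept in a "cookie_consent" cookie for 180 days.
const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180; // seconds
// Parse a document.cookie string ("a=1; b=2") and return the stored choice:
// "accepted", "declined", or null when no valid choice has been recorded.
function readConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(rest.join('='));
    return value === 'accepted' || value === 'declined' ? value : null;
  }
  return null;
}
// Cookie string that records the choice; SameSite=Lax and Secure keep the
// consent cookie itself from being sent cross-site or over plain HTTP.
function consentCookieValue(choice) {
  if (choice !== 'accepted' && choice !== 'declined') {
    throw new Error('choice must be "accepted" or "declined"');
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}
// Non-essential scripts run only after an explicit "accepted"; no cookie or "declined" means no consent.
const analyticsAllowed = (cookieString) => readConsent(cookieString) === 'accepted';
// Browser-only wiring: load gtag.js if consent already exists, otherwise show
// the banner (text, policy link, Accept and Decline) and load it only on Accept.
function installBanner(measurementId, privacyPolicyUrl) {
  if (typeof document === 'undefined') return; // not running in a page (e.g. Node)
  const loadAnalytics = () => {
    const s = Object.assign(document.createElement('script'), { async: true,
      src: 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId) });
    document.head.appendChild(s);
  };
  if (analyticsAllowed(document.cookie)) return loadAnalytics();
  if (readConsent(document.cookie) === 'declined') return;
  const banner = document.createElement('div');
  banner.append('We use cookies to understand how our website is used. ',
    Object.assign(document.createElement('a'), { href: privacyPolicyUrl, textContent: 'Privacy Policy' }), ' ');
  for (const [label, choice] of [['Accept', 'accepted'], ['Decline', 'declined']]) {
    const btn = Object.assign(document.createElement('button'), { textContent: label });
    btn.onclick = () => { // record the choice, close the banner, load analytics only on Accept
      document.cookie = consentCookieValue(choice); banner.remove();
      if (choice === 'accepted') loadAnalytics();
    };
    banner.append(btn, ' ');
  }
  document.body.appendChild(banner);
}
installBanner('G-XXXXXXXXXX', '/privacy-policy'); // placeholder measurement ID and policy path
```

The point of the gating is that the analytics script, and therefore its cookies, never reach the visitor's browser until they have actively accepted, which is what "allows them to accept or decline non-essential cookies" means in practice.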
At mybitness, every website we build includes a privacy policy template tailored to the site’s data practices, a cookie banner, and GDPR consent checkboxes on all contact forms.
