
Privacy Policy for Small Business: What You Need in 2026

A practical, jargon-free guide to creating a privacy policy that protects your business and keeps you compliant.

If you run a small business with a website — whether it is an online shop, a consulting firm, a SaaS product, or a simple portfolio with a contact form — you almost certainly need a privacy policy. Not just because it is good practice, but because the law requires it in most countries.

The problem? Privacy policies are confusing. They are full of legal jargon, and the rules vary depending on where your customers are. This guide cuts through the complexity and tells you exactly what your small business privacy policy needs to include.

Do Small Businesses Actually Need a Privacy Policy?

Yes. If your website collects any personal data at all — and it almost certainly does — you need a privacy policy. Here is what counts as “collecting personal data”:

  • A contact form that asks for name or email
  • An email newsletter signup
  • Google Analytics or any tracking script
  • Cookies (including third-party ones from ads or social media)
  • An online checkout that collects billing information
  • User accounts with login credentials
  • A live chat widget

Even if you do not explicitly ask for personal data, analytics tools like Google Analytics collect IP addresses, device information, and browsing behaviour. That counts.

Which Privacy Laws Apply to Your Business?

Privacy laws are not based on where your business is located — they are based on where your users are. If someone in the EU visits your website, GDPR applies to that interaction, even if your business is in Texas.

GDPR (EU & UK)

The General Data Protection Regulation applies if you have any visitors from EU or UK countries. It requires explicit consent for data collection, the right to access and delete personal data, and clear disclosure of how data is used. Fines can reach 4% of global annual turnover or €20 million.

CCPA / CPRA (California)

The California Consumer Privacy Act (and its amendment, CPRA) applies if you have California customers and meet certain thresholds (annual revenue over $25 million, data on 100,000+ consumers, or 50%+ revenue from selling personal data). Even if you do not meet these thresholds, compliance is good practice.

PIPEDA (Canada)

Canada’s Personal Information Protection and Electronic Documents Act requires businesses to obtain consent for collecting, using, and disclosing personal information.

Other Laws

Over 120 countries now have data protection laws, including Brazil’s LGPD, South Africa’s POPIA, and Australia’s Privacy Act. If you serve an international audience, your policy should cover the strictest regulations.

What to Include in Your Privacy Policy

Regardless of which specific laws apply, every good privacy policy should cover these sections:

1. What Data You Collect

Be specific. List the types of personal data you collect: names, email addresses, IP addresses, payment information, browsing behaviour, device information, etc.

2. How You Collect It

Explain whether data is collected directly (forms, account registration) or automatically (cookies, analytics, server logs).

3. Why You Collect It

State the purpose for each type of data. Common purposes include: providing your service, processing payments, sending marketing emails, improving your website, and complying with legal obligations.

4. Third Parties You Share Data With

List all third-party services that receive user data. This includes payment processors (Stripe, PayPal), analytics (Google Analytics), email services (Mailchimp), hosting providers, and advertising platforms.

5. User Rights

Under GDPR, users have the right to access, correct, delete, and port their data. Under CCPA, they have the right to know what data is collected and to opt out of its sale. Your policy must explain these rights and how to exercise them.

6. Data Retention

Explain how long you keep personal data and when it is deleted. Be specific: “We retain account data for 2 years after account deletion” is better than “We keep data as long as necessary.”

7. Security Measures

Briefly describe how you protect personal data: encryption (HTTPS, database encryption), access controls, regular security audits, etc.

8. Cookie Policy

If you use cookies, explain what types (essential, analytics, marketing), what they do, and how users can manage their preferences. Many businesses create a separate Cookie Policy page for this.

9. Contact Information

Provide a way for users to contact you about privacy concerns: an email address, postal address, or contact form. If you have a Data Protection Officer, list their details.

Common Mistakes to Avoid

  • Copy-pasting from another website. Their policy is for their business, not yours. It likely references services you do not use and misses ones you do.
  • Using vague language. “We may share data with third parties” is not good enough. Name the third parties.
  • Not updating it. If you add a new analytics tool or payment processor, update your policy.
  • Hiding it. Your privacy policy should be linked from every page (usually the footer) and easily accessible.
  • Forgetting about cookies. If you use any third-party scripts, you probably set cookies. Disclose them.

How to Create Your Privacy Policy

You have three main options:

1. Hire a lawyer — The gold standard, but typically costs £500–£2,000+ for a small business. Makes sense if you handle sensitive data (health, financial) or operate in heavily regulated industries.

2. Use a template — Free, but risky. Generic templates are not tailored to your business and may miss key requirements for your specific situation.

3. Use an AI generator — A middle ground between cost and customisation. Tools like LegalForge ask about your specific business and generate a tailored policy that covers the relevant regulations. Typically costs £10–£25.

The Bottom Line

Every small business website needs a privacy policy. The good news is that creating one does not have to be expensive or time-consuming. The key is making sure it accurately reflects your data practices and covers the regulations relevant to your audience.

If you are not sure where to start, LegalForge can generate a tailored privacy policy for your business in 60 seconds. Answer a short questionnaire about your business, and get a Privacy Policy, Terms of Service, and Cookie Policy — all for a one-time £19 payment.
