If you have a website in the UK and you collect any information about visitors — even just their email address — you are legally required to have a Privacy Policy. This is not optional. It comes from UK GDPR, which has been in force since January 2021 when the UK took on its own version of the EU regulation after Brexit.
The short answer to "does my website need one" is almost certainly yes. The longer answer involves understanding what counts as personal data, who is exempt, and what your policy needs to actually say.
What counts as collecting personal data?
Personal data is any information that can identify a living person, directly or indirectly. This includes obvious things like names and email addresses, but it also includes:
- IP addresses (these are considered personal data under UK GDPR)
- Cookie identifiers that are linked to a person
- Location data
- Any form submission — contact form, newsletter signup, checkout
Most websites collect at least IP addresses through their server logs, and virtually all offer some way for visitors to get in touch. So the threshold for "collecting personal data" is low.
Practical rule: If your website has a contact form, a newsletter signup, a checkout, or even just Google Analytics — you collect personal data and you need a Privacy Policy.
Who is exempt?
The only meaningful exemption is for purely personal or household use — a family blog, a personal diary. The moment your website has any commercial purpose or audience beyond your own household, the exemption does not apply.
Small business owners sometimes assume that being a sole trader or a one-person company means the rules do not apply. That is wrong. The ICO (Information Commissioner's Office) has investigated sole traders and issued enforcement notices to small businesses. Size is not a defence.
What happens without one?
In practice, the ICO rarely proactively searches for websites without Privacy Policies. Most enforcement action starts with a complaint. A customer disputes how their data was used, contacts the ICO, and an investigation begins.
The real risk: A customer who feels their data was mishandled can file a complaint with the ICO at no cost to themselves. If the ICO finds you had no Privacy Policy, it can issue a formal warning, an enforcement notice, or in serious cases, a fine. The ICO fined a UK company £130,000 in 2023 partly because of inadequate transparency about data processing.
Beyond ICO enforcement, the absence of a Privacy Policy also creates practical commercial problems. Payment processors, B2B partners, and app stores routinely ask for a link to your Privacy Policy before they will work with you. Without one, you may find integrations blocked or accounts suspended.
What must your Privacy Policy say?
UK GDPR Article 13 sets out the required content. You need to explain:
- Who you are and how to contact you (and your Data Protection Officer if you have one)
- What data you collect and why you collect it
- The legal basis for processing (consent, contract, legitimate interests, etc.)
- How long you keep data
- Who you share data with
- Whether data is transferred outside the UK and what safeguards apply
- What rights users have — access, deletion, correction, objection
- How to make a complaint to the ICO
We cover the full Article 13 checklist in more detail in our guide: What your Privacy Policy must actually say (UK GDPR checklist).
Plain English matters
UK GDPR requires that information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." The ICO takes this seriously. A Privacy Policy that is technically complete but written in dense legal language that a normal person cannot understand is still non-compliant.
This is also good business practice. Users who understand what you do with their data are more likely to trust you with it.
Cookie Policy: not the same thing
A Privacy Policy and a Cookie Policy are two separate documents. The Privacy Policy covers data processing broadly. The Cookie Policy specifically addresses cookies and similar tracking technologies under PECR (Privacy and Electronic Communications Regulations). Most websites need both. See our guide on what PECR actually requires for cookie consent.
The bottom line: If your website is used for any commercial purpose and collects any data from visitors, you need a Privacy Policy. The cost of not having one is much higher than the cost of getting it done.