There is a widespread belief among sole traders that data protection law, consumer regulations, and the various other legal requirements that come with running a business online do not really apply to them. That they are for "proper companies" - the ones with legal teams and offices and registered addresses. This belief is wrong, and it can be expensive to find that out the hard way.
Being a sole trader changes some things - your liability is personal rather than corporate, you register with HMRC for Self Assessment rather than Corporation Tax, and most of the Companies Act 2006 is about companies and does not apply to you. What it does not do is create a parallel, lighter-touch regime for data protection or consumer law. The relevant questions are whether you process personal data and whether you sell to consumers. If the answer to either is yes, the full framework applies.
UK GDPR: yes, it applies to you
UK GDPR applies to any "controller" - any person or organisation that determines the purposes and means of processing personal data. A sole trader who has a contact form on their website, sends invoices by email, or maintains a client list is a controller. The ICO has been clear that the size of the organisation is irrelevant to whether the obligations apply.
What this means practically: you need a Privacy Policy that tells people who you are, what you do with their data, why (your legal basis for each purpose), who you share it with, for how long you keep it, and what rights they have. You need to be able to respond to Subject Access Requests within one month (extendable by up to two further months only for complex or numerous requests, and you must tell the requester within the first month if you are extending). You need some kind of data breach procedure - not a full incident response team, but at least knowing that a breach likely to risk people's rights must be reported to the ICO within 72 hours of you becoming aware of it, and that you need a written record of every breach, including the ones you decide not to report.
ICO registration: Most sole traders who process personal data are required to pay the ICO's data protection fee and appear on the public register. The tier 1 fee for small organisations (10 or fewer staff or turnover of £632,000 or less) is £52 per year since the February 2025 fee increase, with a small discount for paying by direct debit; check the ICO's fee page for the current figure. There are exemptions where processing is only for staff administration, advertising/marketing/PR for your own business, accounts and records, or personal and household purposes - but they are narrow, and a sole trader who holds client data for anything beyond invoicing usually falls outside them. The ICO's online self-assessment tool gives a definitive answer in a few minutes, and failing to pay when required carries a fixed penalty.
The ICO does investigate sole traders. Most enforcement starts with a complaint from a customer or client, and being a one-person operation does not stop the investigation proceeding. It may be considered when deciding the level of any penalty, but the ICO has taken enforcement action against small businesses, including monetary penalties for unsolicited marketing under PECR and fixed penalties for not paying the data protection fee.
What your website must display
Several pieces of legislation require specific information to appear on a business website. For sole traders, the main ones are:
Most of the Companies Act 2006 is about companies, but Part 41 of it (which replaced the Business Names Act 1985) applies to any individual trading under a name other than their own. If you are "Sarah Jones" trading as "SJ Consulting," you must state your real name and a UK address at which documents can be served on business letters, written orders, invoices, receipts and demands for payment, display them at any premises customers or suppliers visit, and give them in writing immediately to anyone who asks. A breach is an offence and can also leave you unable to enforce a contract against the other party. Many sole traders get this wrong by only displaying their trading name.
The Electronic Commerce (EC Directive) Regulations 2002 require any "information society service" - essentially any business conducting business online - to make the service provider's name, geographic address (not just a PO box), email address and, if applicable, VAT number and any trade-register or professional-body details easily, directly and permanently accessible. This is where the requirement to show your name and address on the website itself comes from. The regulations are domestic law implementing an EU directive, so they survived Brexit and remain in force (only the cross-border "country of origin" provisions were removed).
If you are VAT-registered, your VAT number must appear on invoices and technically on your website if you are selling goods or services online. If you are not VAT-registered (under the £90,000 threshold as of 2026), this does not apply.
Distance selling and the Consumer Contracts Regulations
If you sell anything to consumers online - whether physical products, services, or digital content - the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 apply to you regardless of whether you are a sole trader or a company. These regulations give consumers a 14-day right to cancel most purchases made at a distance (with exceptions such as bespoke or perishable goods and digital content the consumer has agreed to start downloading), and you are required to tell them about that right before they buy. The penalty for not telling them is severe: the cancellation period is extended by up to 12 months.
For services, if a consumer asks you to start work within the 14-day cooling off period and you begin, they can still cancel but must pay for what has been delivered. Protecting yourself here requires an explicit written request from the client to start early and an acknowledgment that they are giving up part of their cancellation right. A simple email exchange documenting this before you start work is sufficient, but it needs to happen.
Sole traders providing services often think the regulations only apply to shops selling physical goods. They do not. A freelance web developer, a personal trainer with an online booking system, or a consultant selling packages through their website are all subject to the same framework.
Terms and Conditions: required or recommended?
There is no specific law that says every sole trader must have Terms and Conditions on their website. But in practice, operating without them creates real risk. Without written terms, the contract with your clients is whatever was agreed verbally or by email - which is often ambiguous about payment terms, cancellation, what happens if a project runs over, or who owns the intellectual property in work you produce.
A simple set of terms of service that covers your payment terms, cancellation policy, what is included and excluded in your service, and IP ownership is genuinely useful even though no law mandates it. The Consumer Rights Act 2015 will still apply to consumer contracts and override anything unfair (and the Unfair Contract Terms Act 1977 constrains business-to-business terms), but a clear contract prevents disputes rather than merely helping to resolve them after they start.
For more on what T&Cs can and cannot do for you under UK law, see how Terms and Conditions actually protect your business. For consumer-facing terms specifically, the Consumer Rights Act and your T&Cs guide covers the constraints in detail.
Cookies
Cookie law is another area where "I'm just a small business" provides no exemption. If your website stores or reads anything on a visitor's device - and it almost certainly does if you have Google Analytics, any kind of advertising pixel, or a contact-form plugin that loads a third-party script such as a CAPTCHA - regulation 6 of PECR applies, and it covers local storage and tracking pixels as well as cookies in the narrow sense. You need a consent mechanism that lets users accept or reject non-essential cookies before those cookies are set, with rejecting as easy as accepting. Only "strictly necessary" cookies (session, security, a record of the consent choice itself) are exempt. You also need a Cookie Policy or at minimum a clear explanation of what cookies you use and why.
The ICO's enforcement on cookies has focused on the largest sites first (it began writing to the top UK websites in late 2023), but the rules apply universally. A sole trader who loads Google Analytics before consent is non-compliant, and that non-compliance can be raised in an ICO complaint investigation even if it was not the original trigger.
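What "before those cookies are set, and the choice must be honoured" looks like in code, as an added example that is not code from the original article or from the ICO: a small consent gate that refuses to load any non-essential script (here Google Analytics, with a placeholder measurement ID) until a visitor accepts, remembers a refusal across visits, re-asks when the stored choice has expired or your policy version changes, and lets consent be withdrawn as easily as it was given. The storage key, the six-month validity and the `G-PLACEHOLDER` ID are assumptions for the example; storage and the script loader are injected so the same logic runs against `window.localStorage` in a browser and against an in-memory stand-in offline.

```javascript
// Added example (not from the original article or the ICO): a consent gate for
// non-essential scripts. Nothing non-essential loads until accept() has been
// recorded, and a recorded refusal is honoured on later visits.

const CONSENT_KEY = 'cookie_consent_v1';            // assumed storage key, not a legal requirement
const CONSENT_VERSION = 1;                           // bump when the cookie policy changes to force a fresh ask
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;    // assumed six-month validity of a recorded choice

class ConsentGate {
  constructor({ storage, loadScript, now = () => Date.now() }) {
    this.storage = storage;        // getItem/setItem/removeItem, e.g. window.localStorage
    this.loadScript = loadScript;  // called with a URL only after consent is on record
    this.now = now;
    this.loaded = new Set();
    this.pending = [];             // non-essential scripts registered before any decision exists
  }

  // 'accepted', 'rejected', or null when no valid decision is stored
  // (absent, unparsable, from an older policy version, or expired).
  decision() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    let record;
    try { record = JSON.parse(raw); } catch (e) { return null; }
    if (record.version !== CONSENT_VERSION) return null;
    if (typeof record.expires !== 'number' || record.expires < this.now()) return null;
    return record.choice === 'accepted' ? 'accepted' : 'rejected';
  }

  // Register a non-essential script. It loads immediately only if acceptance is
  // already recorded; otherwise it waits for accept() and is discarded by reject().
  register(url) {
    if (this.decision() === 'accepted') this.load(url);
    else this.pending.push(url);
  }

  accept() {
    this.store('accepted');
    for (const url of this.pending) this.load(url);
    this.pending = [];
  }

  reject() {
    this.store('rejected');      // the consent record itself is strictly necessary, so storing it needs no consent
    this.pending = [];
  }

  withdraw() {                   // withdrawing must be as easy as giving consent
    this.storage.removeItem(CONSENT_KEY);
    this.pending = [];
  }

  store(choice) {
    const record = { version: CONSENT_VERSION, choice, expires: this.now() + CONSENT_TTL_MS };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(record));
  }

  load(url) {
    if (this.loaded.has(url)) return;
    this.loaded.add(url);
    this.loadScript(url);
  }
}

// Constructed in-memory stand-in for localStorage so the scenario runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Worked scenario: first visit, refusal, return visit, acceptance, then expiry.
// Returns how many non-essential scripts had loaded at each stage.
function demo() {
  const storage = memoryStorage();
  const loaded = [];
  const clock = () => 1700000000000;   // fixed clock so the scenario is deterministic
  const analytics = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'; // placeholder ID

  const visit1 = new ConsentGate({ storage, loadScript: (u) => loaded.push(u), now: clock });
  visit1.register(analytics);          // no decision yet: nothing loads
  const beforeDecision = loaded.length;
  visit1.reject();
  const afterReject = loaded.length;

  const visit2 = new ConsentGate({ storage, loadScript: (u) => loaded.push(u), now: clock });
  visit2.register(analytics);          // refusal remembered: still nothing loads
  const afterReturn = loaded.length;
  visit2.accept();                     // visitor changes their mind: the pending script loads now

  const later = new ConsentGate({ storage, loadScript: () => {}, now: () => clock() + CONSENT_TTL_MS + 1 });
  return { beforeDecision, afterReject, afterReturn, afterAccept: loaded.length,
           decision: visit2.decision(), decisionAfterExpiry: later.decision() };
}
```

In a browser, construct the gate with `window.localStorage` and a loader that appends a `<script>` element to `document.head`, call `register()` for each analytics or advertising script on page load, and wire the banner's two buttons to `accept()` and `reject()`. The banner itself is never shown while `decision()` returns a value, which is what makes the refusal stick; the one thing the gate writes before consent is the consent record, which is a strictly necessary cookie and exempt.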
A practical checklist for sole traders
Rather than a strict priority order, here is what you actually need to have in place:
A Privacy Policy that covers your UK GDPR obligations - who you are, what data you collect, why, how long you keep it, who you share it with, and what rights people have. For the full list of required contents, see UK website Privacy Policy requirements.
ICO registration if you process personal data (which you almost certainly do). Most sole traders fall into tier 1, the lowest fee band, and registration is straightforward through the ICO website; use the ICO's self-assessment tool first if you think an exemption might apply.
Your full legal name and a UK service address displayed on your website. If you trade under a business name, both the business name and your real name must be visible.
A cookie consent mechanism if you use non-essential cookies or similar technologies. At minimum, users must be able to decline before anything non-essential is set, declining must be as easy as accepting, and the choice must be honoured on that visit and on later ones.
A clear cancellation/returns policy if you sell to consumers, reflecting the statutory 14-day cooling off period. This can live in your T&Cs or as a standalone policy page.
None of this requires a lawyer. The regulations are written for businesses of all sizes, and the documents themselves do not need to be long. What they need to be is accurate about what you actually do. A short, honest Privacy Policy that correctly describes a simple business is better than a long, copied-from-elsewhere policy that does not match your actual practices.