Privacy Policy – have you checked yours …

Check Your Privacy Policy (and how to get one without tears)

You’d be surprised. We were. Three times in the last two weeks, we’ve seen sites with no Privacy Policy. All sites built for a lot more than Little Fire would have charged.

  • Got a contact form? You need a Privacy Policy.
  • Got analytics? You need a Privacy Policy.
  • Collecting any data at all about your visitors? You need a Privacy Policy.

It’s the law, and not just in the UK. Websites are worldwide; that’s rather the point. Wherever you collect data, whether you intended to or not, you need to comply with at least the spirit of that jurisdiction’s legislation. If that is not possible, you may need to localise your site so that functionality is limited in some regions.

Without one, you risk enforcement action and fines that could well finish off a small business.

The total value of UK GDPR fines issued for the 2023-2024 period is over £15.5 million – not a pie you want a slice of.

But My Website Builder Comes With a Privacy Policy

It’s easily overlooked during the website build. But, honestly, have you read the “out-of-the-box” WordPress privacy policy? We’ve seen a good number of sites with the placeholder text [business_name] still present.

You might as well insert [large_fine].

We’ve seen plenty of Shopify sites in the same state. Both platforms provide fair templates, but without careful review they are as good as useless.

Also, whatever the platform, Privacy Policy templates are generic, as are all the other policy documents they provide. If you pay attention and colour in all the placeholders, you might be alright. But it doesn’t take much to fall outside what a generic template covers. Amongst our clients are wine merchants, travel companies and tool manufacturers, all of whom either collect more data than most e-commerce stores or sell age-restricted products.

Either way, this needs to be reflected in their respective privacy policies.

UK GDPR + Data Protection Act 2018

If your website collects or uses any personal data (names, emails, cookies that identify users, etc.) you must tell people clearly what you’re doing with it. That obligation sits in the UK GDPR and the Data Protection Act 2018. In the ICO’s words, organisations must provide privacy information so people are informed about how their data is used (the “right to be informed”). (ICO)

Your notice needs to cover things like who you are (the controller), why you’re processing the data, your lawful basis, who you share it with, retention periods, and people’s rights (access, deletion, etc.). The ICO’s guidance spells out these ingredients and emphasises writing in plain English so normal humans can actually understand it. (ICO)

Cookies (PECR still matters)

If you use non-essential cookies (analytics, advertising, personalisation), UK rules under PECR mean you need informed, prior consent, and you can’t bury that consent inside a dusty Privacy Policy link. Prior consent means the tags stay off until the visitor opts in; a banner that merely announces cookies while they are already being set is not consent. Make it easy to understand and easy to manage (think: a clear banner and a preferences link that is always reachable). Strictly necessary cookies (a basket or login session, for instance) are exempt from the consent requirement, but you still have to tell people about them.

Not only that, but if you don’t gather consent properly, your Google Ads and Analytics data will be limited. With Google Consent Mode the tags honour the consent signals your banner sends: until a visitor grants analytics or advertising storage, those tags either don’t fire or run without setting their cookies (depending on how Consent Mode is configured), and your reporting is correspondingly thinner. If you want to build a detailed picture of your users’ behaviour, you need their consent.

What if you’re outside the UK but serve UK users?

The UK GDPR can still apply to organisations based overseas if they offer goods or services to people in the UK or monitor their behaviour (for example, via profiling for ads). In other words: if you target UK users, expect UK rules to bite. (ICO)

The EU and the rest of the world

EU GDPR

If you target people in the EU (even from the UK), the EU GDPR’s transparency rules apply. Articles 13 and 14 set out, in detail, what must appear in your privacy information. The regulation also has extraterritorial reach – so UK businesses that market to EU users or monitor their behaviour must comply. (GDPR)

United States (California – CCPA/CPRA)

If you have meaningful California traffic or customers, the CCPA/CPRA framework expects a clearly linked Privacy Policy explaining consumer rights (access, deletion, opt-out of “sale or sharing”, etc.). (California Attorney General)

Australia (Privacy Act 1988)

Entities covered by the Privacy Act must have a Privacy Policy. If you do business there or process data about Australians under the Act, you’ll need a policy that meets the Australian Privacy Principles. (OAIC)

Canada (PIPEDA)

PIPEDA governs private-sector organisations across Canada collecting, using or disclosing personal information in the course of commercial activity. Again, transparency is expected—explain what you collect, why and how. (priv.gc.ca)

If your website crosses borders, your Privacy Policy – and your wider data practices – should account for multiple regimes.

Practical reasons (beyond “because the law says so”)

  • Trust = conversion. People hand over data when they feel informed and in control. Clear privacy information reduces form-abandonment jitters.
  • Fewer support tickets. If your policy answers “What do you do with my data?” you’ll field fewer repeated queries.
  • Smoother vendor onboarding. Larger B2B customers and marketplaces often review your privacy posture before they’ll integrate or partner.
  • Team clarity. Writing it forces you to map what you actually collect, why, where it goes and how long you keep it. That’s invaluable when systems evolve.

What good looks like (a quick checklist)

Write in plain English (standard UK spelling) and include:

  1. Who you are (legal name, contact details; add DPO contact if you have one).
  2. What you collect (by category, not every field) and why (purposes).
  3. Lawful bases for each key purpose (consent, contract, legitimate interests, etc.).
  4. Who you share data with (types of recipients—e.g. cloud hosts, email providers, analytics).
  5. International transfers (if data leaves the UK/EU, say where and the safeguards used).
  6. Retention (how long or how you decide).
  7. People’s rights and how to exercise them (including complaints to the ICO).
  8. Automated decision-making if relevant (e.g. credit checks, fraud screening).
  9. Cookies: link to your cookie policy/controls; don’t rely on the Privacy Policy alone for consent.
  10. Versioning: “Last updated” date and a heads-up that you’ll publish material changes.

This mirrors the ICO’s advice to make privacy information complete, easy to find and easy to understand. (ICO)
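Two of the failures described above (template placeholders such as [business_name] left in the published text, and checklist sections that simply aren’t there) are easy to catch mechanically before anyone else does. The script below is an added example, not code from Little Fire or from any of the providers named on this page: it scans a policy’s text for leftover placeholders and for wording that each checklist item would normally carry. The keyword patterns, and both sample policies, are constructed for illustration; a “missing” result is a prompt to read that section, not a legal verdict.

```javascript
// Added example, not code from the original post: audit a Privacy Policy's
// text for template placeholders left in (e.g. "[business_name]") and for
// checklist sections that appear to be missing. Both sample policies below
// are constructed for illustration. Run with: node audit-policy.js

// Leftover placeholder shapes: WordPress-style "[business_name]",
// generator-style "{{ company }}" and filler text.
const PLACEHOLDER_PATTERNS = [
  /\[[a-z][a-z0-9_ ]*\]/gi,
  /\{\{[^}]+\}\}/g,
  /lorem ipsum/gi,
];

// The checklist items from the post, each with wording a policy covering the
// item would normally use. Heuristic only: "missing" means "go and read that
// section", not "non-compliant".
const CHECKLIST = {
  'who you are (controller, contact details)': /\b(data controller|controller|contact us|registered office)\b/i,
  'what you collect and why': /\b(we (collect|use|process)|purposes?)\b/i,
  'lawful bases': /\b(lawful basis|legal basis|legitimate interests?|consent|performance of a contract)\b/i,
  'who you share data with': /\b(share|disclose|recipients?|third parties|processors?)\b/i,
  'international transfers': /\b(outside the (uk|eea|eu)|international transfers?|standard contractual clauses|adequacy)\b/i,
  'retention': /\b(retain|retention|how long)\b/i,
  'your rights': /\b(right to (access|erasure|rectification|object)|your rights|rights you have|subject access)\b/i,
  'complaints to the ICO': /\b(ico|information commissioner)\b/i,
  'cookies': /\bcookies?\b/i,
  'last updated date': /\b(last updated|last modified|effective date)\b.{0,30}\b\d{4}\b/i,
};

// Constructed sample: a lightly edited platform template with the placeholder
// still in and several checklist items absent.
const SAMPLE_POLICY = `
Privacy Policy
Who we are
Our website address is https://example.com. [business_name] is the data controller.
What personal data we collect and why
When visitors leave a review we collect the name and email shown in the form.
Cookies
If you leave a review you may opt in to saving your name in cookies.
Who we share your data with
If you request a password reset, your IP address is included in the reset email.
What rights you have over your data
You can ask us to erase any personal data we hold about you.
`;

// Constructed sample of a policy that covers every checklist item.
const FIXED_POLICY = `
Privacy Policy (last updated 3 March 2025)
Who we are: Example Wine Merchants Ltd is the data controller. Contact us at privacy@example.com.
What we collect and why: we collect your name, email and order details to fulfil your order and, with your consent, to send offers.
Lawful basis: performance of a contract for orders; consent for marketing; legitimate interests for fraud screening.
Who we share data with: our payment processor, courier and email provider; we never sell your data.
International transfers: some providers are outside the UK; we rely on the UK addendum to the standard contractual clauses.
Retention: order records are retained for 7 years; marketing data until you withdraw consent.
Your rights: access, rectification, erasure and objection; you may also complain to the ICO.
Cookies: see our Cookie Policy and the preferences link in the footer.
`;

// Every distinct placeholder token still present in the text.
function findPlaceholders(text) {
  const found = new Set();
  for (const pattern of PLACEHOLDER_PATTERNS) {
    for (const match of text.matchAll(pattern)) found.add(match[0]);
  }
  return [...found];
}

// Checklist items (in checklist order) whose expected wording never appears.
function missingSections(text) {
  return Object.entries(CHECKLIST)
    .filter(([, pattern]) => !pattern.test(text))
    .map(([name]) => name);
}

// Combined report; "passes" is true only when both lists are empty.
function auditPolicy(text) {
  const placeholders = findPlaceholders(text);
  const missing = missingSections(text);
  return { placeholders, missing, passes: placeholders.length === 0 && missing.length === 0 };
}

console.log(JSON.stringify(auditPolicy(SAMPLE_POLICY), null, 2));
console.log(JSON.stringify(auditPolicy(FIXED_POLICY), null, 2));
```

Run it against the text of your live policy (copy the rendered page text into a file and read it in) after every change of tooling or template, and treat a non-empty placeholder list as a release blocker.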

UK-based places to get a Privacy Policy online

If you don’t have an in-house lawyer, you’ve still got options. A few reputable, UK-based routes:

  • ICO Privacy Notice Generator (free). Ideal for sole traders, start-ups and SMEs to produce a bespoke notice that hits the legal essentials. It’s a great baseline even if you later upgrade. (ICO)
  • SEQ Legal / Docular (templates). Long-standing UK provider with website privacy policy templates designed for UK and EU compliance; downloadable versions available. (Seq Legal)
  • Net Lawman (templates + guidance). UK-focused templates with editing notes to tailor for your site or app; different vertical variants available. (Net Lawman)
  • Simply-Docs (templates). Practical, up-to-date website privacy policy packs frequently used by UK SMEs; often surfaced via UK small-business hubs like TechDonut. (Tech Donut, Eco-Logbook)

Friendly note: generators and templates are a strong start, but your policy must reflect reality—what your site collects, your systems and your vendors. If you change tools (say, you add a new CRM or ad network), update the policy and your consent mechanisms.

How we bake it into your site (the practicalities)

When we launch or refresh a site, we usually recommend:

  • Permanent footer link to your Privacy Policy (and Cookie Policy).
  • Cookie banner and preferences panel that actually control the tags: non-essential tags default to off and only fire once consent is given, with the choice recorded and passed to Google Consent Mode where you use Google tags.
  • Data-capture forms with concise signposts to the relevant bits (lawful basis, key uses and links for more).
  • Versioning: publish a clear “last updated” date.
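The consent flow described in the PECR section and in the “cookie banner that actually controls tags” bullet above, as an added example that is not Little Fire’s own implementation: every non-essential signal is denied before any tag loads, the visitor’s banner choices become Google Consent Mode v2 signals and a versioned stored value, and scripts that don’t understand Consent Mode themselves are only loaded once their category is granted. The banner categories, the cookie value format and the tag registry are assumptions; `gtag('consent', 'default' | 'update', {...})` and the signal names are Google’s documented API. Tying the stored choice to a version number is what makes the “Last updated” item in the checklist bite: bump the version when the cookie policy changes and everyone is asked again.

```javascript
// Added example, not the agency's or Google's own code: a consent layer that
// defaults every non-essential signal to "denied", converts banner choices into
// Consent Mode v2 signals plus a versioned stored value, and decides which
// third-party scripts may load. Categories, cookie format and tag registry are
// assumptions. Runs under Node: node consent.js

// Banner categories the visitor can toggle (assumed design). Strictly necessary
// cookies are not a choice: they need no consent, only a mention in the policy.
const CATEGORIES = ['analytics', 'advertising', 'personalisation'];

// Consent Mode signals each banner category controls (Google's signal names).
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  personalisation: ['personalization_storage'],
};

// Bump when the cookie policy changes materially: choices stored under an older
// version are discarded and the visitor is asked again.
const CONSENT_VERSION = 2;

// Scripts that do not understand Consent Mode and must be held back until their
// category is granted (constructed registry). Google's own tags honour the
// consent signals and may load regardless.
const THIRD_PARTY_TAGS = [
  { id: 'session-cookie', category: 'necessary' },
  { id: 'heatmap-widget', category: 'analytics' },
  { id: 'ad-pixel', category: 'advertising' },
  { id: 'recommendations', category: 'personalisation' },
];

// dataLayer and gtag as in Google's standard snippet, minus "window" so the
// file also runs in Node.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Default state pushed before gtag.js loads: everything optional is denied;
// security_storage (fraud prevention, login) is strictly necessary.
function defaultConsent() {
  const consent = { security_storage: 'granted' };
  for (const signals of Object.values(SIGNALS_BY_CATEGORY)) {
    for (const signal of signals) consent[signal] = 'denied';
  }
  return consent;
}

// Banner choices -> consent update. Only an explicit true grants anything, so a
// partial or malformed choice object fails closed.
function consentUpdate(choices) {
  const update = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const state = choices && choices[category] === true ? 'granted' : 'denied';
    for (const signal of signals) update[signal] = state;
  }
  return update;
}

// Stored value for the visitor's choices, e.g. "v2;analytics=1;advertising=0;personalisation=0".
function serialiseChoices(choices) {
  const parts = CATEGORIES.map((c) => `${c}=${choices[c] === true ? 1 : 0}`);
  return `v${CONSENT_VERSION};${parts.join(';')}`;
}

// Inverse of serialiseChoices; null means "no usable consent, show the banner".
function parseChoices(value) {
  if (typeof value !== 'string') return null;
  const [version, ...parts] = value.split(';');
  if (version !== `v${CONSENT_VERSION}`) return null; // stale: policy changed since
  const choices = {};
  for (const part of parts) {
    const [category, flag] = part.split('=');
    if (CATEGORIES.includes(category)) choices[category] = flag === '1';
  }
  return CATEGORIES.every((c) => c in choices) ? choices : null;
}

// Registered scripts allowed under these choices (no choice -> necessary only).
function tagsAllowedToLoad(choices) {
  return THIRD_PARTY_TAGS
    .filter((t) => t.category === 'necessary' || (choices !== null && choices[t.category] === true))
    .map((t) => t.id);
}

// Page-load sequence: defaults first, then a stored current choice if present.
function initialiseConsent(storedCookieValue) {
  gtag('consent', 'default', defaultConsent());
  const choices = parseChoices(storedCookieValue);
  if (choices) gtag('consent', 'update', consentUpdate(choices));
  return { showBanner: choices === null, tagsToLoad: tagsAllowedToLoad(choices) };
}

// Banner submit handler: value to persist, update for Google, scripts to load.
function onBannerSubmit(choices) {
  gtag('consent', 'update', consentUpdate(choices));
  return { cookieValue: serialiseChoices(choices), tagsToLoad: tagsAllowedToLoad(choices) };
}

console.log(initialiseConsent(undefined));        // first visit: banner shown, necessary only
console.log(onBannerSubmit({ analytics: true })); // analytics granted, the rest denied
```

In the browser, `initialiseConsent` must run in an inline script above the `gtag.js` include so the default lands on the dataLayer before the tag reads it, `cookieValue` is written with `document.cookie` (or to localStorage) with an expiry no longer than your policy states, and `tagsToLoad` drives the injection of the script elements; the preferences link in the footer simply re-opens the banner and calls `onBannerSubmit` again.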

Final thought

This is your responsibility, not your designer’s and not your web developer’s. We can advise and we can help, but ultimately the buck stops with the business owner.

A Privacy Policy isn’t a box-ticking PDF; it’s an essential part of your business’s governance. And a company without governance cannot grow safely. You should have had one before you got as far as building a website. Get the legal basics right, write like a human, keep it current and integrate it cleanly into your user journey. Your customers might – and your future self will – thank you.

If you’d like help mapping your data flows, implementing a compliant cookie banner or weaving a compliant Privacy Policy into your site footer, call us: it’s what we do.

This post is practical guidance, not legal advice. For complex setups or cross-border processing, do speak with a qualified lawyer.

References: ICO guidance on privacy information and small-org notices; DPA 2018 overview; PECR cookie consent guidance; EU GDPR Articles 13/14 and Article 3 (territorial scope); UK GDPR territorial scope; CCPA; OAIC guidance (Australia); PIPEDA overview; UK-based policy providers listed above. (ICO, GDPR, California Attorney General, OAIC, priv.gc.ca, Seq Legal, Net Lawman, Tech Donut, Eco-Logbook, lawbite.co.uk)