Privacy Policy for Small Businesses: What It Must Include in 2026

Updated April 2, 2026

If your website collects any personal information — and almost every website does — you are legally required to have a privacy policy. Contact forms, analytics, email signups, and even cookies all count as personal data collection.

What UK law requires (UK GDPR)

Your privacy policy must state: what data you collect, why you collect it, who you share it with, how long you keep it, and how people can exercise their data rights (access, correction, deletion). The ICO can fine up to £17.5 million for serious breaches.

What US law requires

California (CCPA) requires disclosure of data collection practices and a “Do Not Sell My Information” link. Multiple states now require privacy policies for any business collecting personal data. The FTC considers it deceptive to collect data without disclosure.

Common mistakes

Using a generic template without customising it. Not mentioning specific tools you use (Google Analytics, Mailchimp, chatbots). Not updating it when you add new tools. Hiding it so deeply that visitors cannot find it. Your privacy policy should be linked from the footer of every page.