Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR), any website that collects personal data or uses cookies must have a privacy policy and, where required, a cookies policy. These are legal requirements — not optional extras. Generate a free website privacy and cookies policy here.
Table of Contents
- 1 Create your Free Website Privacy Policy and Cookie Policy
- 2 Guide to Website Privacy and Cookie Policies
- 2.1 Introduction to Website Privacy Policies
- 2.2 Who needs a privacy and cookie policy?
- 2.3 What must a UK privacy policy include?
- 2.4 Cookie consent under PECR
- 2.5 Keeping your policy up to date
- 2.6 Understanding Cookies: A Business Guide
- 2.7 Crafting Your Privacy Policy: Key Elements
- 2.8 Incorporating Cookies Policy: Best Practices
- 2.9 ICO Registration — Do You Need to Register?
- 2.10 UK GDPR vs EU GDPR — What’s the Difference?
- 3 Related legal documents
Create your Free Website Privacy Policy and Cookie Policy
Fill in the form below to have a free customised Website Privacy and Cookie Policy emailed to you in Word format. No credit card, sign-up or subscription needed.
Guide to Website Privacy and Cookie Policies
Introduction to Website Privacy Policies
A website privacy policy is a legal document that details how a business collects, uses, maintains, and discloses information gathered from its users. This policy is crucial in building trust with your visitors, as it transparently outlines your practices regarding data handling. For businesses in England and Wales, adhering to the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) is essential. These laws necessitate clear communication with your users about their data, making a comprehensive privacy policy not just a legal requirement, but also a cornerstone of consumer confidence.
Your privacy policy should be easily accessible on your website, preferably linked in the footer, so users can review it before engaging with your site. The clarity of this document is paramount; it should avoid legal jargon, making it understandable to the layperson. Remember, the goal is to inform your users, not confuse them. This transparency not only builds trust but also demonstrates your commitment to protecting user privacy, a critical factor in today’s digital age.
The development of a privacy policy should be an ongoing process, reflecting changes in laws, business practices, and technologies. Regular reviews and updates are necessary to ensure continued compliance and relevance. Engaging with a legal professional to draft or review your privacy policy can provide an additional layer of assurance, ensuring that your business stays aligned with current legal standards.
The content of your privacy policy will vary depending on the nature of your business, the data you collect, and how you use that data. However, common elements include types of collected information (personal and non-personal), usage of the data, data protection measures, and the rights of users. Tailoring your privacy policy to your specific business practices is essential for accuracy and effectiveness.
Who needs a privacy and cookie policy?
If your website does any of the following, you need a privacy policy:
- Has a contact form that collects names and email addresses
- Has user accounts or registration
- Processes orders or payments
- Uses Google Analytics or any other tracking tool
- Uses remarketing pixels (Facebook, Google Ads, LinkedIn)
- Uses live chat software
- Sends marketing emails or newsletters
Almost every business website falls into at least one of these categories. If yours doesn’t collect any data at all — no analytics, no forms, no cookies — you may not need one. But that is an unusual edge case.

What must a UK privacy policy include?
Under UK GDPR (Article 13/14), your privacy policy must tell users:
- Who the data controller is (your company name and contact details)
- What personal data you collect and why (the legal basis for processing)
- Who you share data with (third-party processors, analytics providers, etc.)
- How long you retain data
- Users’ rights — to access, rectify, erase, restrict, and port their data
- The right to complain to the ICO
- Whether data is transferred outside the UK
Cookie consent under PECR
Under PECR, cookies that are not strictly necessary for the functioning of the website require the user’s prior consent before being set. This means:
- Analytics cookies (Google Analytics, etc.) — require consent
- Marketing and tracking cookies (ad pixels, retargeting) — require consent
- Session cookies necessary for login/basket — do not require consent
The ICO has been clear that pre-ticked boxes and vague “by continuing to use this site” language do not constitute valid consent. You need a proper cookie banner with genuine opt-in for non-essential cookies.
Keeping your policy up to date
Your privacy policy should be updated whenever you change how you collect, use, or store personal data — for example, if you add a new analytics tool, change your CRM, or start email marketing. It is good practice to review it at least annually. Your policy should include the date it was last updated.
Understanding Cookies: A Business Guide
Cookies are small pieces of data stored on a user’s device when they visit a website. They play a crucial role in enhancing user experience by remembering preferences and providing tailored content. However, from a business perspective, it’s vital to understand that cookies also fall under the purview of privacy regulations. In England and Wales, the Privacy and Electronic Communications Regulations (PECR) work alongside the GDPR, governing the use of cookies and similar technologies.
The use of cookies must be transparent, requiring businesses to inform users about their cookie practices and obtain consent before placing cookies on their devices. This consent must be informed, meaning the user should understand what they are agreeing to. A clear and concise cookies policy, detailing the types of cookies used (such as necessary, performance, targeting), their purposes, and how users can manage their preferences, is essential.
For businesses, cookies are valuable tools for website analytics, advertising, and functionality improvements. However, the balance between utility and user privacy must be carefully managed. Implementing a cookie management solution that allows users to give, deny, or withdraw consent can help ensure compliance while maintaining the benefits cookies offer to both users and businesses.
Best practices in cookie management include conducting regular audits of cookie use, ensuring up-to-date consent mechanisms, and providing clear instructions for users wishing to change their cookie settings. Keeping your cookies policy aligned with your privacy policy further enhances transparency and user trust.
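The PECR rule above (non-essential cookies only after prior, genuine opt-in; pre-ticked boxes and "by continuing" language do not count) and the cookie management solution described in the previous section (give, deny, withdraw) can be enforced in code rather than left to the banner's wording. The following is an added example, not code from this page or from any policy generator it describes: a small consent gate whose default state refuses every non-essential category, treats a missing or unknown choice as refusal, only writes a cookie once its category has been affirmatively consented to, and purges already-set cookies when consent is withdrawn. The cookie inventory (`session_id`, `basket`, `_ga`, `_fbp`) and the `Map` standing in for `document.cookie` are constructed so the example runs in Node without a browser.

```javascript
// Added example (not the page's code): a consent gate implementing the PECR
// rule that non-essential cookies require prior, affirmative opt-in.

// Hypothetical cookie inventory for a small shop site (constructed for this example).
const COOKIE_CATEGORIES = {
  session_id: "necessary",  // keeps the user logged in
  basket: "necessary",      // shopping basket contents
  _ga: "analytics",         // analytics client id
  _fbp: "marketing",        // ad pixel browser id
};

const NON_ESSENTIAL = ["analytics", "marketing"];

// `jar` stands in for document.cookie so the example runs outside a browser;
// `now` is injectable so the consent record can be checked deterministically.
function createConsentManager(jar = new Map(), now = () => new Date().toISOString()) {
  // Default state: every non-essential category refused (no pre-ticked boxes).
  const consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  const auditLog = []; // one entry per explicit choice, i.e. the consent record

  // Cookies not in the inventory are treated as non-essential and refused (fail closed).
  function categoryOf(name) {
    return COOKIE_CATEGORIES[name] || "unknown";
  }

  function canSet(name) {
    const cat = categoryOf(name);
    if (cat === "necessary") return true;
    return consent[cat] === true;
  }

  // Delete any cookie whose category is no longer consented to.
  function purge() {
    for (const name of [...jar.keys()]) {
      if (!canSet(name)) jar.delete(name);
    }
  }

  return {
    // Records an explicit choice. Only categories the user actively set to
    // true are granted; a missing key counts as refusal, never as consent.
    recordChoice(choices) {
      for (const cat of NON_ESSENTIAL) {
        consent[cat] = choices[cat] === true;
      }
      auditLog.push({ at: now(), choices: { ...consent } });
      purge();
      return { ...consent };
    },
    canSet,
    // Returns true if the cookie was written, false if the gate blocked it.
    setCookie(name, value) {
      if (!canSet(name)) return false;
      jar.set(name, value);
      return true;
    },
    // Withdrawal is recorded like any other choice and removes that category's cookies.
    withdraw(category) {
      return this.recordChoice({ ...consent, [category]: false });
    },
    // The consent record to keep alongside the policy: when, and what was chosen.
    consentRecord() {
      return auditLog.map((e) => ({ at: e.at, choices: { ...e.choices } }));
    },
  };
}
```

In a real site the `jar` would be replaced by calls that set and expire `document.cookie` entries (or by the tag manager's loading hooks for third-party scripts), but the decision logic stays the same: nothing outside the "necessary" category is written until `recordChoice` has been called with that category set to `true`, and the banner's "accept all" and "reject all" buttons both map onto the same `recordChoice` call.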
Crafting Your Privacy Policy: Key Elements
When crafting your website privacy policy, attention to detail and clarity are paramount. Key elements to include are: the identity and contact details of your business, the types of personal data collected, the purposes and legal basis for processing this data, and details on data sharing and transfer. Additionally, it is important to inform users of their rights under the GDPR, including access, correction, deletion, and data portability.
Transparency about data retention periods and the measures taken to ensure data security are also crucial. Your policy should explain how users can exercise their rights, lodge complaints, and how they will be informed of updates to the policy. Including information on automated decision-making processes, if applicable, can further enhance the comprehensiveness of your policy.
When drafting your privacy policy, consider the user’s perspective. The document should not only comply with legal requirements but also serve as a communication tool between your business and your users. Employing clear, concise language and avoiding unnecessary legal jargon can make your policy more accessible and understandable.
Regular reviews and updates to your privacy policy are essential, especially as your business evolves and as legal and technological landscapes change. Ensuring your policy reflects current practices and legal standards is crucial for maintaining compliance and user trust.
Incorporating Cookies Policy: Best Practices
Including a cookies policy within your privacy policy, or as a separate document, is a best practice that businesses in England and Wales should follow. This policy should detail the types of cookies used, their purposes, and how users can manage their preferences. Obtaining informed consent for cookie usage is a legal requirement, and your policy should clearly articulate how consent is obtained and recorded.
A user-friendly approach, such as an interactive consent mechanism that allows users to choose their cookie preferences, can enhance compliance while respecting user autonomy. Transparency about the use of third-party cookies is also critical, as users must be aware of how their data may be shared with or used by external parties.
Educating your users about cookies—why they are used, how they enhance the website experience, and how users can control their cookie preferences—is an essential aspect of your cookies policy. This education can help demystify cookies for users and mitigate privacy concerns.
Regular audits and updates to your cookies policy ensure it remains accurate and compliant with current regulations. Engaging with legal professionals or data privacy experts can provide valuable insights and help maintain the effectiveness and compliance of your cookies policy.
ICO Registration — Do You Need to Register?
Most UK businesses that process personal data (which includes holding a mailing list, using website analytics, or storing customer records) are required to pay the Information Commissioner’s Office (ICO) data protection fee. The fee is £40 per year for micro and small organisations. Failure to register when required to do so is a criminal offence. There are limited exemptions (for example, personal, household, or journalistic purposes), but most commercial websites will need to register. You can check whether you need to register on the ICO website.
UK GDPR vs EU GDPR — What’s the Difference?
Since Brexit, the UK has its own data protection regime — the UK GDPR — which was derived from the EU GDPR but is now a separate legal instrument. For most UK-based businesses dealing primarily with UK customers, the UK GDPR is the relevant law, supplemented by the Data Protection Act 2018.
If your website has EU customers or users, you may also need to comply with the EU GDPR in addition to (not instead of) the UK GDPR. In practice, a well-drafted UK GDPR privacy policy will satisfy most of the EU GDPR requirements, but you may need specialist advice if your EU user base is significant.
Related legal documents
- Free Website Terms & Conditions Generator
- Free Terms & Conditions for Selling Goods Online
- Free Digital Products Terms & Conditions Generator