JalenBuilds blog / checklist / §48 jalenbuilds.com Updated 06/27

Do I need a privacy policy on my website?

If your site has a contact form or runs analytics, the answer is almost certainly yes. Here is what actually triggers the requirement, what the policy needs to say, and how to get one without overpaying.

It is one of those questions that is easy to put off. The site is up, leads are coming in, and a privacy policy feels like paperwork for big companies. Then you go to run a Google Ad, or set up analytics, or someone emails asking how you store their information, and suddenly it is not optional.

For almost every small business website, the honest answer is yes — you need one. But the reason has less to do with your size and more to do with a single question: does your site collect any personal information at all? If it does, a privacy policy is part of doing it properly.

The short answer

If your website does any of the following, you need a privacy policy:

  • Has a contact form, booking form, or newsletter signup.
  • Runs analytics (Google Analytics, Plausible, or similar).
  • Uses cookies, including the ones ad and analytics tools set automatically.
  • Runs ads through Google or Meta, or plans to.
  • Sells anything, or takes payments of any kind.

That covers nearly every business site. The requirement is triggered by the data you collect, not by your revenue, your headcount, or whether you think of yourself as a "tech" company.

One thing to be clear about up front: this article is general guidance to help you understand the landscape, not legal advice. For your exact situation — especially if you are in a regulated industry — talk to a lawyer.

What actually triggers the requirement

1. You collect personal data

This is the broad one. Personal data means anything that can identify a person: a name, an email address, a phone number, an IP address. A contact form collects it. An email list collects it. Even basic analytics collects IP addresses. Privacy laws across most of the world are built around the idea that if you collect personal data, you must tell people what you are doing with it. That disclosure is what a privacy policy is.

2. You have visitors from the EU or UK (GDPR)

The EU's GDPR and the UK's equivalent apply based on whose data you handle, not where your business is. If people in those regions can visit your site and you collect their data, the law can reach you — even as a small US business. GDPR specifically requires a clear privacy notice. You do not have to be targeting Europe; you just have to be reachable, which every public website is.

3. You have visitors from California and other US states (CCPA and similar)

California's CCPA/CPRA gives residents the right to know what data is collected about them and to ask for it to be deleted. Several other US states have passed similar laws, and the list keeps growing. These laws have size and revenue thresholds, so the smallest businesses may fall below them — but the safe and simple move is to have a policy that explains your practices regardless, because the thresholds change and a clear policy costs little.

4. The tools you use require one

This is the trigger that catches most small businesses first, and it has nothing to do with government regulators. Google Analytics, Google Ads, Meta's ad platform, and most email and form services require a privacy policy in their terms of service. If you run analytics or ads without one, you are out of compliance with the tool, and accounts do get suspended for it. For a lot of owners, this is the practical reason the policy finally gets written.

What a privacy policy needs to include

A good small business privacy policy is short, specific, and accurate. It should answer these questions about your actual site — not a generic template's:

  • What you collect. List the data: names and emails from your contact form, analytics data, cookies, payment details if you take them.
  • How you collect it. Through forms, through analytics scripts, through cookies set by third-party tools.
  • Why you collect it. To respond to inquiries, to send a newsletter someone signed up for, to understand site traffic.
  • Who you share it with. Name the third-party tools — your analytics provider, email service, and form service all receive data.
  • How long you keep it and how it is protected. A plain statement of your retention and basic security practice.
  • What rights visitors have. How someone can ask to see, correct, or delete their data, and that you will honor those requests.
  • How to contact you. A real email address (for most of these sites, contact@jalenbuilds.com-style) where privacy requests go.

The single most important quality is accuracy. A privacy policy that describes data practices you do not actually have is worse than no policy, because it misrepresents what you do. Make it match your real site.

How to actually get one

There are three realistic paths, and the right one depends on how much data you handle.

A privacy policy generator

For a standard service business site — a contact form, analytics, maybe an email list — a reputable privacy policy generator is usually enough to start. The good ones ask which tools you use and produce a policy that reflects them. Many are free or cost $10-50. The key is to choose one that asks specific questions, then read the result and confirm it actually matches your site.

A lawyer-drafted policy

If you handle sensitive data (health, financial, anything about children), sell to EU customers at scale, or operate in a regulated industry, have a lawyer draft it. This typically costs a few hundred to a few thousand dollars and is worth it when the cost of getting it wrong is high.

What to avoid

Do not copy another business's privacy policy. It describes their data practices, not yours, so it is inaccurate from the first day — and it is often copyrighted. The whole point of the document is that it is true about your site.

Where the policy goes

Once you have a policy, it needs to be easy to find. The standard pattern is a "Privacy Policy" link in your website footer, visible on every page. If you have a contact form or newsletter signup, link to the policy near the submit button so people can read it before they hand over their information. If you run ads, the ad platform will often ask you to confirm the policy is live at a public URL.

If you are setting up a new site, this is a small thing to get right at launch rather than bolt on later — it belongs on the same checklist as your sitemap, your contact form testing, and your analytics setup.

FAQ

Do I legally need a privacy policy for my small business website?
Almost certainly yes. If your site collects any personal information — a contact form with a name and email, a newsletter signup, or analytics that tracks visitors — privacy laws and the terms of the tools you use require a privacy policy. There is no business too small to be exempt; the requirement is triggered by the data you collect, not your size. This is general guidance, not legal advice — consult a lawyer for your specific situation.
What happens if I don't have a privacy policy?
Two kinds of risk. Legal exposure: laws like the EU's GDPR and California's CCPA/CPRA carry fines and can apply to you even if you are based elsewhere, as long as you have visitors from those regions. And platform risk: Google Analytics, Google and Meta ads, and most email and form services require a privacy policy in their terms — running them without one can get your account suspended. For most small businesses, the platform risk is the more immediate one.
Can I just copy another company's privacy policy?
No — and it can backfire. A copied policy describes the other company's data practices, not yours, so it is inaccurate the moment you publish it, and an inaccurate policy can be treated as a misrepresentation of how you handle data. It is also often copyrighted. Use a reputable generator that asks about your specific tools, or have one drafted, so it reflects what your site actually does.
Do I need a privacy policy if I only have a contact form?
Yes. A contact form collects personal information — at minimum a name, email, and the message text. That is exactly what privacy laws cover. You need a policy that explains what the form collects, why, where it is stored, and how someone can ask you to delete it. The same applies to a newsletter or booking form.
How much does a privacy policy cost?
Free to a few hundred dollars for most small businesses. Reputable generators offer free or low-cost ($10-50) policies that cover a contact form, analytics, and an email list. A lawyer-drafted policy runs a few hundred to a few thousand dollars and makes sense for sensitive data, EU customers at scale, or regulated industries. For a simple service business site, a generator-based policy checked for accuracy is usually enough to start.

Not sure whether your site is collecting data you have not accounted for — or whether your contact form, analytics, and policy actually line up? A site audit checks your privacy and data-collection setup alongside speed, SEO, and lead capture. If you are building or rebuilding a site and want the basics handled right from launch, a project brief is the fastest way to start.