Privacy Policy for Small Business: What You Actually Need (2026 Guide)
Most small business privacy policies either say too little (exposing you to fines) or copy-paste legal boilerplate that doesn't match what they actually do (also a violation). Here's exactly what needs to go in yours.
Do You Actually Need a Privacy Policy?
Almost certainly yes, if any of the following apply to your business:
- Your website collects any personal information (including via contact forms, newsletter signups, or analytics)
- You use Google Analytics, Meta Pixel, or any other tracking technology
- You have customers or visitors from the EU, UK, or California
- You use an email marketing tool like Mailchimp or ConvertKit
- You sell anything online and collect shipping or billing addresses
- You have a mobile app
In practice, this covers nearly every modern business with an online presence. The cost of not having a policy isn't just fines — it's lost trust, failed app store reviews, and being excluded from ad networks that require one.
Quick answer for the impatient: If your site has a contact form, uses Google Analytics, or accepts payments — you need a privacy policy. Full stop.
What the Law Actually Requires
Two regulations drive most small business requirements: GDPR (the EU regulation, mirrored almost word for word by the UK GDPR), which applies to anyone offering goods or services to, or monitoring the behaviour of, people in the EU or UK, and CCPA (as amended by CPRA), which applies to businesses handling California residents' data above certain thresholds. The disclosures overlap heavily, so a policy written to GDPR standards covers most of CCPA; the gaps are CCPA-specific items such as the "Do Not Sell or Share My Personal Information" link and the right-to-know category disclosures. Other US states (Virginia, Colorado, Connecticut, Texas and more) now have similar laws, and a GDPR-grade policy generally satisfies their disclosure requirements too.
| Requirement | GDPR (EU/UK) | CCPA (California) |
|---|---|---|
| Who it covers | Any business offering goods or services to, or monitoring, people in the EU/UK, wherever the business is based | Businesses with over $25M annual revenue (inflation-adjusted), that handle personal data of 100,000+ consumers or households, or that get 50%+ of revenue from selling or sharing personal data |
| Privacy notice required | ✓ Yes, at the point of data collection | ✓ Yes, a conspicuous link (usually the footer) plus a notice at collection |
| Disclose data categories | ✓ Required | ✓ Required |
| State purpose of collection | ✓ Required | ✓ Required |
| Retention periods | ✓ Required (a period, or the criteria used to set it) | ✓ Required since CPRA (period or criteria, per category) |
| User rights (access, delete) | ✓ Required | ✓ Required |
| Legal basis for processing | ✓ Required | Not required |
| Cookie consent | ✓ Opt-in before any non-essential cookie is set (ePrivacy rules with GDPR-standard consent) | Opt-out of sale/sharing via a "Do Not Sell or Share" link; no opt-in banner required |
The 8 Sections Every Small Business Privacy Policy Needs
You don't need 30 pages. You need a policy that's honest, accurate, and covers the required disclosures. Here's the minimum viable structure:
1. Who You Are
Your full legal business name, address, and contact information. Under GDPR this identifies the "data controller" (plus your Data Protection Officer or EU/UK representative, if you have one). Under CCPA it is the business disclosure. This establishes who is legally responsible for the data.
2. What Data You Collect
Be specific and honest. List every category: name, email, IP address, location data, payment information, behavioral data (analytics), usage data, etc., and say whether it comes from the user directly, from their device (IP address, cookies), or from third parties. Vague language like "information you provide" is not sufficient under GDPR. If you collect it, disclose it.
3. Your Legal Basis (GDPR)
For GDPR, you must state the legal basis for each type of processing: consent, legitimate interests, contractual necessity, or legal obligation. For most small businesses, consent (email marketing), contractual necessity (order fulfillment), and legitimate interests (fraud prevention, analytics) cover most use cases. Legitimate interests is not a free pass: keep a written balancing test showing your interest is not overridden by the user's, and note that setting non-essential cookies still needs consent under the ePrivacy rules whatever basis you name for the processing that follows.
4. Why You Collect It
Explain each purpose: processing orders, sending newsletters, improving the product, preventing fraud, customer support, etc. Keep this aligned with your stated legal basis. You cannot later use data for a purpose you did not disclose.
5. Who You Share It With
List every third party that receives personal data: payment processors (Stripe), email providers (Mailchimp), analytics (Google), hosting (AWS, Vercel, Netlify), customer support tools (Intercom), etc. GDPR requires a Data Processing Agreement with each of them. You must also say whether data is transferred outside the EU/EEA or UK and what safeguards apply (for example Standard Contractual Clauses or the EU-US Data Privacy Framework).
6. How Long You Keep It
GDPR requires you to state the retention period for each category or, where a fixed period is genuinely impossible, the criteria used to decide it; "as long as necessary" on its own is not enough. Examples: "We retain contact form submissions for 24 months", "Order data is kept for 7 years for tax compliance", "Analytics data is retained for 26 months." Align this with your actual practice: storing data longer than stated is itself a violation.
7. User Rights and How to Exercise Them
Under GDPR: right to access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and withdrawal of consent. Under CCPA: right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information, and right to non-discrimination. Explain how users can exercise each right and your response timeline: one month under GDPR (extendable by two further months for complex requests, if you tell the user why), 45 days under CCPA (extendable once by another 45).
8. Cookies and Tracking
Explain that you use cookies, what categories (essential, analytics, marketing), and how users can manage their preferences. This section should link to or describe your cookie consent mechanism. Under GDPR it must state that consent can be withdrawn at any time, and withdrawing must be as easy as giving it.
The "Good vs. Bad" Privacy Policy Language Test
The following examples show the difference between vague language that does not satisfy regulators and specific language that does. In each pair the first quote is the bad version and the second is the good one:
Data Retention
Bad: "We retain your data for as long as necessary to provide our services."
Good: "We retain customer account data for the duration of your account and 3 years after closure. Order data is kept for 7 years for legal and tax compliance."
Third-Party Sharing
Bad: "We may share your information with trusted third parties."
Good: "We share your payment data with Stripe (payment processing), your email with Mailchimp (marketing emails), and pseudonymous usage data with Google Analytics. All processors are bound by Data Processing Agreements."
User Rights
Bad: "You have certain rights regarding your data. Please contact us for more information."
Good: "You have the right to request access to, correction of, or deletion of your personal data. Submit requests to privacy@yourdomain.com. We will respond within one month (45 days for California requests). EU and UK residents may also lodge a complaint with their local supervisory authority."
Where to Display Your Privacy Policy
Placement matters as much as content. Your privacy policy must be:
- Linked in your website footer — accessible from every page. This is the minimum.
- Linked at every data collection point — contact forms, signup forms, checkout pages. "By submitting, you agree to our Privacy Policy" with a working link.
- Linked before cookie consent — your cookie banner must reference your privacy policy before users give consent.
- Not behind a login wall — must be publicly accessible without creating an account.
- Not buried inside a combined terms-and-privacy document without clear section headings. Regulators treat that as obscuring required disclosures.
Common Mistakes That Get Businesses Fined
- Copying someone else's policy. If you copy a policy that doesn't match your data practices, you've now published inaccurate disclosures — which is worse than no policy.
- Using a free template that lacks jurisdiction-specific language. GDPR requires specific disclosures that CCPA doesn't and vice versa.
- Failing to update the policy when your practices change. Adding a new analytics tool or marketing platform without updating your policy is a violation.
- Listing data processors you don't actually use. Inflation to look "complete" can backfire — you're implying data-sharing that doesn't happen.
- A privacy policy without an actual cookie consent mechanism. Having the policy but loading tracking scripts before consent is a violation regardless of what the document says.
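The last point above, and the withdrawal requirement in the cookie section, are enforced in code rather than in the policy text: tracking tags must not be injected until the matching consent category is granted, and withdrawing consent has to stop further loads and remove the cookies that category set. The snippet below is an added example written for this guide, not code from the original page or from any consent-management product. The cookie name, script URLs and cookie lists are constructed for illustration; the one real design decision it shows is that a missing or tampered consent record fails closed to "nothing granted".

```javascript
// Added example: consent-gated loading of tracking scripts. Tags are injected
// only after the matching consent category is granted, a stored consent record
// that is missing or malformed counts as "no consent", and withdrawing consent
// stops further loads and deletes the cookies that category set.
// CONSENT_COOKIE, the script URLs and the cookie names are assumptions.

const CONSENT_COOKIE = "cookie_consent";            // assumed cookie name
const CATEGORIES = ["essential", "analytics", "marketing"];

// Assumed tag catalog: the consent category each third-party script needs and
// the cookies it is known to set (needed again when consent is withdrawn).
const SCRIPT_CATALOG = [
  { id: "analytics-tag", category: "analytics",
    src: "https://analytics.example.com/tag.js", cookies: ["_ga", "_gid"] },
  { id: "ads-pixel", category: "marketing",
    src: "https://ads.example.com/pixel.js", cookies: ["_fbp"] },
];

// Coerce whatever was stored or submitted into a strict consent record.
// Essential cookies need no consent; every other category defaults to false
// (no pre-ticked boxes) and unknown keys are dropped.
function normalizeConsent(raw) {
  const consent = { essential: true };
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;
    consent[cat] = raw !== null && typeof raw === "object" && raw[cat] === true;
  }
  return consent;
}

// Read the consent record from a document.cookie-style string. Anything that
// is absent or does not parse as our JSON record yields null, which callers
// treat as "nothing granted" rather than falling back to a permissive default.
function parseConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader).split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      return normalizeConsent(JSON.parse(decodeURIComponent(part.slice(eq + 1).trim())));
    } catch (e) {
      return null;                                  // tampered or truncated: fail closed
    }
  }
  return null;
}

// Pure decision: which catalog entries may load under this consent record.
function scriptsToLoad(consent, catalog = SCRIPT_CATALOG) {
  const c = normalizeConsent(consent);
  return catalog.filter(s => c[s.category] === true).map(s => s.id);
}

// Cookies to delete for every category that was granted before and is not now.
function cookiesToClear(previous, current, catalog = SCRIPT_CATALOG) {
  const before = normalizeConsent(previous), after = normalizeConsent(current);
  const names = new Set();
  for (const s of catalog) {
    if (before[s.category] && !after[s.category]) s.cookies.forEach(n => names.add(n));
  }
  return [...names];
}

// Apply a consent change. Side effects are injected so the logic runs (and is
// testable) without a browser; in a page the defaults touch the DOM. Scripts
// already on the page cannot be unloaded, so a withdrawal only blocks new
// loads and clears cookies; a reload after withdrawal gives a clean state.
function applyConsent(previous, current, hooks = {}, catalog = SCRIPT_CATALOG) {
  const inject = hooks.inject || (src => {
    const el = document.createElement("script");
    el.src = src; el.async = true;
    document.head.appendChild(el);
  });
  // Cookies set with an explicit Domain attribute must be deleted with the
  // same Domain; path=/ alone is enough for host-only cookies.
  const deleteCookie = hooks.deleteCookie || (name => {
    document.cookie = name + "=; Max-Age=0; path=/";
  });
  const wasAllowed = new Set(scriptsToLoad(previous, catalog));
  const loaded = [];
  for (const s of catalog) {
    if (scriptsToLoad(current, catalog).includes(s.id) && !wasAllowed.has(s.id)) {
      inject(s.src);
      loaded.push(s.id);
    }
  }
  const cleared = cookiesToClear(previous, current, catalog);
  cleared.forEach(deleteCookie);
  return { loaded, cleared };
}

// In a browser: on page load, honour the stored record and nothing more.
// With no record at all this injects nothing, which is the required default.
if (typeof document !== "undefined") {
  const stored = parseConsentCookie(document.cookie);
  applyConsent(null, stored);
}
```

The banner's "accept" and "withdraw" handlers call `applyConsent(previousRecord, newRecord)` and then write the new record to the consent cookie; the analytics and marketing tags never appear in the page source unconditionally. Running this in Node with the injected hooks is enough to verify the gating logic before it ships.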
How to Keep Your Policy Updated
Your privacy policy is a living document. You should review and update it:
- At least annually, even if nothing has changed
- Any time you add a new data collection mechanism (contact form, newsletter, analytics)
- Any time you switch or add a third-party tool that handles user data
- When major regulatory changes occur (new legislation, amended guidelines)
- When you expand to new markets or jurisdictions
Keep a version history and include a "Last Updated" date prominently at the top of the policy. Regulators look at this during investigations.
The Terms of Service Question
A privacy policy and terms of service are different documents serving different purposes. Your privacy policy explains how you handle data (a legal requirement). Your terms of service defines the user relationship, limits your liability, and sets rules for your service (a business protection document).
You need both. Most businesses that have one are missing the other.
Get a properly-drafted privacy policy in minutes
The Compliance Starter Pack generates a jurisdiction-specific privacy policy, terms of service, cookie consent banner, and accessibility widget for your exact business. One-time payment, immediate download.
Generate My Policy — $6.99
This guide is for informational purposes only and does not constitute legal advice. Privacy regulations vary by jurisdiction and change over time. For complex data practices or high-risk processing activities, consult a qualified data protection attorney or DPO.