
Does My Contact Form Need a Privacy Policy UK?

If your website has a contact form, you’ll almost certainly need a privacy policy. This is something a lot of people miss when they’re first putting a site together, but once you know what’s required, it’s fairly straightforward to fix.

Below is what needs to go into it, where it should sit on your site, and why templates often cause more problems than they solve.

Do I legally need a contact form privacy policy in the UK?

Yes, once your form starts collecting personal details (even just a name and email), you’re expected to have a privacy policy in place.

UK GDPR and the Data Protection Act 2018 require any website collecting personal data to publish a privacy policy. It doesn’t matter if submissions just land in a Gmail or Outlook inbox and you reply manually. Collecting that data puts you in the position of a data controller, even if you’re only responding to enquiries from a basic inbox, and data controllers must give people clear information about how their data will be used. This applies just as much to a one-person business as it does to a larger company. A lot of sole traders assume it only applies once you “scale up,” but that’s not how the law treats it.

The full picture on how UK GDPR applies to your website is in How to Make Your Small Business Website GDPR Compliant, which is worth reading alongside this article.

What must a privacy policy include for a UK website in 2026?

At a minimum, your privacy policy should cover a few key points. This is where most template policies fall short: they stay too vague to be useful. Name what data you collect, why you hold it, your lawful basis for processing it, who you share it with, how long you keep it, and how people can request deletion.

Article 13 of UK GDPR, the transparency requirement the ICO enforces, sets out this list precisely. Under ‘what data you collect,’ be specific. For example, if your form asks for a name, email, and message, say exactly that, not just “contact details.” Under ‘lawful basis,’ state it explicitly. For a typical ‘get in touch’ form, most businesses rely on legitimate interests, because you’re responding to someone who has actively contacted you, not sending follow-up marketing emails later.

Two details that are easy to overlook (and regularly missing when we review sites): you need to name yourself as the data controller, giving your business name and, if you are a limited company, your registered company number. You should also explain people’s rights, such as requesting access, asking for corrections or asking for their data to be deleted, which many shorter template policies skip over.

Where exactly should the privacy policy link appear?

Ensuring you have a contact form privacy policy in the UK is a matter of both legal compliance and user trust. In practice, you’ll want it in two places: your footer (so it’s always accessible) and right next to your contact form, where someone is about to submit their details.

A footer link on its own usually isn’t enough: most people won’t scroll down and go looking for legal pages before submitting a form. UK GDPR requires you to give people privacy information at the time you collect their data, so when someone is about to submit a contact form, a link to the policy needs to be visible right there. A simple line under the submit button is usually enough, something short and readable that doesn’t interrupt the form, for example: ‘We’ll use your details to respond to your enquiry: see our privacy policy.’ Alternatively, place the link directly beside the submit button.

Your footer link covers general browsing. The in-form link covers the moment of data collection. Both are required.

Can I use a template privacy policy?

You can start from a template, but you cannot leave it unchanged and call it compliant.

It’s surprisingly common to see templates still containing another company’s name, or leftover sections from whoever created the template in the first place. The ICO specifically advises that a privacy policy must reflect your actual processing activities. For example, a policy that mentions Google Analytics when your site doesn’t use it is technically inaccurate, and something the ICO would expect you to correct if challenged. One that does not mention the inbox where you store enquiries is incomplete.

Templates are fine as a starting point, but they’re not “set and forget”: they need going through line by line against how your site actually works.

What happens if I don’t have a privacy policy?

If someone fills in your contact form and later asks what data you hold on them, that counts as a Subject Access Request, and you’ll need to respond within 30 days.

Fines are possible, but in reality most small businesses notice the impact elsewhere first, usually when a customer hesitates because something feels incomplete or off. A formal data subject complaint via the ICO creates a paper trail regardless of whether a fine follows. In practice, it often comes down to comparison, especially for service businesses where people are deciding between two similar providers: the one with a properly set up site tends to feel more credible.

If you are also unsure about the checkbox and consent wording on your form, the article Do I Need a Checkbox on My Contact Form? UK GDPR covers exactly what to write and when you need explicit consent.

One thing worth checking while you review your privacy policy: the rest of your site’s compliance. UK law requires a privacy policy, cookie notice, terms and conditions, and the right business information in your footer. Platforms like Wix or Squarespace will give you template pages, but they don’t check whether you’ve filled them in correctly, or at all.

Already have a website? Most sites we review are missing at least one of these, often things like a missing cookie notice, incomplete company details in the footer, or a privacy policy that doesn’t match how the form works. Run it through our free compliance checker:

Check your website now →

Your website sorted properly, not just theoretically

Duport builds professional websites for UK small businesses. Every site includes the key legal pages, written to match your business, rather than copied from a generic template.

Duport’s website build starts from £360. Mention this article when you get in touch and we’ll honour the £144 rate.

This article is for general guidance. For advice specific to your business, speak to a qualified solicitor or data protection specialist.

FAQs

  • Does a sole trader need a privacy policy on their website?

Yes, this applies whether you’re a sole trader or a limited company; that’s another requirement people often assume only applies to larger businesses. If your site collects personal data, the requirement is the same.

  • Does my privacy policy need to mention cookies?

Yes, if your site uses cookies, which most sites do. Cookie use is typically covered in a separate cookie notice, but your privacy policy should reference it and link to it.

  • How often should I update my privacy policy?

Review your policy whenever data processing changes. This includes adding tracking tools, email marketing, or changing how you handle enquiries. Update it for legal changes too. The ICO updated its guidance in March 2026 following the DUAA 2025. Policies written before then may now be outdated.

  • Is my Wix or Squarespace website legally compliant in the UK?

Not automatically. UK law requires a privacy policy, cookie notice, and clear terms. Limited companies must also display their registered name and number. Most website builders provide basic templates. However, they do not check if your content is accurate or complete. Use our free website compliance checker to see what your site has and what it’s missing.

Check your website →