If your website has a contact form, you\u2019ll almost certainly need a privacy policy. This is something a lot of people miss when they\u2019re first putting a site together, but once you know what\u2019s required, it\u2019s fairly straightforward to fix.<\/p>\n
Below is what needs to go into it, where it should sit on your site, and why templates often cause more problems than they solve.<\/p>\n
Yes, once your form starts collecting personal details (even just a name and email), you\u2019re expected to have a privacy policy in place.<\/strong><\/p>\n UK GDPR and the Data Protection Act 2018 require any website collecting personal data to publish a privacy policy. It doesn\u2019t matter if it just lands in a Gmail or Outlook inbox and you reply manually. That puts you in the position of a data controller, even if you\u2019re just responding to enquiries from a basic inbox, and data controllers must give people clear information about how their data will be used. This applies just as much to a one-person business as it does to a larger company. A lot of sole traders assume this only applies once you \u201cscale up,\u201d but that\u2019s not how the law treats it.<\/p>\n The full picture on how UK GDPR applies to your website is in How to Make Your Small Business Website GDPR Compliant<\/a> worth reading alongside this article.<\/p>\n At a minimum, your privacy policy should cover a few key points. This is where most template policies fall short, they stay too vague to be useful. Name what data you collect, why you hold it, your lawful basis for processing it, who you share it with, how long you keep it, and how people can request deletion.<\/strong><\/p>\n The ICO’s transparency requirement, Article 13 of UK GDPR, sets out this list precisely. Under ‘what data you collect,’ be specific. For example, if your form asks for a name, email, and message, say exactly that, not just \u201ccontact details.\u201d Under ‘lawful basis,’ state it explicitly. For a typical \u2018get in touch\u2019 form, most businesses rely on legitimate interests, because you\u2019re responding to someone who has actively contacted you, not sending follow-up marketing emails later.<\/p>\n Two details that are easy to overlook (and regularly missing when we review sites): You need to name yourself as the data controller, your business name and, if you are a limited company, your registered number. You should also explain people\u2019s rights, like requesting access, corrections or asking for their data to be deleted, which many shorter template policies skip over.<\/p>\n Ensuring you have a contact form privacy policy in the UK is a matter of both legal compliance and user trust. In practice, you\u2019ll want it in two places: your footer (so it\u2019s always accessible) and right next to your contact form, where someone is about to submit their details.<\/strong><\/p>\n A footer link on its own usually isn\u2019t enough, most people won\u2019t scroll down and go looking for legal pages before submitting a form. UK GDPR requires you to give people privacy information at the time you collect their data. When someone is about to submit a contact form, a link to the policy needs to be visible right there. A simple line under the submit button is usually enough, something short and readable that doesn\u2019t interrupt the form. For example: \u2018We\u2019ll use your details to respond to your enquiry: see our privacy policy.’ or place the link directly beside the submission button.<\/p>\n Your footer link covers general browsing. The in-form link covers the moment of data collection. Both are required.<\/p>\n You can start from a template, but you cannot leave it unchanged and call it compliant.<\/strong><\/p>\n It\u2019s surprisingly common to see templates still containing another company\u2019s name, or leftover sections from whoever created the template in the first place. The ICO specifically advises that a privacy policy must reflect your actual processing activities. For example, a policy that mentions Google Analytics when your site doesn\u2019t use it is technically inaccurate, and something the ICO would expect you to correct if challenged. One that does not mention the inbox where you store enquiries is incomplete.<\/p>\n Templates are fine as a starting point, but they\u2019re not \u201cset and forget\u201d, they need going through line by line against how your site works.<\/p>\n If someone fills in your contact form and later asks what data you hold on them, that counts as a Subject Access Request, and you\u2019ll need to respond within 30 days.<\/strong><\/p>\n Fines are possible, but in reality most small businesses notice the impact elsewhere first, usually when a customer hesitates because something feels incomplete or off. A formal data subject complaint via the ICO creates a paper trail regardless of whether a fine follows. In practice, it often comes down to comparison, especially for service businesses where people are deciding between two similar providers, the one with a properly set up site tends to feel more credible.<\/p>\n If you are also unsure about the checkbox and consent wording on your form, Do I Need a Checkbox on My Contact Form? UK GDPR<\/a> covers exactly what to write and when you need explicit consent.<\/p>\n One thing worth checking while you review your privacy policy: the rest of your site’s compliance. UK law requires a privacy policy, cookie notice, terms and conditions, and the right business information in your footer. Platforms like Wix or Squarespace will give you template pages, but they don\u2019t check whether you\u2019ve filled them in correctly, or at all.<\/p>\n Already have a website? Most sites we review are missing at least one of these, often things like a missing cookie notice, incomplete company details in the footer, or a privacy policy that doesn\u2019t match how the form works. Run it through our free compliance checker:<\/p>\nWhat must a privacy policy include for a UK website in 2026?<\/h2>\n
Where exactly should the privacy policy link appear?<\/h2>\n
Can I use a template privacy policy?<\/h2>\n
What happens if I don’t have a privacy policy?<\/h2>\n