A lot of small business owners assume a privacy policy is something only big companies need: legal boilerplate for corporations with millions of users, not for a local bakery or a community nonprofit with a contact form.
That assumption is wrong, and it can create real problems. Here's what's actually happening on most small business websites, and what you should do about it.
Your website is already collecting data
Even if you've never thought about it, your site is likely collecting personal information in at least one of these ways:
- A contact form: name, email, phone number, whatever someone types in
- Google Analytics or similar tools: visitor IP addresses, browser type, location, pages viewed
- Third-party embeds: a YouTube video, a Google Maps widget, or a social media button can all set cookies and collect data on your visitors
- Form submission services: tools like Web3Forms or Formspree receive and store the data your contact form collects
The moment you collect any personal data from a visitor, you have a legal obligation to disclose it. That disclosure is your privacy policy.
What the law actually requires
Privacy law has gotten more specific in recent years. You don't need to know every regulation in detail, but these are the ones most likely to apply to a small US-based website:
- CalOPPA (California Online Privacy Protection Act): applies to any website accessible to California residents, which is basically every website. Requires a privacy policy that's clearly posted and describes what you collect.
- GDPR: applies if any of your visitors are in the EU. Even if you're not targeting European customers, if your site is publicly accessible and a visitor from Germany lands on it, GDPR applies to that interaction.
- State laws: Virginia, Colorado, Texas, and several other states have passed their own data privacy laws in recent years. Most have similar disclosure requirements.
"I'm a small business" is not a legal exemption. The size of your operation doesn't change whether you're collecting data; it just changes how much data you're collecting.
The good news: a simple, honest privacy policy is enough for most small business websites. You don't need a lawyer. You don't need a complicated document. You just need to tell people what you collect and why.
What to include in a simple privacy policy
For a basic small business site, your privacy policy should cover these things:
- What information you collect: form submissions, analytics data, cookies
- How you use it: to respond to inquiries, to understand site traffic, etc.
- Who you share it with: any third-party tools (Google Analytics, your form service, your email provider)
- How long you keep it: "until you unsubscribe" or "as long as your inquiry is open" are fine answers
- How someone can contact you: an email address where people can ask about their data
- When this policy was last updated: a date at the top or bottom
That's it. One page, plain English, no legalese required.
Where to get a free privacy policy
You have a few good options:
- Termly: generates a privacy policy based on your answers to simple questions. Free tier is solid for small sites.
- Privacy Policy Generator (privacypolicygenerator.info): straightforward, no account required.
- Your form service: tools like Formspree and Web3Forms often have template policies you can adapt.
Once you have the text, add a link to it in your site footer. Every page should be able to reach it in one click.
One more thing: link to it from your contact form
The most important place to link your privacy policy is right next to your contact form. A short line like "We only use this to respond to your message. See our privacy policy." takes five seconds to add and tells visitors you take their information seriously.
It also reduces the hesitation some people feel before filling out a form. It's a small thing that does real work.
Common questions about website privacy policies
Does a small business website really need a privacy policy?
Yes, if it collects any personal data, and most do. A contact form, Google Analytics, or third-party embeds like a YouTube video or Google Maps widget all collect information from visitors. "I'm a small business" is not a legal exemption. The moment you collect personal data, you have an obligation to disclose it, and that disclosure is your privacy policy. This is general information, not legal advice.
What data is my website collecting without me realizing it?
More than most owners expect. A contact form captures names, emails, and phone numbers. Tools like Google Analytics log visitor IP addresses, browser type, location, and pages viewed. Third-party embeds and form services like Web3Forms or Formspree also receive and store data. Even if you never set this up deliberately, it is likely happening on your site.
What should a simple privacy policy include?
For a basic small business site, cover what information you collect, how you use it, who you share it with, how long you keep it, how someone can contact you about their data, and when the policy was last updated. That is it: one page in plain English with no legalese required. This is general guidance, not legal counsel.
Where can I get a free privacy policy?
There are a few good options. Termly generates a policy from simple questions, with a free tier that works for small sites. Privacy Policy Generator at privacypolicygenerator.info is straightforward and needs no account. Your form service, such as Formspree or Web3Forms, often has template policies you can adapt. Once you have the text, add a link to it in your site footer so every page can reach it in one click.
Where should I link to my privacy policy?
Put a link in your site footer so it is reachable from every page in one click, and add one right next to your contact form. A short line like "We only use this to respond to your message. See our privacy policy." takes five seconds to add and reassures visitors you take their information seriously. It also reduces the hesitation some people feel before filling out a form.

