A lot of small business owners assume a privacy policy is something only big companies need: legal boilerplate for corporations with millions of users, not for a local bakery or a community nonprofit with a contact form.
That assumption is wrong, and it can create real problems. Here's what's actually happening on most small business websites — and what you should do about it.
Your website is already collecting data
Even if you've never thought about it, your site is likely collecting personal information in at least one of these ways:
- A contact form — name, email, phone number, whatever someone types in
- Google Analytics or similar tools — visitor IP addresses, browser type, location, pages viewed
- Third-party embeds — a YouTube video, a Google Maps widget, or a social media button can all set cookies and collect data on your visitors
- Form submission services — tools like Web3Forms or Formspree receive and store the data your contact form collects
The moment you collect any personal data from a visitor, you have a legal obligation to disclose it. That disclosure is your privacy policy.
What the law actually requires
Privacy law has gotten more specific in recent years. You don't need to know every regulation in detail, but these are the ones most likely to apply to a small US-based website:
- CalOPPA (California Online Privacy Protection Act) — applies to any website accessible to California residents, which is basically every website. Requires a privacy policy that's clearly posted and describes what you collect.
- GDPR — applies if any of your visitors are in the EU. Even if you're not targeting European customers, if your site is publicly accessible and a visitor from Germany lands on it, GDPR applies to that interaction.
- State laws — Virginia, Colorado, Texas, and several other states have passed their own data privacy laws in recent years. Most have similar disclosure requirements.
"I'm a small business" is not a legal exemption. The size of your operation doesn't change whether you're collecting data — it just changes how much data you're collecting.
The good news: a simple, honest privacy policy is enough for most small business websites. You don't need a lawyer. You don't need a complicated document. You just need to tell people what you collect and why.
What to include in a simple privacy policy
For a basic small business site, your privacy policy should cover these things:
- What information you collect — form submissions, analytics data, cookies
- How you use it — to respond to inquiries, to understand site traffic, etc.
- Who you share it with — any third-party tools (Google Analytics, your form service, your email provider)
- How long you keep it — "until you unsubscribe" or "as long as your inquiry is open" are fine answers
- How someone can contact you — an email address where people can ask about their data
- When this policy was last updated — a date at the top or bottom
That's it. One page, plain English, no legalese required.
Where to get a free privacy policy
You have a few good options:
- Termly — generates a privacy policy based on your answers to simple questions. Free tier is solid for small sites.
- Privacy Policy Generator (privacypolicygenerator.info) — straightforward, no account required.
- Your form service — tools like Formspree and Web3Forms often have template policies you can adapt.
Once you have the text, add a link to it in your site footer. Visitors should be able to reach it from every page in one click.
One more thing: link to it from your contact form
The most important place to link your privacy policy is right next to your contact form. A short line like "We only use this to respond to your message. See our privacy policy." takes five seconds to add and tells visitors you take their information seriously.
It also reduces the hesitation some people feel before filling out a form. It's a small thing that does real work.

