Website Legal Requirements – Privacy Policy – Basics for your Website

If you are operating a website and require users to register in order to use it, or you are simply using Google Analytics on your website, then you are collecting and processing personal data. Under the Data Protection Act 1998, if you collect, store or process personal data you must provide specific information to the persons whose personal data you are using. This information is usually provided to users in a privacy policy, which should be published on your website.

The following basic issues should be covered in your privacy policy.

Personal Data Practices

Your privacy statement should reflect your personal data practices. For example, it should include details of:

  • The type of data being collected;
  • Why the data is collected;
  • How the data is used and why;
  • If and why personal data will be disclosed to third parties;
  • How and where data is stored;
  • How complaints or queries about personal data will be dealt with.

Cookies

Cookies are small text files placed on a user’s computer which record online activity. Virtually all websites use cookies. Most use analytics cookies to measure visits and use of websites. Performance and functionality cookies are used to make repeated use of a website more comfortable for the user and advertising cookies are increasingly used to collect information about users for targeted marketing.

In your privacy policy you must provide users with clear and comprehensive information about the type of cookies being used on your website and the purposes for which the information is collected.

Where should the Privacy Policy appear on my Website?

The privacy policy should be easy to find on your home page and/or at the point where you obtain consent to the collection of the personal data, for example where a user registers on your website. It is advisable to have links between the privacy policy and all references made to it on your website. For example, if you are providing online recruitment services you should place your privacy policy on your home page and also link to it when users register to use your website or services. In addition, you should have a process for the user to confirm acceptance of your privacy policy, for example by actively ticking an acceptance box or by a double opt-in email process.

Compliance with other Laws

You will need to consider your compliance with any other applicable laws or rules that apply to the collection of a user's personal data. Which other laws apply will depend upon a number of factors. For example, if you are selling or providing services to children (persons under the age of 18) you must have additional safeguards in place on your website, such as obtaining parental consent before you collect any personal data from children of certain ages. If you are providing services to children which include advertising or marketing, you will also need to comply with the CAP Code.

The type of products or services that you are offering online and the countries in which you are making these available will also be relevant – as this will determine whether national, EU and/or international laws will also apply to your website. Depending on the business sector in which you operate, the rules of self-regulatory schemes may also apply. For example, if you are providing email marketing services to users you will need to comply with applicable email marketing and advertising rules.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:
