Privacy policy

There is a growing trend for websites to store more user information (known as personal data) and to download information (known as cookies) to users' devices. The purpose of a privacy policy is to set out the types of personal data stored on your website and how you will use that personal data. This includes telling users about the cookies used by your website and getting their consent for such use.

What you need to do

You should ensure that a link to your privacy policy is clearly signposted at least on those pages where users enter your website. It is advisable to create an intermediary page in every sale requiring the customer to confirm they have read the privacy policy and terms and conditions of sale. For more information, see our 'Terms and conditions' section. You should also designate one employee as the Data Protection Compliance Manager, and ensure that he or she answers any queries relating to your privacy policy.

Users of your website (known as data subjects) have a right to ask you whether you are processing any personal data about them and, if so, to be given:

  • A description of the personal data
  • Information about why it is being processed
  • Information about those whom you might disclose the personal data to
  • A copy of the information

All employees should be notified of the data protection principles outlined below. Employees attract personal criminal liability for the unauthorised obtaining or disclosure of personal data.

The data protection principles

The eight data protection principles are central to the Data Protection Act 1998. The Data Protection Act is the main body of legislation setting out data protection law in the UK and is based on a European Community Directive. You must comply with these principles at all times in your information-handling practices. The most practically relevant principles say that personal data must be:

(a) Processed fairly and lawfully

(b) Obtained only for one or more specified and lawful purposes and not processed in a manner incompatible with those purposes

(c) Adequate, relevant and not excessive

(d) Accurate and kept up-to-date

(e) Not kept for longer than is necessary

(f) Processed in accordance with the rights of data subjects under the Act

(g) Gathered and processed only where appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

(h) Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data


Cookies are text files containing small amounts of information. They are downloaded to a user's device when they visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.

Any website using cookies must:

  • Tell users of the website that cookies are used
  • Explain what the cookies are doing, and
  • Get the user's consent to store the cookies on their device

A user can give implied consent (rather than express consent) but the consent given must always be informed consent. Therefore you should ensure as far as reasonably possible that the user understands that their actions will lead to cookies being set. The consent given should not be ambiguous and the user's actions must clearly indicate consent.

For example, a website could use a pop-up message to let users know that the website uses cookies. The pop-up could contain a link to a separate webpage with further information on the cookies, plus two buttons for the user to either accept or decline the cookies. If the user accepts the cookies, then the consent will be express consent. The pop-up should say that if the user clicks away from the pop-up without accepting or declining, then consent is implied. If the user continues to use the website, having seen this message, it is likely that consent will be implied.

Another way of getting consent is to include the cookies information in the website's terms of use and require a user to tick a box to indicate that they accept those terms.