
Does Your Website Need a Privacy Policy? What Must Go in It
Short answer
If your website collects any personal data from people in the EU, and a contact form, an analytics tag or a newsletter signup already counts, Articles 13 and 14 GDPR require a privacy policy that names who you are, what you collect, why, who receives it, how long you keep it and what rights visitors have. Non-EU companies must also name their Article 27 EU representative in it. Copying another site's policy describes their data flows, not yours, which creates its own liability. Information-duty violations sit in the GDPR's top penalty tier of up to 20 million euro or 4 percent of global turnover.
The short version
Almost every website needs one. Here is why.
There is a page on your website that almost nobody reads, until the one reader arrives who matters: a data protection authority, a privacy-savvy customer, or the lawyer of someone who just filed a complaint. That page is the privacy policy, and the question of whether you need one has a shorter answer than most legal questions: if your site collects any personal data from people in the EU, you do.
The bar for "collects personal data" is far lower than most site owners think. A contact form counts. A newsletter signup counts. An analytics script, an embedded YouTube video, a login, a comment box, even server logs storing IP addresses, all of it is personal data under the GDPR. A website that does none of those things is rare enough to be a curiosity.
Who is caught
The law follows your visitors, not your address
The GDPR does not care where your company is registered. Under Article 3(2), it reaches any business, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour. A US SaaS with European users, a Canadian shop that ships to Germany, an Australian app with French downloads: all inside scope, all owing the same disclosures as a company in Berlin.
There is no revenue threshold and no company-size exemption for the information duties. And the EU is not alone: California's CCPA, the UK GDPR and a growing list of state and national laws all require substantially the same document. In practice, one well-built privacy policy covers the lot, which is also why skipping it fixes nothing and writing it once fixes almost everything.
For non-EU companies there is a twist that most templates miss entirely: if the GDPR applies to you and you have no office in the EU, Article 27 requires you to appoint an EU representative, and your privacy policy is precisely where that representative must be named. A missing representative line is visible to any investigator in a single page view.
The contents
What a privacy policy must actually say

Articles 13 and 14 are unusually concrete for legal text. Translated out of legalese, your policy needs to answer these questions about your site, not about websites in general:
- Who you are. Legal name, address and a working contact for privacy matters. For non-EU companies caught by the GDPR: the name and address of your EU representative, and of your data protection officer if you have one.
- What you collect and why. Each category of data (contact details, payment data, usage data) tied to a purpose and a legal basis. "We may collect certain information for various purposes" is the sentence regulators quote in their findings.
- Who receives it. Your processors and recipients in plain categories: hosting, analytics, email provider, payment processor. If data leaves the EU, say so and name the safeguard.
- How long you keep it. Retention periods, or at least the criteria that decide them.
- What visitors can do about it. The data subject rights: access, correction, deletion, objection, portability, the right to withdraw consent and the right to complain to a supervisory authority.
- Where the data comes from, if you did not collect it from the person directly. That is the Article 14 half that scraped and purchased lists trip over.
None of this requires poetry. It requires accuracy, which is exactly what makes the next section the most important one.
One document is not the other two
Privacy policy, cookie policy, terms: three jobs, not one
Site owners routinely treat these as interchangeable legal wallpaper. They answer different questions, and only one of them is generally required by law.
Privacy policy
- Covers
- How you handle personal data end to end
- Named in
- A link reachable from every page
- Enforced by
- Data protection authorities
Cookie policy
- Covers
- The specific cookies and trackers your site sets
- Named in
- Your consent banner and footer
- Enforced by
- ePrivacy rules and DPAs
Terms of service
- Covers
- The deal between you and your users
- Named in
- Signup and checkout flows
- Enforced by
- Contract law and courts
The privacy policy is the load-bearing one. It is also the only one of the three where the law dictates the table of contents, which is why it is the document you should generate from your real setup rather than adapt from someone else's.
The copy trap
Why borrowing another site's policy backfires
The most common way privacy policies get written is also the worst one: find a competitor, copy, replace the company name, publish. It feels safe because the text looks legal. It is the opposite of safe, for one simple reason: a privacy policy is not boilerplate, it is a factual statement about your data flows.
The copied policy names tools you do not run and misses the ones you do. It promises retention periods you have never implemented. It cites a data protection officer you do not have, or omits the EU representative you are required to name. Every one of those mismatches is a small, provable inaccuracy sitting on your own domain, and regulators treat inaccurate privacy information as a violation in itself, separate from whatever the underlying data practice is. In the US, the FTC has built enforcement actions on exactly that gap between what a policy says and what a company does.
The fix is not to write like a lawyer. It is to describe your actual setup, plainly, and keep the document in sync when your setup changes.
The move
How to get a correct policy in under an hour

- Inventory what your site actually does. Forms, signups, analytics, embedded content, payments, logins. Ten minutes with your own website and your tag manager tells you what belongs in the policy.
- Generate the document from your answers. Our free privacy policy generator walks you through the questions and produces a GDPR-ready policy for a website or app. It runs entirely in your browser, we never see or store your answers, and it costs nothing, no email required.
- Add the two things only you know. Your real retention practice and your full list of processors. This is the ten percent that turns a good template into an accurate disclosure.
- Link it from every page and keep it current. Footer link, signup forms, checkout. When you add a tool or change providers, the policy changes with it. If you already have a policy, our privacy policy checker shows you in a minute which GDPR essentials it is missing, including the Article 27 line.
Need a privacy policy that matches your actual website?
Answer a few questions and get a GDPR-ready privacy policy in minutes. Runs in your browser, nothing is stored, no email required.
One honest caveat to end on: a generated policy documents your setup, it does not change it. If your site tracks people before consent or you are missing your EU representative, the policy will be accurate and your setup will still have gaps. That is the part where USANTIS earns its keep: we act as the Article 27 EU representative for non-EU companies, the exact line most self-written policies leave blank. Check whether you need one in about a minute with the free compliance checker, then write the policy that says so.
Frequently asked questions
Written by
Usantis
The Usantis editorial team writes about EU representation and Article 27 GDPR for companies based outside the EU. More articles
Related articles
Cookie Audit: What Your Site Sets Before Anyone Clicks Accept
Your consent banner asks the question. Your website often does not wait for the answer. Here is how to find out what your site really sets before a visitor clicks anything, and what to do about the gap, because that gap is the most common cookie violation there is.
GDPR BasicsThe UK Has Its Own GDPR Now. Your EU Representative Does Not Cover It.
When the UK left the EU it kept the GDPR and made its own copy. Two regulations, two regulators, and for a lot of companies outside both, two separate representatives. Here is when the EU one you already have is only half the job.
GDPR BasicsWhere Must Your EU Representative Actually Be Located?
Do you need a representative in every EU country, just in Ireland, or somewhere specific? The location question trips up almost everyone, and the real answer is simpler and cheaper than the myths suggest.
Stay off the enforcement tracker.
See whether Article 27 applies to you in about a minute, then set up your EU representative.