Do I need a privacy policy if I don't sell anything?

Likely yes, if you collect any visitor data at all — including through a contact form, comments, a newsletter signup, or analytics cookies. Selling products adds more requirements (like billing data) but isn't what creates the basic obligation.

Is a free privacy policy generator enough?

A generator is a strong starting point and far better than having no policy at all. For most small sites it covers the standard disclosures platforms expect. If your business has unusual data practices or operates in a heavily regulated industry, have a lawyer review the final document.

Where should I publish my privacy policy?

Most sites link to it from the footer on every page, and reference it from signup forms and checkout flows. It should be reachable in one click from anywhere on your site.

← Back to blog

Do I Need a Privacy Policy for My Website?

If your site has a contact form, uses analytics, or processes payments, the short answer is almost always yes. Here's what actually triggers the requirement and what a basic policy needs to cover.

Published 2026-06-13

Not legal advice. This article is for general informational purposes only and does not constitute legal advice. Consult a qualified lawyer for advice specific to your business and jurisdiction.

Short answer: probably yes

Most websites collect some form of personal data, even if it doesn't feel like it. An email address typed into a contact form, an IP address logged by your hosting provider, or a cookie set by an analytics script all count as personal data under most privacy laws.

If your site does any of the following, you should have a privacy policy: collects names or email addresses, uses Google Analytics or a similar tool, runs ads or remarketing pixels, lets users create accounts, or processes payments.

What usually triggers the requirement

Common situations that mean you need a privacy policy:

A contact form, newsletter signup, or account registration
Analytics tools (Google Analytics, Plausible, Hotjar, etc.)
Advertising or retargeting pixels (Google Ads, Meta Pixel)
E-commerce checkout or any payment processing
Mobile apps that use device identifiers, push tokens, or crash reporting SDKs
Any audience in the EU/UK (GDPR), California (CCPA/CPRA), or other regions with privacy laws

What a basic privacy policy should cover

A solid baseline privacy policy explains, in plain language:

What information you collect, and how (forms, cookies, automatically)
Why you collect it and how you use it
Whether you share it with third parties (hosting, analytics, payment providers)
How long you keep it and how users can request access or deletion
How users can contact you with privacy questions
How you'll notify users if the policy changes

What happens if you don't have one

Beyond legal exposure (which varies a lot by country and audience), missing a privacy policy can also block you from tools you need to grow: Google AdSense, many ad networks, Stripe and most payment processors, and app stores all require a published privacy policy as a condition of use.

A privacy policy alone doesn't make a site compliant with every law that might apply to it — but it's the foundational page almost every other requirement builds on, and it's usually the first thing visitors, partners, and platforms look for.

Frequently asked questions

Do I need a privacy policy if I don't sell anything?: Likely yes, if you collect any visitor data at all — including through a contact form, comments, a newsletter signup, or analytics cookies. Selling products adds more requirements (like billing data) but isn't what creates the basic obligation.
Is a free privacy policy generator enough?: A generator is a strong starting point and far better than having no policy at all. For most small sites it covers the standard disclosures platforms expect. If your business has unusual data practices or operates in a heavily regulated industry, have a lawyer review the final document.
Where should I publish my privacy policy?: Most sites link to it from the footer on every page, and reference it from signup forms and checkout flows. It should be reachable in one click from anywhere on your site.

Ready to put your legal pages in place?

Free preview · $9 for the full watermark-free pack (HTML, Markdown & PDF)

Generate my Trust Pack

Explore generators

Privacy Policy GeneratorCreate a GDPR/CCPA-style privacy policy in minutes. Terms of Service GeneratorSet the rules for using your website or app. Cookie Policy GeneratorExplain your use of cookies and tracking technology. Refund Policy GeneratorDefine clear refund and cancellation terms. Website Trust PackGet all legal pages for your website in one go. EULA GeneratorCreate an End User License Agreement for your software, app, or digital product. Accessibility Statement GeneratorShow your commitment to accessible design with a clear accessibility statement. Website Disclaimer GeneratorCover 'no professional advice', 'as is', and external links disclaimers for your site.

More from the blog

Cookie Consent Laws Explained (EU, US, UK)Cookie banners aren't just a EU thing — but the rules are different depending on where your visitors are. Here's what GDPR, PECR, and CCPA/CPRA actually require. GDPR vs CCPA: What Small Website Owners Need to KnowTwo of the most-mentioned privacy laws, in plain language: who they apply to, what they expect from a small site, and a short practical checklist.

See it in action

Curious what the generated documents look like? View a sample Trust Pack for an example business.