Does Your Website Need a Privacy Policy? (Yes, and Here’s Why)

June 17, 2026

The Short Answer Is Yes, You Do

Let’s get the main point out of the way first: if your website collects any information from visitors — a contact form, an email signup, an online order, anything — you need a privacy policy. This isn’t a nice-to-have or something only big companies deal with. It applies to small businesses, solo operators, and local service providers too.

Many small business owners assume privacy policies are for tech companies handling sensitive data at scale. That’s not how the law sees it. If a visitor fills out your contact form with their name and email address, you’ve collected personal information. What you do with that information — who sees it, whether it gets shared, how long you keep it — is governed by law in multiple states and countries, and your privacy policy is how you communicate those practices to visitors.

What Laws Actually Require It

Even if you’re a small business in Washington State serving mostly local customers, privacy laws with national and international reach can apply to you. California’s Consumer Privacy Act (CCPA) applies to any business that collects personal data from California residents — not just California businesses. The GDPR, the European Union’s privacy regulation, technically applies any time a visitor from the EU accesses your site and you process their data.

Beyond those broad regulations, several specific platforms and services you probably already use require a privacy policy as a condition of their own terms of service. Google Analytics requires one. If you run Facebook or Google ads, those platforms require one. If you use any email marketing tool — Mailchimp, Constant Contact, ConvertKit — they require that your signup forms link to a privacy policy. Not having one can result in your advertising accounts or email marketing accounts being suspended.

In Washington State itself, the My Health My Data Act (effective 2023 for large entities, 2024 for others) added specific requirements around health-related data. And the Washington Privacy Act continues to evolve. The trend is unmistakably toward more privacy regulation, not less, which means starting with a solid policy now is good positioning for what’s coming.

What a Privacy Policy Actually Needs to Cover

A privacy policy doesn’t need to be a 20-page legal document. For most small businesses, a clear, plain-language policy that covers the following is adequate. You need to describe what personal information you collect (names, email addresses, phone numbers, payment information if applicable). You need to explain how you collect it — directly through forms, automatically through cookies and analytics tools, through third-party services. You need to say what you use that information for: to respond to inquiries, send newsletters, process orders, improve the website. You need to disclose whether you share information with anyone else, and if so, who (email marketing platforms, payment processors, analytics providers). And you need to explain how users can contact you to request their data be deleted or to opt out of certain uses.

If you use Google Analytics, you should specifically mention it and link to Google’s own privacy disclosures, since it involves third-party data processing. Same with any other tools that handle visitor data — Meta Pixel, HubSpot, or similar.

Where to Get One (Without Paying a Lawyer)

For most small businesses, you don’t need a custom-drafted attorney document to have an adequate privacy policy — though if you handle sensitive data like health information or financial information, consulting an attorney is worth doing.

Several reputable tools generate privacy policies tailored to your specific situation. Termly, Iubenda, and Privacy Policies (privacypolicies.com) all offer free or low-cost options that ask you questions about your site and generate appropriate language. They also update their templates as laws change, which matters because a policy written in 2020 may not cover 2024 requirements.

Whatever tool you use, make sure you actually read through the output and verify it accurately describes what your site does. A privacy policy that says you don’t use analytics when you have Google Analytics installed is worse than no policy at all — it’s a false statement to visitors and regulators.

Where to Display It on Your Website

Your privacy policy page should be accessible from every page of your website. The standard location is a link in your footer, alongside your terms of service if you have one. Most visitors won’t read it unprompted, but they should always be able to find it.

Where it becomes more critical is at the point of data collection. If you have an email signup form, there should be a visible link to your privacy policy near the submit button — something like “We respect your privacy. Read our Privacy Policy.” This is a legal requirement under GDPR if you have any EU visitors, and it’s considered best practice regardless.

Contact forms, checkout pages, and any other form that collects personal information should also have a visible privacy policy link nearby. This isn’t just about compliance — it’s also about building trust. Visitors who see that you take their privacy seriously are more likely to complete forms and feel confident about doing business with you.

What Happens If You Don’t Have One

For most small businesses, the immediate consequence of not having a privacy policy isn’t a lawsuit or a regulatory fine — though those are real possibilities as privacy enforcement expands. The more immediate practical consequences are: your Google Analytics account can be flagged, your email marketing platform can suspend your account, and your ad accounts can be restricted. These are concrete, near-term problems that a basic privacy policy solves entirely.

There’s also the trust factor. More and more consumers are paying attention to privacy. A website with no privacy policy in 2026 signals carelessness, whether or not that’s fair. A clear, honest privacy policy signals that you’re a professional operation that takes your customers’ information seriously.

If your website needs a privacy policy or a full compliance review, Manson Bay Digital can help you get it right. We work with small businesses to make sure their websites are legally sound, technically solid, and built to earn customer trust from the first click. Reach out at mansonbaydigital.com/contact/ or call (509) 800-7735.
