Two main bodies of law primarily govern the data protection regime within the UK: the UK GDPR and the Data Protection Act 2018.

The UK GDPR sets out prescriptive information and transparency requirements that businesses must satisfy when processing personal data. As part of these information and transparency requirements, businesses must notify individuals (data subjects) of what personal data they collect and process, the lawful basis for processing that personal data, how it is used, and whether the personal data may be shared with any third parties.


What is a Privacy Policy, and does my website need one?

For online businesses, such as e-commerce websites, a Privacy Policy and a Cookies Policy enable the business to comply with the information and transparency requirements of the UK GDPR. They set out, in clear, plain English, the details of that business's data processing activities, enabling data subjects to understand the scope and nature of how their personal data is used.

If a website processes personal data, it will need a Privacy Policy and a Cookies Policy (if cookies are used).

When drafting a Privacy Policy, website operators should consider the following:

  • What personal data is collected from data subjects, why it is collected, how it is used, and how long it is stored for;
  • What legal basis (set out within the UK GDPR and the Data Protection Act 2018) the business relies upon for the processing of that personal data;
  • Whether any of the personal data constitutes special category personal data, such as medical history or criminal convictions, and which exemption under the UK GDPR and the Data Protection Act 2018 the business relies upon for the processing of that special category personal data;
  • Whether the personal data is shared with any third parties, such as credit reference agencies or payment gateway providers;
  • Whether the website is targeted at (or is likely to be accessed by) children or adults who require assistance in understanding the information presented to them;
  • Whether the personal data is intended to be used for marketing purposes; and
  • Whether any automated decision-making (or profiling) using the personal data will take place.

If a business processes the personal data of children or certain special categories of personal data (sensitive personal data such as health data or data relating to criminal convictions), then the UK GDPR and the Data Protection Act 2018 set out additional prescriptive requirements which must be complied with.

Such additional requirements include satisfying one of the limited grounds for exemption when processing special category personal data (which should be referenced within the Privacy Policy) or ensuring that the Privacy Policy is drafted in a way which is easily understandable to a child (where a child's personal data is being processed). Further information regarding compliance with the UK GDPR in the context of children's personal data can be found in our article.


What is a Cookies Policy, and does my website need one?

Certain cookies, for example tracking cookies, can constitute personal data, as the data contained within the cookies can be linked to an individual's name or contact details. In these instances, the UK GDPR and the Data Protection Act 2018 apply to their use, and businesses must comply with the information and transparency requirements of the UK GDPR.

Website operators should therefore consider the use of a Cookies Policy to notify data subjects clearly and transparently of their use of cookies, including:

  • How long each cookie will be stored on their device;
  • The purpose of each cookie;
  • Whether third parties can set cookies;
  • Which third-party cookies are set, and which third party sets each cookie; and
  • Whether third parties can access the data collected by the cookies on the website.

The information contained within a Cookies Policy should be provided at the point at which consent to the use of cookies is sought, i.e., within the cookies banner which appears to a data subject when they first access the website.

The UK GDPR sets out prescriptive requirements as to how consent from an individual to the use of cookies may be obtained, and website operators should ensure that their website and Cookies Policy are designed to comply with those requirements. Further information regarding how to obtain valid consent for the use of cookies on a website can be found in our article.


Can I copy a Privacy Policy and Cookies Policy from another website?

Businesses should first conduct a data mapping exercise to identify the personal data processed by the business, including what personal data is collected via its website, what it is used for, the legal basis for that processing, and how long the data will be stored.

A Privacy Policy and Cookies Policy should then be drafted on an individual basis to reflect the data processing activities of that business, in order to ensure compliance with the information and transparency requirements of the UK GDPR.

By copying another website's policies, a business may breach its obligations under data protection law by failing to be transparent about its own data processing activities. The data processing activities of one business will not necessarily apply to another, so a Privacy Policy must be drafted to accurately reflect the business's own data processing activities.

In addition, policies and documents set out on another business's website are protected by copyright; copying another business's policies will therefore constitute an infringement of third-party intellectual property rights.


How can I get the right documents for my website?

The Information Commissioner's Office (ICO), the UK's regulatory body for data protection law, provides advice and guidance to organisations seeking to comply with their data protection obligations. Further information regarding this assistance can be found on the Information Commissioner's Office (ICO) website.

Myerson's team of specialist IT and data protection solicitors regularly draft website Privacy Policies and Cookies Policies and can advise you as to which documents your website requires. In addition to Privacy Policies and Cookies Policies, our commercial solicitors regularly draft other website documents, including E-Commerce Terms of Business and Website Terms of Use, so Myerson can assist you further with your e-commerce business.


Contact Our Technology Lawyers

If you have any questions regarding data protection law, contact our team of specialist Technology solicitors via the contact form or by calling:

0161 941 4000