Almost every commercial small business website needs a privacy policy in 2026 — and a copy-pasted one creates more risk than it removes. Privacy policies aren't just a compliance checkbox; they're a legally required disclosure under federal law, state law, and the terms of nearly every analytics, advertising, and payment tool your website touches.

I'm David Campbell, founder of Nerd Stack. Privacy is one of the quiet compliance areas most small businesses get wrong — usually by copying a generic policy off a template site that doesn't match what they actually do. This guide is the plain-English overview of when you need a privacy policy, what should be in it, and what makes one actually useful. This is an overview for business owners, not legal advice — work with counsel on specific exposure. It pairs with our guides on cookie banners and state privacy laws.

Yes — You Almost Certainly Need One

If your website collects any personal information from visitors — a name, an email address, a phone number, a payment, an IP address through analytics, a cookie — you need a privacy policy. That's effectively every commercial website in operation.

The requirement comes from multiple overlapping sources:

  • State privacy laws. California's CalOPPA, dating to 2003, requires any website that collects personal information from California residents to post a privacy policy. By 2026, roughly twenty U.S. states have followed with comprehensive privacy laws that include privacy-policy obligations.
  • Sector-specific federal laws. The Children's Online Privacy Protection Act (COPPA) requires privacy disclosures from any site directed at children under 13. The Gramm-Leach-Bliley Act (GLBA) governs financial businesses. HIPAA governs health information. Each carries privacy-notice requirements.
  • Third-party tool requirements. Google Analytics, Google Ads, Meta Pixel, Stripe, Shopify, Mailchimp, and almost every commonly used website tool require their users to maintain a privacy policy as a condition of service. Violating those terms can shut your tools off.
  • International obligations. If anyone from the EU or UK uses your site, the GDPR applies — and the GDPR's transparency requirements demand a privacy policy.

The practical answer: if you sell anything online, capture leads, use analytics, run ads, or accept payments — you need a privacy policy, regardless of your size.

What a Real Privacy Policy Actually Includes

A privacy policy is supposed to describe what you actually do with personal information. That sounds obvious — but the most common reason policies fail audits or get cited in complaints is that they describe practices that don't match the business's reality. Pasting a template policy off the internet creates exactly this problem.

The sections every privacy policy should cover:

  • What data you collect. Names, emails, phone numbers, payment data, IP addresses, location, device information, cookie data — whatever your site actually captures, listed explicitly.
  • How you collect it. Forms, account creation, analytics tracking, cookies, third-party integrations.
  • Why you collect it. Specific purposes: provide the service, process payments, send marketing communications, analyze traffic, fulfill legal obligations.
  • Who you share it with. Service providers (hosting, payment processors, email tools), advertising partners, analytics tools, any third-party recipients. Naming categories of recipients is required in California and several other states.
  • How long you keep it. Retention periods or the criteria you use to decide when data is deleted.
  • User rights. What rights visitors have — access, deletion, correction, opt-out — and how to exercise them. Most state laws now require an explicit description.
  • Cookies and tracking. What cookies you use and what they do. Covered more deeply in our cookie banners guide.
  • How to contact you. A real, monitored email address (and ideally a postal address) for privacy inquiries.
  • When the policy was last updated. A visible "Last Updated" date.
  • How updates are handled. A clause explaining that updates will be posted, and how visitors will be notified.

The Common Mistakes

  • Copy-pasted from another site. The policy describes practices that don't match yours. Worse, the contact information often still belongs to the other business.
  • Missing required state disclosures. California's CCPA/CPRA and the newer state laws each require specific disclosures (categories of data, user rights, opt-out mechanisms). Generic policies skip these.
  • Doesn't list the tools. If you use Google Analytics, Meta Pixel, Mailchimp, Stripe, or Shopify, those should be referenced as the data recipients they are. Most generic policies don't.
  • The contact email isn't monitored. A privacy contact email nobody reads is functionally an unanswered legal request waiting to happen. Pick an inbox someone actually checks.
  • Never updated. The "Last Updated" date is from 2019. A stale policy is one of the easier things for a regulator or complainant to flag.
  • Hidden in the footer in 6-point gray. The policy must be findable. A standard footer link in legible type is the convention.

What About Privacy Policy Generators?

Privacy policy generators (Termly, iubenda, FreePrivacyPolicy, and others) are a reasonable starting point for a small business — they walk you through the disclosures and produce a policy that covers the basics. Two caveats:

  • Customize the generated text. Generators produce a baseline policy, but the result is only useful if it matches what your business actually does. Edit the data-collection and tool list to reflect reality.
  • Review with counsel for anything beyond a basic site. If you operate in a regulated industry, have an international audience, or collect sensitive data (health, financial, children's data), a generator-produced policy is a starting point, not a finish line.

Frequently Asked Questions

Does my small business website need a privacy policy?

Almost certainly yes. If you collect any personal information — names, emails, IP addresses through analytics, cookies — federal law, state law, and your third-party tools (Google Analytics, payment processors, email marketing) all require it. The threshold for needing a policy is far lower than most small businesses assume.

Can I copy a privacy policy from another website?

No. A policy must describe what your business actually does with personal information. Copy-pasted policies typically describe practices that don't match the business and often still reference the original company's contact details, both of which create real legal exposure. They also frequently miss required state-specific disclosures.

Are privacy policy generators good enough?

For a basic small business site, generators are a reasonable starting point — they cover the baseline disclosures and produce a usable policy. Customize the output to reflect what your business actually collects and shares, and have counsel review for regulated industries, international audiences, or sensitive data categories.

Where should the privacy policy appear on the site?

The convention is a footer link visible on every page, in legible (not tiny) type. Some forms — especially newsletter signups and account creation — should also link to the policy at the point of data collection. A policy nobody can find doesn't satisfy disclosure requirements.

How often should a privacy policy be updated?

Whenever your data practices change in a meaningful way — new tools, new data categories, new sharing partners, new state-law obligations — and at least annually as a review cadence. Visible "Last Updated" dates help; stale-looking policies attract scrutiny.

Bottom Line

A privacy policy isn't optional for a commercial small business website in 2026 — it's a baseline disclosure required by state law, federal sectoral law, and the terms of nearly every tool your site uses. The version that protects you is the one that actually matches what your business does. In some ways a generic copy-pasted policy is worse than no policy at all: it documents practices you don't have and omits disclosures you owe.

At Nerd Stack, every site we build ships with a privacy posture that reflects the real tools and data flows — and we coordinate with your counsel for the legal text. Book a free call if you'd like a candid look at where your site stands.

Sources: IAPP — US State Privacy Legislation Tracker; California Attorney General — CCPA; FTC — Children's Online Privacy Protection Rule.