If your website collects any personal information — even just names and email addresses through a contact form — you likely need a privacy policy, and you should have clear terms of service too. A privacy policy tells visitors what data you collect and what you do with it, and in a growing number of states it's a legal requirement, not just good practice. Terms of service set the rules for using your site or buying from you. Neither page is exciting to write, but skipping them is one of the most common — and most avoidable — mistakes small online businesses make.
Do you actually need a privacy policy?
If you collect personal information from visitors — through contact forms, email signups, analytics cookies, order forms, or account creation — the honest answer is almost always yes. A growing number of states now have their own comprehensive privacy laws (California was first, and by 2026 close to twenty other states, including Colorado, Virginia, Connecticut, and others, have followed with their own versions). These laws differ in exactly who they cover — some apply based on how many residents' data you handle or how much of your revenue comes from selling data — and the details change as legislatures act. You cannot assume your business is too small to be covered, and you cannot assume it's covered the same way in every state.
Separately, under the FTC Act, if you make privacy promises to visitors — on your site, in an app, or anywhere else — you're legally required to keep them, and you have a general obligation to handle personal data with reasonable security even without making explicit promises. The Federal Trade Commission is the main federal enforcer here and publishes free guidance for businesses of any size at ftc.gov/business-guidance/privacy-security.
What to do: Because privacy-law coverage varies by state and changes over time, check your own state attorney general's website and, if you're based in or sell to California residents, the California Privacy Protection Agency's site for the current rules that apply to your business. Do not rely on a single national checklist — verify it applies to your situation.
What a privacy policy actually needs to disclose
Requirements vary by state and by the type of data involved, but a solid privacy policy typically explains, in plain language:
What information you collect — names, emails, payment details, location, device or browsing data, and anything collected automatically through cookies or analytics tools.
How you collect it — forms, cookies, third-party tools (payment processors, email platforms, analytics, advertising pixels).
Why you collect it and how you use it — fulfilling orders, marketing, improving the site, and so on.
Who you share it with — payment processors, shipping companies, email or analytics vendors, and whether you ever sell or share data for advertising.
What rights visitors have — many state laws now give residents the right to see, correct, delete, or opt out of the sale of their data, and to not be discriminated against for exercising those rights.
How to contact you with privacy questions or requests.
Whether you knowingly collect data from children. The federal Children's Online Privacy Protection Act (COPPA) imposes special rules — including parental-consent requirements — if your site is directed at children under 13 or you know you're collecting their data. If that could apply to you, review the FTC's COPPA guidance before you do anything else.
If you have visitors from the European Union or the United Kingdom, their privacy rules (the GDPR and the UK GDPR) can apply even though you're a U.S. business, if you're offering goods or services to people there or monitoring their behavior. Those frameworks add their own disclosure and consent requirements, particularly around cookies and international data transfers. If you have a meaningful number of EU or UK visitors or customers, that's worth a conversation with an attorney who handles international privacy compliance — it's a genuinely complex area and not something to guess at.
Why copying a competitor's privacy policy is risky
It's tempting to find a similar business's privacy policy and adapt it. Resist that urge. A privacy policy is supposed to describe your actual data practices — what you specifically collect, which specific third-party tools and vendors you specifically use, and which specific state and international laws apply to your business given where your customers are. A copied policy will describe someone else's practices, which means it may promise things you don't actually do (creating FTC exposure if you don't live up to your own stated promises) or fail to disclose something you do that the law requires you to disclose. It also may be missing coverage for a state law that applies to you but didn't apply to whoever wrote the original. A privacy policy that's wrong for your business is arguably worse than having none — because now you've made false representations about your practices.
Cookies and tracking
Most small business sites use cookies for things like shopping carts, login sessions, analytics, or advertising. Several state privacy laws and the EU/UK rules require you to disclose cookie use and, particularly for the EU/UK and for "sale or sharing" of data under some state laws, to get consent or offer a clear opt-out before non-essential cookies run. If your analytics or advertising tools use tracking pixels or third-party cookies, say so plainly in your privacy policy and, if required for your audience, use a cookie-consent banner. Because exactly when consent (versus disclosure) is required depends on which state or country your visitor is in, check current guidance for the states and countries where your visitors actually are rather than assuming one rule covers everyone.
Email marketing: the CAN-SPAM basics
If you send marketing or promotional emails — including a newsletter with any promotional content — the federal CAN-SPAM Act applies, regardless of your business size. Its core requirements, per the FTC's compliance guide, are:
Don't use false or misleading "From," "To," or routing information — the sender must be accurately identified.
Don't use deceptive subject lines that misrepresent the email's content.
Clearly identify the message as an advertisement if it is one.
Include your valid physical postal address in the email.
Give recipients an easy way to opt out of future emails, and honor opt-out requests promptly — the FTC guide describes a specific window for processing them, so check the current rule at ftc.gov before relying on any particular number of days.
Don't sell or transfer email addresses after someone has opted out.
CAN-SPAM penalties are calculated per violating email, so a single bad email blast to a large list can add up fast. The FTC's compliance guide at ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business is the authoritative source — read it directly rather than a secondhand summary.
Terms of service
A terms of service (or "terms of use") page is a contract between you and anyone who uses your site or buys from you. It's not usually a separate legal mandate the way a privacy policy can be, but it's one of the most useful documents a small business can have, because it lets you set the rules up front instead of arguing about them after a dispute. A reasonably complete terms of service typically covers:
Who may use the site (age requirements, account rules).
Rules for any user-generated content, reviews, or comments.
Ownership of your site's content, trademarks, and images (keep this at a plain-language level; if trademark protection itself is a concern, that's a separate step through the U.S. Patent and Trademark Office).
Payment terms, pricing, and any subscription or auto-renewal terms — auto-renewal in particular is an area several states and the FTC regulate closely, so disclose it clearly and make cancellation easy.
A limitation of liability and disclaimer of warranties, describing what you are and are not promising.
How disputes will be handled — for example, informal resolution first, and whether small claims court or another forum applies.
Your governing law and how the terms may change over time.
Disclaimers and return policies
If you sell products or services, a clear return, refund, or cancellation policy protects both you and your customers by setting expectations before a dispute happens. If you give any kind of advice, recommendations, or information content (not just physical goods), a disclaimer clarifying that your content is general information and not professional advice in whatever field you're in can help manage expectations and reduce disputes. State consumer-protection rules on returns, warranties, and advertising claims vary, so if returns or refunds are a significant part of your business, it's worth confirming your policy matches your state's consumer-protection requirements.
What to do — getting your legal pages in place
Inventory what data you actually collect — forms, cookies, payment processors, email tools, analytics — before writing anything.
Identify where your visitors and customers are — which states, and whether you have meaningful EU/UK traffic — since that drives which laws apply to you.
Draft a privacy policy that describes your actual practices, not a generic or copied one.
Draft terms of service covering use rules, payment, liability limits, and dispute handling.
Add a return/refund policy and any needed disclaimers if you sell goods, services, or advice.
Set up CAN-SPAM-compliant email practices before you send your first marketing email.
Revisit all of it periodically — state privacy laws are changing frequently, and a policy that was accurate last year may not be this year.
Have an attorney review the final pages, especially if you handle sensitive data (health, financial, children's information) or have significant out-of-state or international traffic — templates and general guides like this one can get you oriented, but they can't account for your specific business and audience.
Flag this clearly: exactly which state privacy laws apply to your business, what they require you to disclose, and any deadlines for responding to a visitor's data request all vary by state and change over time. Confirm the current rules for your situation with your state attorney general's office or privacy agency, and with the FTC at ftc.gov for federal rules like CAN-SPAM and COPPA, before you rely on any specific requirement.
This article is general information, not legal, tax, or financial advice, and reading it does not create an attorney-client relationship.
Frequently asked questions
Do I really need a privacy policy if I'm just a small one-person online shop?
If you collect any personal information — even just an email address through a contact form — you probably do. Privacy-law coverage depends on your state, how many people's data you handle, and whether you sell or share data, so check your state's current rules rather than assuming your size exempts you.
Can I just copy a competitor's privacy policy or terms of service?
No. A privacy policy has to describe your actual data practices and the specific laws that apply to your business. Copying someone else's can leave out disclosures you legally need, or make promises about your practices that aren't true — which can create its own legal exposure.
Do I need to worry about European privacy law (GDPR) if I'm a U.S. business?
You might, if you have visitors or customers in the EU or UK and you're offering them goods or services or tracking their behavior online. If that describes your business in a meaningful way, it's worth a conversation with an attorney who handles international privacy compliance.
What happens if I send marketing emails without following CAN-SPAM?
The FTC can pursue penalties calculated per violating email, so noncompliance can get expensive quickly, especially with a large list. Review the FTC's CAN-SPAM compliance guide before sending your first marketing email.
Is a terms of service page legally required?
Usually it isn't a specific statutory mandate the way a privacy policy can be, but it's still one of the most useful protections a small business can have, since it sets the rules for using your site and buying from you before any dispute arises.
This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.
Knowing your rights is the first step
Join thousands committing to calmly and consistently exercise their constitutional rights.