DOES MY WEBSITE NEED A PRIVACY POLICY? THE COMPLETE GUIDE FOR NONPROFITS, SMALL BUSINESSES & CREATIVES

Are you asking yourself “does my website need a privacy policy?” If so, the answer is a huge, resounding “Yes!” If your website collects any personal information (names, email addresses, IP addresses, cookies), you need a privacy policy, along with a few other key policies that cover things like cookies, terms, and accessibility. And if you're running a nonprofit, community organization, small business, or creative practice with a website, chances are you're collecting that information whether you realize it or not.


You don’t need to be perfect or have a lawyer on retainer. Here, you’ll gain a basic understanding of what's required, why it matters, and how to handle it without making it harder than it needs to be. Because here's the thing: legal pages aren't optional. They are required by law, and they protect your organization, your community, and the people who trust you with their information.


Let's break down what you actually need, why it matters, and how to make it happen.


THE LEGAL LANDSCAPE: WHAT THE LAW REQUIRES AND WHY

The legal requirements around website privacy aren't new, but they've gotten more specific and more enforceable in recent years. Here's what you need to know, in plain terms.


GDPR (GENERAL DATA PROTECTION REGULATION)

Who it applies to: Any website with visitors from the European Union, regardless of where your organization is based.


What it requires: A clear privacy policy that explains what data you collect, why you collect it, how you use it, and how people can request deletion or access to their data. You also need explicit consent for non-essential cookies.


Key point: "EU visitors" means anyone accessing your site from the EU. You don't have to be a giant international org. A small Portland nonprofit with a donor in Germany? GDPR applies. A food blogger sharing recipes with users in Europe? GDPR applies.


CCPA/CPRA (CALIFORNIA CONSUMER PRIVACY ACT / CALIFORNIA PRIVACY RIGHTS ACT)

Who it applies to: Businesses and organizations that collect personal data from California residents. Nonprofits are generally exempt unless they're doing commercial activity or meet certain revenue thresholds.


What it requires: A privacy policy that discloses what personal information you collect and how it's used. California residents have the right to request deletion and opt out of data sales.


Key point: If you run an online shop, sell tickets to events, or operate any kind of e-commerce — even as a nonprofit — you might fall under CCPA.


STATE PRIVACY LAWS (VIRGINIA, COLORADO, CONNECTICUT, UTAH AND GROWING)

Who it applies to: Organizations collecting data from residents of these states. Requirements vary by state but follow similar principles to CCPA.


What it requires: Privacy policies, data access rights, and in some cases, opt-out mechanisms.


Key point: More states are passing privacy laws every year. The trend is toward more regulation, not less.


ADA (AMERICANS WITH DISABILITIES ACT)

Who it applies to: Nonprofits, businesses, and public accommodations — which increasingly includes websites.


What it requires: Accessible websites. While there's no explicit federal law requiring an accessibility statement, having one demonstrates good faith effort and helps clarify your commitment to accessibility.


Key point: Nonprofits, small businesses, and creatives have been sued under the ADA for inaccessible websites. An accessibility statement isn't legal protection, but it shows you're taking it seriously.


FTC (FEDERAL TRADE COMMISSION)

Who it applies to: Any U.S.-based website collecting personal information.


What it requires: Privacy policies that accurately describe your data practices. Misleading or absent privacy policies can result in FTC enforcement actions.


Key point: The FTC has gone after small businesses and startups, not just big corporations. If you say you don't sell data but you do, that's a problem.


REAL CONSEQUENCES: WHAT COULD REALLY HAPPEN IF YOU DON’T HAVE POLICIES IN PLACE

Let's be clear: most small organizations, nonprofits, and creatives aren't getting massive fines for missing a privacy, cookie, terms, or accessibility policy. But the risks are real, and they go beyond money.


FINANCIAL PENALTIES

GDPR fines can reach significant amounts. CCPA violations can result in fines per violation, which adds up fast if you're collecting data from multiple California residents. Even if you're small, regulatory bodies are increasingly willing to enforce these laws.


LAWSUITS

The ADA has become a common basis for website accessibility lawsuits. Nonprofits have been targeted specifically because they're seen as public accommodations. Missing accessibility statements won't prevent a lawsuit, but having one shows you're aware and working on it.


LOSS OF TRUST

This one matters more than fines. If someone finds out you've been collecting their information without a privacy policy, or if you're not transparent about what you do with their data, you lose credibility. For nonprofits relying on donor trust, community organizations building relationships, or creatives cultivating loyal audiences, trust is everything.


PLATFORM PENALTIES

Google Ads, Facebook, and other platforms require privacy policies to run ads. No policy? No ads. Some email marketing platforms and payment processors also require them before you can use their services.


WHAT YOU ACTUALLY NEED

Not every website needs every legal page, but most modern sites need at least a few. Here's the breakdown.


PRIVACY POLICY

You need this if: Your website collects any personal data. This includes:

  • Contact forms (name, email, phone number)
  • Newsletter signups
  • E-commerce transactions
  • User accounts or logins
  • Analytics tools like Google Analytics (which track IP addresses and browsing behavior)
  • Embedded social media feeds or share buttons
  • Cookies of any kind


What it should include:

  • What data you collect (email addresses, IP addresses, payment info, etc.)
  • Why you collect it (newsletter, processing donations, improving user experience)
  • How you use it (send updates, process payments, analyze traffic)
  • Who you share it with (email platforms, payment processors, analytics tools)
  • How people can request access, correction, or deletion of their data
  • How long you keep data
  • Security measures you take to protect data


Real talk: If you have a contact form and Google Analytics, you're collecting personal data. You need a privacy policy.


COOKIE POLICY

You need this if: Your website uses cookies. Most sites do, even if you didn't explicitly set them up.


What creates cookies:

  • Analytics tools (Google Analytics, Plausible, Fathom)
  • Embedded videos (YouTube, Vimeo)
  • Social media widgets (Instagram feeds, Facebook like buttons)
  • Advertising platforms (Google Ads, Facebook Ads)
  • CRM integrations (Mailchimp, HubSpot)
  • E-commerce platforms (Shopify, WooCommerce, Squarespace Commerce)


What it should include:

  • What cookies your site uses
  • Why you use them (analytics, advertising, functionality)
  • Whether they're first-party (your site) or third-party (external services)
  • How users can manage or disable cookies


Cookie consent: Under GDPR, you need explicit consent for non-essential cookies. That means cookie banners aren't just annoying—they're legally required for EU visitors. More on tools for this below.


TERMS OF SERVICE (TERMS OF USE)

You need this if: You want to protect your organization from liability or define acceptable use of your website.


When it's especially important:

  • You have user-generated content (comments, forums, reviews)
  • You sell products or services online
  • You host events or memberships with specific terms
  • You want to limit your liability for how people use your content


What it should include:

  • Acceptable use (what people can and can't do on your site)
  • Intellectual property rights (who owns the content)
  • Disclaimers (limitations of liability)
  • Dispute resolution (how conflicts are handled)


Real talk: Terms of Service aren't legally required, but they're smart protection. If someone uses your content in a way you didn't intend, or if a transaction goes wrong, Terms of Service clarify the boundaries.


ACCESSIBILITY STATEMENT

You need this if: You want to demonstrate your commitment to accessibility and reduce legal risk.


What it should include:

  • Your commitment to accessibility
  • Accessibility standards you're working toward (like WCAG 2.1 Level AA)
  • Known limitations or issues you're addressing
  • Contact information for accessibility concerns
  • Timeline for improvements (if applicable)


Real talk: An accessibility statement won't prevent a lawsuit, but it shows good faith effort and gives users a way to report issues before escalating to legal action.


COOKIE CONSENT TOOLS: MAKE COMPLIANCE EASIER

If your website uses cookies — and it probably does — you need a way to manage consent, especially for EU visitors under GDPR.


FOR WORDPRESS SITES

Popular plugins:

  • CookieYes (GDPR Cookie Consent): Free and paid tiers, easy setup, scans your site for cookies
  • Complianz: Comprehensive, handles GDPR, CCPA, and other regulations
  • Cookie Notice & Compliance for GDPR / CCPA: Lightweight, solid free option


How they work: These plugins scan your site for cookies, generate a cookie policy, and display a consent banner. Users can accept, reject, or customize which cookies they allow.


FOR SQUARESPACE SITES

Built-in tools: Squarespace has a built-in cookie banner feature (Settings → Cookies & Visitor Data). You can customize the message, link to your privacy policy, and enable GDPR-compliant opt-in/opt-out.


Limitations: Squarespace's built-in banner is basic. For more control or multi-regulation compliance (GDPR + CCPA), you might integrate a third-party tool via code injection.


FOR OTHER PLATFORMS

  • Shopify: Apps like Pandectes GDPR Compliance or Cookie-Script
  • Wix: Built-in cookie banner in Site Settings
  • Webflow: Integrate third-party tools like Osano or Termly via custom code


Key takeaway: Most platforms have either built-in tools or easy plugin integrations. You don't need to code this from scratch.
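Whatever banner tool you pick, the part that actually matters is that analytics tags, ad pixels, and embeds stay unloaded until the visitor opts in. As an added example (not code from the original post or from any of the plugins named above), here is the gating logic such a tool implements, with assumed category names, an assumed storage key, and a constructed script registry; storage and the script loader are injected so it runs in Node as well as a browser.

```javascript
// Added example, not code from the original post or from any plugin it names:
// a minimal consent gate for non-essential scripts. Each third-party tag is
// registered with a category and loads only after the visitor opts in to it.

const CONSENT_KEY = "cookie_consent";  // assumed storage key
const CONSENT_VERSION = 2;             // bump whenever the cookie policy changes

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories

// Constructed registry of tags a small site might run; none loads until allowed.
const SCRIPT_REGISTRY = [
  { id: "ga4", category: "analytics", src: "https://example.invalid/ga.js" },
  { id: "fb-pixel", category: "marketing", src: "https://example.invalid/fbevents.js" },
  { id: "yt-embed", category: "marketing", src: "https://example.invalid/yt-iframe.js" },
];

// Read the stored consent record; treat anything malformed or recorded under an
// older policy version as "no consent", so the banner is shown again.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== "object" || rec.version !== CONSENT_VERSION) return null;
  return rec;
}

// Persist the choice; only known categories are kept and "necessary" is forced on.
function recordConsent(storage, choices, now = Date.now()) {
  const allowed = { necessary: true };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") allowed[cat] = choices[cat] === true;
  }
  const rec = { version: CONSENT_VERSION, allowed, timestamp: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Default-deny: with no valid record, only "necessary" is allowed.
function isAllowed(rec, category) {
  if (category === "necessary") return true;
  return Boolean(rec && rec.allowed && rec.allowed[category] === true);
}

// Load every registered script whose category is allowed, via the injected
// loader (in a browser: create a <script src=...> element). Returns loaded ids.
function loadGatedScripts(storage, registry, loader) {
  const rec = readConsent(storage);
  const loaded = [];
  for (const tag of registry) {
    if (isAllowed(rec, tag.category)) { loader(tag); loaded.push(tag.id); }
  }
  return loaded;
}

// In-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a real page you would pass `window.localStorage` and a loader that appends a `<script>` element, and call `loadGatedScripts` both on page load and again right after the visitor submits the banner.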


ONE LEGAL PAGE VS. MULTIPLE PAGES: WHAT I RECOMMEND

You'll see websites handle legal pages in different ways. Some have separate pages for Privacy Policy, Terms of Service, Cookie Policy, and Accessibility Statement. Others combine everything into one "Legal" page with clear sections and hyperlinks.


My approach: One page with clear sections.


Why it works:

  • Easier to maintain: Update one page instead of four
  • User-friendly: Everything's in one place with jump links
  • SEO-neutral: Google doesn't penalize combined legal pages
  • Less clutter: Keeps your footer links clean


How to structure it:

  1. Create a single "Legal" or "Privacy & Legal" page
  2. Use clear headings for each section:
     • Privacy Policy
     • Cookie Policy
     • Terms of Service
     • Accessibility Statement
  3. Add a table of contents at the top with anchor links to each section
  4. Link to this page from your footer


When to use separate pages:

  • Your privacy policy is especially long (e.g., complex data practices, multiple services)
  • Platform or legal counsel requires it
  • You want to track analytics on individual policy pages


Real talk: Unless you have a specific reason to split them up, one well-organized page is simpler and just as compliant.


HOW TO CREATE THESE PAGES: FREE & PAID TOOLS + WHEN TO HIRE A LAWYER

The good news: you don't need to hire a lawyer to create basic legal pages. The better news: there are solid tools that make this easy.


WHEN TO USE A GENERATOR TOOL (LIKE TERMLY)

Use a free or paid generator when:

  • Your data practices are straightforward (contact forms, analytics, email marketing)
  • You're a small nonprofit, community org, or creative with a basic website
  • You're collecting standard information (names, emails, payment data)
  • You're not selling user data or doing anything complex with it


Recommended tool: Termly


How to use a generator:

  1. Answer questions about your website (what data you collect, what tools you use, etc.)
  2. Generate the policy text
  3. Customize it to reflect your actual practices (don't just copy-paste—make sure it's accurate)
  4. Add it to your website


Important: Even with a generator, you need to update your policies when your practices change. Added a new analytics tool? Update your privacy policy. Started selling products? Update your terms.


WHEN TO HIRE A LAWYER

Hire a lawyer when:

  • You're handling sensitive data (health information, financial data beyond basic payment processing, children's data)
  • You're doing complex data sharing or selling
  • You're in a highly regulated industry (healthcare, finance, education)
  • Your organization is large enough that enforcement risk is higher
  • You're creating custom terms for complex services, memberships, or intellectual property licensing
  • You've received a legal notice or complaint


For nonprofits: If you're receiving federal funding or handling donor data at scale, it's worth having a lawyer review your policies even if you use a generator to create the first draft.


For small businesses and creatives: If you're selling digital products, running a membership site, or licensing creative work, custom Terms of Service drafted by a lawyer can save you headaches later.


Real talk: Most small organizations don't need custom legal documents from day one. Start with a generator, be honest about your practices, and upgrade to legal counsel as you grow or your needs get more complex.


HOW I HANDLE LEGAL PAGES IN CLIENT WEB DESIGN PROJECTS

When I build websites for clients — whether it's a nonprofit, community organization, small business, or creative — I always include the page builds for Privacy Policy, Terms of Service, Cookie Policy, and Accessibility Statement.


What that means:

  • I create the actual pages on your site
  • I set up the structure, formatting, and navigation
  • I link them properly in your footer and wherever else they're needed


What I don't do:

  • Write the policy content itself (that's your responsibility or your lawyer's)


Why this approach works:

  • You're not paying me for legal advice I'm not qualified to give
  • You have full control over the accuracy of your policies
  • You can use a free tool like Termly, hire a lawyer, or do a combination
  • The pages are ready to go as soon as you have the content


What I recommend to clients:

  1. Use Termly (or similar) to generate your policies
  2. Customize the generated text to match your actual practices
  3. I implement on your site
  4. Review and update at least once a year or whenever your data practices change


If your situation is more complex — handling sensitive data, operating in a highly regulated space, or managing significant legal risk — I'll recommend you work with a lawyer and I'll coordinate with them to make sure the site structure supports whatever policies they create.


ACTION STEPS: DO THIS TODAY!

Here's what to do right now to get your legal pages in order:


Audit what you collect: Make a list of every way your website collects data (contact forms, analytics, cookies, newsletter signups, e-commerce, etc.)


Check what you have: Do you already have a privacy policy? Terms of service? Are they accurate and up to date?


Create or update your policies:

  • Go to Termly.io (or another generator)
  • Answer the questions honestly based on your audit
  • Generate your privacy policy, cookie policy, and terms of service
  • Customize the text to reflect your actual practices


Add an accessibility statement: Use Termly or write your own based on your commitment to accessibility


Set up cookie consent: Install a cookie banner plugin (WordPress) or enable the built-in tool (Squarespace) if you have EU visitors


Create or update your legal page:

  • Add all policies to one page with clear headings
  • Include a table of contents with anchor links
  • Link to it from your footer


Schedule a yearly review: Set a calendar reminder to review and update your policies annually or whenever your practices change


Tell your team: Make sure anyone who manages your website or handles data knows these policies exist and where to find them


NEED A WEBSITE BUILT RIGHT FROM THE START?

Legal pages should be part of your site from day one, not something you scramble to add later. When I design websites for nonprofits, community organizations, small businesses, and creatives, I build in the structure for privacy policies, terms of service, cookie compliance, and accessibility from the ground up — so you're starting with a solid, legally sound foundation.


If you're building a new site or redesigning an existing one, let's make sure it's done right.


The bottom line: Privacy policies, cookie policies, terms of service, and accessibility statements are more than legal requirements. They show brand integrity and protect the people who trust you with their information. These pages don't have to be complicated, expensive, or overwhelming. They just need to exist, be accurate, and reflect how you actually operate.
