Do I need Terms and Conditions on my small-business website?
Published 28 June 2026 · 4 min read
Strictly speaking, UK law does not require every business website to have Terms and Conditions. But if your site takes payments, collects personal data, or lets people book or enquire, there are pages you are legally required to have, and others that protect you even when not legally required. Here is a plain-English answer to what you need, and why getting it right matters more than most small businesses realise.
Note: this article is general guidance, not legal advice. If your site has complex terms or you are unsure about your specific situation, speak to a solicitor.
What does UK law actually require?
If you sell goods or services online to consumers, the Consumer Rights Act 2015 and the Consumer Contracts Regulations 2013 both apply. You must give clear information about the price, your business identity, the buyer's right to cancel, and the terms of the sale before purchase takes place. A Privacy Policy is required by UK GDPR the moment you collect any personal data, including names and email addresses submitted through a contact form. A Cookie Notice is required if your site uses any non-essential cookies, including analytics trackers. A full Terms and Conditions page is not strictly required by law for a site that only collects contact enquiries with no payments. In practice, though, it is still a sensible addition.
Do I need T&Cs if I sell products or services online?
Yes. If someone can pay you through the site, you need terms that set out what the buyer is agreeing to: what they receive, what happens if there is a problem, and how disputes are handled. Without that, you are relying on the defaults in consumer law, which are not always in a business owner's favour. A solicitor can draft these properly for your sector, but for most small-business sites a straightforward, plain-English set of T&Cs is enough to give you a clear paper trail if a dispute ever arises.
Do I need a Privacy Policy?
Yes, in almost every case. UK GDPR makes a Privacy Policy mandatory if you collect any personal data, and for most sites that threshold is crossed the moment a contact form exists. Your Privacy Policy needs to explain what data you collect, why you collect it, how long you keep it, and who you share it with, including any third-party tools such as analytics platforms, form providers, or email services. It does not need to be long, but it does need to be accurate. If your site uses Google Analytics, Tally forms, or any email marketing tool, all of those need to be named. A Privacy Policy that describes a site using none of those tools, published on a site that actually uses all of them, is worse than no policy at all, because it is misleading.
What if I only have a contact form?
A contact form still collects personal data. Name and email address are enough to trigger the UK GDPR requirement for a Privacy Policy. A full T&Cs page is not legally required in that case, but it is still worth having as a single place that sets out how you work: how you respond to enquiries, your payment terms if a client proceeds, what is included in your service and what is not, and how someone can raise a concern. It protects you in disputes and signals to careful customers that the business is properly run, which matters in higher-value service sectors.
What about cookies?
If your site uses any non-essential cookies, such as analytics, advertising pixels, or embedded videos from YouTube, you need a cookie notice that gives visitors the choice to accept or decline them before those cookies are set. If your site uses only essential cookies (session management, form security tokens), no notice is required. Many hand-coded small-business sites have very few cookies at all. It is worth checking what your site actually sets before adding a consent banner. The banner itself is not the legal requirement; transparency about what the site places on a visitor's device is.
A practical checklist.
- Contact form only, no payments: Privacy Policy required. T&Cs not legally required but advisable.
- Online sales or bookings: Privacy Policy required. T&Cs legally required covering price, cancellation and dispute handling.
- Analytics or third-party scripts: Cookie notice required. Name every tool in your Privacy Policy.
- No analytics, no payments, no embedded third-party content: Privacy Policy still required if you have a contact form.
At Simpllous, every site we build includes a Privacy Policy as standard, written for the specific stack and data the site uses. Our own Terms and Privacy Policy are linked in the footer of every page as an example of what these pages should look like for a small service business. If you need a site that covers the legal basics properly from day one, the contact page is the place to start.
Common questions.
Is it a legal requirement to have Terms and Conditions on a UK website?
Not for every site. If you sell goods or services online to consumers, you are legally required to set out the terms of sale before purchase under the Consumer Contracts Regulations 2013. For a site that only collects contact enquiries and does not take payments, T&Cs are not strictly required by law, but they are still advisable as they protect you in disputes.
Do I need a Privacy Policy if I only have a contact form on my website?
Yes. A contact form collects personal data, at minimum a name and email address, which brings you under UK GDPR. A Privacy Policy explaining what you collect, why, how long you keep it, and who you share it with is a legal requirement even if the form is the only data collection on the site.
What happens if I do not have a Privacy Policy on my website?
You are technically in breach of UK GDPR, which carries potential fines from the ICO. In practice, enforcement against a small business with a contact form is rare, but the reputational cost with informed customers is real. A Privacy Policy takes very little time to add properly, so there is little reason to leave it out.
Want a site that gets the legal basics right from day one?
Every Simpllous build includes a Privacy Policy matched to the site's actual stack. Tell us what your business needs and we will show you what that looks like.