
What Happens If You Don't Have a Privacy Policy?

Most small businesses and indie founders don't have a privacy policy because they think the risk is too small to worry about. Here's what the actual risk looks like.

The legal position

Under UK GDPR, a privacy policy isn't optional. If you collect any personal data — which includes emails, IP addresses, names, or anything tracked via analytics — you're legally required to provide a privacy notice that tells users what you're doing with their data.

Operating without one is a breach of data protection law. Full stop.

What can actually happen

ICO complaints

The UK's Information Commissioner's Office (ICO) can receive complaints from your users. If someone signs up to your product, doesn't know how their data is used, and files a complaint, the ICO can investigate. For a business with no privacy policy at all, the outcome is not good.

Fines

ICO fines for GDPR violations can reach £17.5 million or 4% of annual global turnover, whichever is higher. In practice, fines at that scale are for large organisations.

For small businesses and individuals, the ICO typically issues enforcement notices and reprimands first. But formal enforcement actions are public — they appear on the ICO's register. That damages trust and reputation.

Enforcement action example

The ICO has taken enforcement action against sole traders and micro-businesses — not just corporates. If a complaint is made and you have no privacy policy, you've made the ICO's job very easy.

The practical risks beyond regulation

App store rejection. If you're submitting to the Apple App Store or Google Play, a privacy policy URL is mandatory. No privacy policy = no listing.

Payment processor requirements. Stripe requires a privacy policy to be live on your site. PayPal does too. Operating without one can result in account suspension.

B2B deals blocked. Enterprise customers run vendor due diligence. If you have no privacy policy, they won't sign. A single missed contract can cost more than a year of compliance work.

Loss of user trust. More users check privacy policies than you'd expect — especially in the UK and EU. A missing policy signals that you haven't thought about data, which raises red flags at the purchase stage.

"I'm too small for anyone to care"

The compliance risk does scale with size. The ICO prioritises complaints against large organisations. But:

  • Complaints can come from anyone, regardless of company size
  • Your competitors can report you
  • Regulatory risk increases every time you grow — and if you've never had a policy, the history of non-compliance doesn't disappear

Getting compliant now, while small, costs almost nothing and creates no negative consequences.

How long does it take to get one?

Less than an hour using InkTerms. Answer questions about your product, download a personalised privacy policy, paste it into your website. Done.

The risk of not having one far outweighs the five minutes it takes to get it sorted.
