Online Privacy Notice Template for England and Wales

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Online Privacy Notice?

The Online Privacy Notice is a fundamental document required by UK data protection law for any organization collecting personal data through online channels. It serves as a transparent communication tool between data controllers and data subjects, explaining data processing activities, individual rights, and compliance with UK GDPR and related legislation. This document is particularly crucial in England and Wales, where organizations must demonstrate compliance with strict data protection requirements and maintain transparency in their data handling practices.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Online Privacy Notice

An Online Privacy Notice is a critical legal document that organizations must provide when collecting personal data through websites, apps, or other digital platforms. Under England and Wales law, this document serves as your primary tool for transparency and compliance with data protection legislation, ensuring data subjects understand how their information is processed and protected.

When do you need this document?

You need an Online Privacy Notice whenever your organization collects, processes, or stores personal data through digital channels. This includes operating a business website with contact forms, running an e-commerce platform, providing online services requiring user registration, or using analytics tools that track visitor behavior. Social media businesses, subscription services, and any organization using cookies or similar tracking technologies must also implement comprehensive privacy notices. The document is equally essential for public sector organizations, charities, and private companies operating online in England and Wales.

Key legal considerations

Your Online Privacy Notice must clearly identify the categories of personal data you collect, including names, email addresses, payment information, and behavioral data. You must specify the legal basis for each processing activity, whether it's consent, legitimate interests, contract performance, or legal obligation. The notice should detail data retention periods, explaining how long you keep different types of information and the criteria for determining these periods. Third-party data sharing arrangements require transparent disclosure, including the identities of recipients and purposes of sharing. You must also outline the security measures protecting personal data and provide clear information about international data transfers if applicable. The document should explain how data subjects can exercise their rights, including access, rectification, erasure, and portability rights under UK GDPR.

Legal requirements in England and Wales

Under UK GDPR and the Data Protection Act 2018, your Online Privacy Notice must be easily accessible, written in clear and plain language, and provided at the point of data collection. The notice must be prominent and separate from other terms and conditions, ensuring data subjects can make informed decisions about their personal data. Privacy and Electronic Communications Regulations 2003 (PECR) impose additional requirements for cookies and electronic marketing, requiring specific consent mechanisms and opt-out procedures. The Consumer Rights Act 2015 adds consumer protection elements for digital services, while E-Commerce Regulations 2002 mandate certain information disclosures for online businesses. Organizations must regularly review and update their privacy notices to reflect changes in processing activities, legal requirements, or business operations. Failure to provide adequate privacy information can result in significant fines under UK GDPR enforcement, with penalties reaching up to 4% of annual global turnover or £17.5 million, whichever is higher.

GOVERNING LAW

Applicable law

This Online Privacy Notice is drafted to comply with England and Wales law. Key legislation includes:

UK GDPR: The UK General Data Protection Regulation - primary legislation governing data protection and privacy in the UK post-Brexit

Data Protection Act 2018: The UK's implementation of data protection laws, working alongside UK GDPR to provide a comprehensive data protection framework

PECR 2003: Privacy and Electronic Communications Regulations - specific rules for electronic communications, including rules about cookies and marketing communications

Consumer Rights Act 2015: Legislation protecting consumer rights that includes aspects relevant to online services and digital content

E-Commerce Regulations 2002: Electronic Commerce (EC Directive) Regulations governing online business operations and information requirements

Freedom of Information Act 2000: Legislation governing public access to information held by public authorities (relevant if the organization is a public body)

ICO Guidelines: Information Commissioner's Office guidelines and codes of practice providing authoritative guidance on data protection compliance

EDPB Guidelines: European Data Protection Board guidelines that, while not binding post-Brexit, remain influential in UK data protection practice

EU GDPR: European Union General Data Protection Regulation - relevant if serving EU customers or processing EU citizens' data

Data Subject Rights: Mandatory inclusion of information about individuals' rights regarding their personal data, including access, rectification, erasure, and portability

Cookie Requirements: Specific requirements for disclosure of cookie usage and obtaining appropriate consent

International Transfers: Requirements for disclosing and ensuring compliance with international data transfer mechanisms

Data Retention: Requirements to specify and justify data retention periods for different types of personal data

Security Measures: Obligation to describe organizational and technical measures to protect personal data

Children's Privacy: Special considerations and requirements when processing children's personal data

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it