
Privacy Policies and Terms for Small Business Sites

6/11/2026

Why small business websites need a privacy policy and terms page, what each one covers, and when your forms and analytics quietly create obligations.

Scroll to the bottom of almost any website and you'll find the same two links: Privacy Policy and Terms of Service. Most small business owners assume those pages are for big companies, copied them from somewhere years ago, or skipped them entirely. Then a payment processor, an ad platform, or a lead vendor asks for the privacy policy URL, and the scramble begins.

This post explains what those pages are, why a five-page contractor site usually needs at least one of them, and where the obligations actually come from. One thing up front, stated plainly because it matters: this is general information, not legal advice. Privacy law varies by state, changes frequently, and depends on details of your specific business. The right move at the end of this article is the same as at the beginning: have an attorney review your pages. What this article does is make that conversation shorter and cheaper, because you'll walk in knowing what you're asking for.

Why these pages exist at all

A privacy policy and a terms page solve two different problems.

A privacy policy answers one question for your visitors: what happens to information about me on this site? What you collect, how you use it, who you share it with, how long you keep it, and how someone can ask about theirs. It's a disclosure document. Its job is to tell the truth about your actual practices.

A terms of service page (also called terms of use or terms and conditions) sets the rules of the road for using your site. It's where businesses put things like: the content here is general information and not a binding quote, we own the photos and text on this site, here's the state whose laws govern disputes, here's our liability disclaimer. For a simple brochure site, terms are the less urgent of the two. They matter more as your site does more: online booking, payments, customer accounts, user-submitted content like review widgets or photo uploads.

For most local service businesses, the privacy policy is the one carrying real weight, so that's where we'll spend most of this article.

"But I don't collect any data." You almost certainly do

This is the most common objection, and it's almost always wrong, not because owners are careless but because the collection is invisible from where they sit. Walk through your own site:

  • Contact and quote forms. Name, phone, email, address, project description. That's personal information, full stop, and it's the most obvious category.
  • Analytics. If Google Analytics or any similar tool runs on your site, data about visitors (device, pages viewed, rough location, identifiers used to distinguish visitors) is being collected and shared with the analytics provider. You didn't write that code, but it's running on your site at your direction.
  • Advertising pixels. A Facebook pixel or Google Ads tag tracks visitor behavior to measure campaigns and build retargeting audiences. This is sharing data with ad platforms in the way many privacy laws specifically care about.
  • Call tracking and chat widgets. Dynamic number swaps, chat boxes, AI receptionists: all of them process visitor information through third parties.
  • Online booking and payments. Scheduling tools and payment processors handle names, addresses, and card details, and virtually all of them contractually require you to post a privacy policy as a condition of using their service.
  • Email and SMS signups. If you collect numbers for appointment reminders or run any kind of text follow-up, disclosure rules and carrier requirements both come into play, and carriers increasingly check that your site's policy describes your texting program before approving your messaging registration.

Notice the pattern: the moment a site has a form or an analytics tag, which is to say the moment it's a functioning business website at all, information is flowing. The privacy policy is simply the page that tells the truth about that flow.

Where the obligations come from

There's no single federal law that says "every U.S. website must have a privacy policy." The obligations arrive from several directions at once, which is why the answer to "am I required to have one?" is usually "in practice, yes," even when no single statute names your business.

  • State privacy laws. California led the way and a growing list of states have followed with comprehensive privacy laws. Many of them have thresholds based on revenue or the number of people whose data you process, so a small local outfit may fall under some and outside others. Thresholds change, states keep adding laws, and "we're probably under the threshold" is a question for your attorney, not a settled fact. California's longstanding online privacy law, notably, has a very low bar: it applies to operators of commercial websites that collect personal information from California residents, and your website doesn't check ID at the state line.
  • The FTC. The Federal Trade Commission polices unfair and deceptive practices, and a privacy policy that misstates what you actually do is a classic deceptive practice. This cuts in an underappreciated direction: a copied, inaccurate policy can be worse than no policy, because now you've made promises you're breaking. The FTC's privacy and security guidance for businesses at ftc.gov is written for non-lawyers and worth a skim.
  • Contracts you've already signed. Google Analytics' terms require sites using it to post an appropriate privacy policy. So do Google Ads policies, Meta's advertising terms, most payment processors, and most booking platforms. You agreed to these when you clicked through their signup. This is the quiet reason most small sites are already contractually obligated to have a policy regardless of what any legislature says.
  • Specific federal rules for specific situations. Collecting information from children under 13 triggers COPPA. Health information can implicate other rules. Email marketing has CAN-SPAM; texting has TCPA and carrier registration requirements. None of these are blanket website laws, but each one reaches certain things a website does.

If you want a general orientation to small business legal basics beyond the website, the SBA maintains plain-language resources at sba.gov.

What a privacy policy actually covers

Strip away the legalese and a competent small business privacy policy answers a short list of questions:

  • What we collect. Form submissions, analytics data, cookies, call recordings if you record, payment information if you take it.
  • How we collect it. Directly from you when you fill out a form; automatically via cookies and similar technologies when you browse.
  • Why we collect it. To respond to inquiries, schedule service, measure advertising, improve the site.
  • Who we share it with. Service providers like analytics, advertising, scheduling, and payment platforms, named by category and ideally by name.
  • How long we keep it, even if the honest answer is a general statement of practice.
  • Choices and rights. How someone can opt out of marketing, request their information, or ask you to delete it, and how rights under applicable state laws are handled.
  • How to contact you with questions, and the date the policy was last updated.

A terms page, for its part, typically covers: the site content is provided as-is and isn't professional advice or a binding offer, intellectual property ownership, acceptable use, limitation of liability, and governing law. If your site takes bookings or payments, the terms get more substantive and more worth real legal attention, the same way your customer-facing paperwork already is.

The copy-paste temptation, and why templates are a starting point at best

Every owner's first instinct is to copy a competitor's policy and swap the names. Understand precisely what's wrong with that: their policy describes their data practices. If they don't run call tracking and you do, your copied policy now misdescribes your site. If they're subject to a state law you're not, you've imported obligations; if the reverse, you've omitted required disclosures. And as noted above, the FTC's concern is whether your stated practices match your actual ones. A policy that lies, even by accident and even by inheritance, is its own problem.

Generators and templates are more defensible as a starting point, and plenty of small businesses use them. The honest framing: a good generator gets you a document shaped like the truth, and an attorney review is what confirms it actually is the truth for your business and your states. That review, for a simple service business site, is typically a modest, bounded piece of legal work, not a retainer. Compared to what owners spend on the website itself, it's a rounding error, and it's the kind of item worth specifying when you hire a builder, right alongside the protections in our website contract red flags checklist.

Two practical notes on implementation:

  • Link both pages in your footer, sitewide. That's the convention everyone, including regulators, platforms, and carrier registration reviewers, expects. Buried pages don't count for much.
  • Revisit the policy when your site changes. Added a chat widget, a pixel, an SMS follow-up sequence, online payments? Each one is a data practice your policy should reflect. The policy is a living description, not a one-time artifact.

What this looks like in the real world

When we build sites for service businesses, the legal pages conversation takes about ten minutes: here's what your site actually collects given the form, analytics, and tracking we're installing; here's a policy structure that describes it; here's our standing recommendation to have your attorney look it over before or shortly after launch, which most owners handle in a single short engagement. Then it's done, the footer links exist, and the next time Stripe or Google or a Twilio messaging registration asks for the privacy policy URL, you paste a link instead of losing a week.

That's really the goal. Not legal perfection on day one, but truthful pages, in place, reviewed by someone licensed to review them, that keep platforms happy and customers informed.

Want the whole site, legal pages included, handled in a week?

We build done-with-you websites live on a call with you: you talk, we build, you watch it happen. First draft in 24 hours. Live in 7 days, guaranteed. Every tier from $500 includes hosting and the secure-padlock certificate, plus footer legal pages set up to reflect what your site actually runs, with the standing advice to have your attorney give them a once-over. Pay-in-4 and Klarna available.

Veteran-owned, Wilmington, NC. 1,500+ small business sites built in the last 90 days.

