Skip to content
LegalVision UK

Do I Need More Than One Privacy Policy for My Business?

Avatar photo

By Sej Lamba

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

For a data controller, a privacy policy is a crucial document you need to comply with the UK General Data Protection Regulation (UK GDPR) rules. A privacy policy informs individuals about the personal data you process about them and why. Depending on your business and how it collects personal data, you may find providing individuals with more than one privacy policy helpful. This article will explore when you require more than one privacy policy for your business in the United Kingdom. 

What Is a Privacy Policy and Why Does It Matter?

Telling individuals about how you use their personal data is a vital principle of the UK GDPR privacy law rules. 

Data controllers are organisations that decide how and why to use personal data. As a data controller, it is crucial to inform individuals about how you will process their personal data. For instance, you must tell them how and why you intend to use their telephone number, email address, or other contact information. 

Under the UK GDPR, personal data has an extensive meaning and can include all sorts of information that could identify an individual. As such, most organisations will collect and process some form of personal data as a data controller. 

By implementing comprehensive and transparent privacy policies, your business can demonstrate its compliance with the UK GDPR transparency rules and privacy laws. 

What Information Should a Privacy Policy Typically Cover?

A privacy policy needs to lay out a range of information.

For instance, some of the information your privacy policy should cover includes:

  • comprehensive information about the types of personal data you collect (e.g. contact details, names, postal address, and bank details); 
  • your purposes and the lawful basis for processing personal data; 
  • information around data security and retention periods; 
  • data sharing information, stating which third parties you share data with and whether you transfer data outside of the UK; and 
  • clear information about data subjects’ rights and the right to complain to the data protection regulator. 
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Do I Need More Than One Privacy Policy?

The answer will differ from business to business and depend on your personal data processing activities. It also depends on how you wish to present the information to individuals. 

If you operate multiple websites, you may need a separate privacy policy for each. Similarly, having a separate mobile application may warrant a unique privacy policy for the app. 

You also need to consider whether you collect personal data from distinct groups of individuals at different points. If you use their data in various ways, each group may require different privacy information. 

The essential purpose of a privacy policy is to provide individuals with clear information about intended data processing. A privacy policy should be clear, easy to understand and visible before you collect personal data. As such, different privacy policies can help your business meet its compliance obligations. 

Practical Examples

Suppose you are a famous brand manufacturing merchandise sold to end-user consumers and business resellers. Your business may collect personal data from a range of sources, for instance:

  • you may have a business-to-business website on which you collect limited personal data from potential business partners via a ‘Contact Us’ form—for example, names, email addresses, and IP addresses; 
  • you may also have a consumer-facing e-commerce website, where consumers provide various personal information so you can sell products to them; 
  • you might also have a mobile app for children to play games. Children may need to input specific personal data to register to use the app; or
  • some business customers may also simply walk into your physical shop to sign contracts with you, and you may collect their personal data in person. 

These are different instances in which you can collect personal data from various types of data subjects and for different purposes. 

As such, you may find preparing different privacy policies for each group of individuals easier and more transparent. 

Scenarios Justifying Different Privacy Policies

For example, you could prepare:

  • a simple privacy policy for business customers entering your shop and providing their data or calling you up to provide their data;
  • a more detailed website privacy policy for business customers contacting you through your business website, whereby you will collect various technical data about their devices; 
  • a more detailed website privacy policy for consumers purchasing e-commerce products on your consumer website; and
  • a child-friendly privacy policy for children using the app using child-friendly language. 

Issuing separate privacy policies can allow you to tailor each policy to the relevant audience and help you present information clearly to avoid potential confusion.  

You should also consider at what points you interact and collect data from individuals. For instance, business customers who give you their personal data at your physical shop are unlikely to see your website’s privacy policy. You are more likely to prove you informed them of their privacy rights if you issue them a physical privacy notice before you note down their details at your shop.

As such, carefully considering your privacy policies and issuing bespoke versions for different data subject groups can help demonstrate compliance.

Are Separate Privacy Policies Mandatory?

Technically, it is not mandatory to have separate privacy policies. For instance, you could choose to have one ‘global’ privacy policy, which applies to all individuals from whom you collect personal data. For example, one policy which explains how your business collects data from multiple groups of individuals in different ways. However, such a notice could become lengthy and confusing for individuals to understand. Note that your privacy policies need to be clear and accessible, and individuals should be able to understand them easily. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

If you need advice on whether you need more than one privacy policy, an experienced data protection lawyer can help. A lawyer can review your points of data collection and identify whether your business should issue more than one privacy policy or if a global policy is suitable.  

Key Takeaways

A privacy policy is a crucial UK GDPR compliance document that informs individuals about how you will process their personal data. If you collect personal data from different groups of individuals or via different means, you should consider whether you should implement more than one privacy policy. For example, a mobile app privacy policy aimed at children will look very different to a website privacy policy tailored towards sophisticated business customers. Whilst not mandatory, using more than one privacy policy can allow you to provide precise and tailored information to different groups of individuals. If you need support understanding how your business should present privacy information, you should take legal advice. 

If you need advice on your privacy policies, LegalVision’s experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers who can answer your questions and draft and review your documents. Call us today at 0808 196 8584 or visit our membership page.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

3 Common Mistakes to Avoid in Your Privacy Policy

3 Documents Your Company Needs to Demonstrate GDPR Compliance

Are Email Disclaimers Mandatory for UK Businesses Under the GDPR?

4 Common Challenges Your Company Will Face With the GDPR in the UK

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards