Why this matters
Privacy policies must be accurate and current [1]. If your policy does not match what you actually do, you risk legal issues and lose trust.
This guide explains when to update your privacy policy and how to keep it current.
For more on privacy policies, see privacy policies and GDPR compliance for small sites.
When you start collecting new data
If you start collecting new types of personal data, update your privacy policy and bring the change to people’s attention before you start the new processing.
Examples
- New form fields: Adding phone numbers, addresses, or other personal data to forms.
- Newsletter sign-ups: Starting to collect email addresses for marketing.
- Analytics changes: Switching to new analytics tools that collect different data.
- Payment processing: Adding e-commerce or payment processing that collects financial data.
- User accounts: Adding login or registration that stores user data.
When you change how you use data
If you change how you use personal data, update your privacy policy and tell people before you make the change [1].
Examples
- Marketing changes: Starting to use email addresses for marketing when you previously did not.
- Sharing data: Starting to share data with third parties (analytics, payment processors, etc.).
- Data retention: Changing how long you keep data.
- International transfers: Starting to transfer data outside the UK/EU.
When you add new services or tools
If you add new services or tools that process personal data, update your privacy policy.
Examples
- New analytics: Adding Google Analytics, Facebook Pixel, or other tracking tools.
- Chat widgets: Adding live chat or chatbot tools.
- Social media: Adding social media feeds or sharing buttons.
- Email marketing: Adding email marketing tools (Mailchimp, ConvertKit, etc.).
- Booking systems: Adding booking or appointment systems.
When legal requirements change
If privacy laws change, you may need to update your privacy policy.
Examples
- GDPR updates: Changes to UK GDPR or EU GDPR requirements.
- New regulations: New privacy laws in your jurisdiction.
- Industry requirements: New requirements for your industry (healthcare, finance, etc.).
When your business changes
If your business structure or operations change, update your privacy policy.
Examples
- Business name: Changing your business name or legal entity.
- Contact details: Changing your address, email, or phone number.
- Business model: Changing how you operate (e.g., adding e-commerce, subscriptions).
- Merger or acquisition: If your business is acquired or merged.
Regular reviews
Even if nothing changes, review your privacy policy regularly.
- Annual review: Review at least once a year to ensure it is still accurate.
- After major changes: Review after any major site or business changes.
- When you update the site: Review when you add new features or pages.
How to update your privacy policy
1) Review what you actually do
- List all the personal data you collect.
- List how you use that data.
- List who you share data with.
- List how long you keep data.
2) Update the policy
- Update the policy to match what you actually do.
- Use clear, plain language.
- Include all required information (what you collect, why, how you use it, who you share it with, retention, rights).
3) Update the date
- Update the "last updated" date on the policy.
- Consider showing a version history if you make significant changes.
4) Notify users if needed
- For significant changes, consider notifying users (email, banner on site).
- For minor updates (contact details, typos), notification may not be needed.
What to include in updates
- What changed: Clear explanation of what changed and why.
- When it changed: Date of the update.
- Impact on users: How the changes affect users' data or rights.
Common mistakes
- Forgetting to update: Policy does not match what you actually do.
- Copy-pasting templates: Using generic templates without customising for your business.
- Not reviewing regularly: Policy becomes outdated over time.
- Not updating the date: Users cannot tell when the policy was last updated.
Summary
Update your privacy policy when: you start collecting new data, you change how you use data, you add new services or tools, legal requirements change, your business changes, or during regular reviews (at least annually).
When updating: review what you actually do, update the policy to match, update the date, and notify users if needed for significant changes.
For more on privacy policies, see privacy policies and GDPR compliance for small sites. If you need help updating your privacy policy, get in touch to discuss your needs.
Sources
- [1] ICO. Should we test, review and update our privacy information?