GDPR privacy notices: what they must contain and how to write one

by
Mark McShane
May 12, 2026
9 min read

A practical guide to privacy notices under UK GDPR — what Articles 13 and 14 require, the difference between Article 13 and Article 14 information, layered notices, and a template structure UK organisations can adapt.

A privacy notice is how an organisation tells people what it does with their personal data. It is the mechanism that delivers the first of the eight individual rights — the right to be informed — and it is the document the ICO will ask to see first when investigating a complaint or running an audit.

Getting it wrong is one of the most visible compliance failures. A privacy notice that is hard to find, written in dense legalese, or missing the items Articles 13 and 14 require is a breach by itself, and a sign that the underlying processing has not been thought through.

This guide covers what the privacy notice must contain, the difference between data collected directly and data obtained elsewhere, the layered approach the ICO expects on modern websites, and a template structure you can adapt.

Privacy notice vs privacy policy

The two terms are used interchangeably in UK practice, and there is no legal distinction. UK GDPR uses neither phrase — it talks about "information to be provided" under Articles 13 and 14. The ICO's preferred term is "privacy information" or "privacy notice".

"Privacy policy" is the more common label on UK websites, partly because it is the term most often used by US-developed website templates. Either label is fine. What matters is that the document covers the required content and is genuinely accessible to the people whose data is being processed.

Where a difference is drawn at all, "privacy policy" sometimes refers to an internal document — the organisation's own policy on how it handles personal data — while "privacy notice" refers to the outward-facing notice given to individuals. Most organisations have only the outward-facing document, often labelled "privacy policy".

What Article 13 requires

Article 13 applies when personal data is collected directly from the individual. The notice must be provided at the point of collection — in the form, on the page, during the call. Article 13(1) and 13(2) together list the required content:

  • The identity and contact details of the controller — and, where applicable, of the controller's representative and any Data Protection Officer.
  • The purposes of the processing and the lawful basis for each purpose. Where legitimate interests is the basis, the specific legitimate interests pursued.
  • The recipients or categories of recipients of the personal data, including any processors.
  • Any international transfers of the personal data, the destination, and the safeguards relied on (adequacy decision, Standard Contractual Clauses, UK International Data Transfer Agreement, and so on).
  • How long the personal data will be stored, or the criteria used to determine that period.
  • The individual's rights — access, rectification, erasure, restriction, portability, objection, and the rights related to automated decision-making.
  • The right to withdraw consent at any time, where consent is the basis for processing.
  • The right to complain to the ICO.
  • Whether providing the personal data is a statutory or contractual requirement, and what happens if the individual does not provide it.
  • The existence of automated decision-making, including profiling, where it produces legal or similarly significant effects — and meaningful information about the logic involved.

The notice has to be in clear and plain language. The ICO has been explicit that dense legalese, jargon, and burying important terms in long paragraphs do not satisfy the transparency principle, even where the content technically appears.

Article 12(7) also allows for the use of standardised icons alongside the privacy notice to give an at-a-glance overview. These are optional in UK practice and rarely used in any rigorous way.

[Figure: Article 13 vs Article 14 — what each requires]

What Article 14 requires

Article 14 applies when personal data is obtained from somewhere other than the individual — bought from a list provider, scraped from a public source, received from a partner organisation, generated by another controller and shared.

The content is broadly the same as Article 13, with three additions:

  • The categories of personal data involved (because the individual cannot see what was collected).
  • The source of the personal data, including whether the source was publicly accessible.
  • The fact that the data was not obtained directly from the individual.

Timing is also different. The information must be provided within a reasonable period after obtaining the data — and in any event within one month. If the data will be used to communicate with the individual, the notice must be provided at the latest at the time of the first communication. If the data will be disclosed to another recipient, the notice must be provided at the latest when the disclosure occurs.

Article 14(5) sets out exemptions. Notice does not need to be provided where:

  • The individual already has the information.
  • Providing the notice would be impossible or involve a disproportionate effort — in particular for archiving, research, or statistical purposes under Article 89.
  • Obtaining or disclosing the data is required by UK law that provides appropriate safeguards.
  • The data is subject to a duty of professional secrecy.

The Data (Use and Access) Act 2025 clarified the "disproportionate effort" exemption in research contexts, making it easier to rely on for genuine scientific research where contacting every individual would be impractical. The exemption is still narrow outside that specific context.

Layered notices and just-in-time notices

[Figure: Layered privacy notice approach diagram]

A common practical problem: Articles 13 and 14 together require a lot of information, and presenting all of it at the point of collection — on a form, at a checkout, in a sign-up flow — overwhelms the user and damages the experience. The ICO's accepted answer is the layered notice.

A layered notice presents privacy information in tiers:

  • Layer 1 — a short, plain-language summary at the point of collection. Typically a sentence or two: "We will use your email to confirm your order. Read our privacy notice for the full picture." A link takes the user to the next layer.
  • Layer 2 — a mid-length notice that covers the main points: purposes, lawful basis, recipients, retention, rights, and the link to the full notice.
  • Layer 3 — the full privacy notice with all Article 13/14 content, structured for navigation rather than narrative.

Each layer must be honest. A misleading Layer 1 doesn't become acceptable just because the full picture sits at Layer 3.

A related pattern is the just-in-time notice: a short prompt that appears at the moment a specific piece of information is collected, explaining only what's relevant to that field. A "why we ask for your phone number" tooltip next to the phone field is a just-in-time notice. They work well alongside a layered approach.

When to provide privacy information

For Article 13 data, the notice must be available before personal data is collected. In practical terms, that means a link to the privacy notice should sit alongside the form, the sign-up flow, or the page where data is collected — visible and reachable, not buried in a footer or hidden behind a navigation menu.

For Article 14 data, the notice must be provided within a reasonable period and at most one month after the data is obtained — or at the first communication with the individual, if earlier. Where the data is shared with a third party as part of the original processing, the notice should be provided no later than the first disclosure.

Refreshing the notice matters too. A privacy notice should be reviewed periodically and updated whenever processing changes — new purposes, new recipients, longer retention, new categories of data. Material changes require active notification of existing users, not just an updated version on the website.

Common privacy notice mistakes

A few patterns the ICO routinely picks up:

  • Burying the lawful basis. The notice must state the basis for each purpose. Vague language like "we may rely on legitimate interests" without naming the specific interest does not meet the standard.
  • Using "we may" throughout. "We may share your data with..." reads as defensive drafting. It also tells the individual nothing useful. If you share data, say so plainly. If you don't, don't list the possibility.
  • Missing retention periods. Article 13(2)(a) requires the retention period or the criteria used to determine it. "We will keep your data for as long as necessary" is not enough. "We keep customer order records for six years to meet HMRC retention requirements" is.
  • No mention of international transfers. If you use a US-hosted cloud service, you are transferring data internationally. The notice has to disclose that and identify the safeguards.
  • Listing "rights" with no information about how to exercise them. The right to complain to the ICO needs a route — usually a link or an email address.
  • Cookie-only "privacy policies". A cookie banner is not a privacy notice. The two documents overlap but cover different things. See our cookie consent guide.
  • Not updating after the DUAA. Notices drafted before 2025 may reference six lawful bases, the old Article 22, and outdated ICO terminology. A current notice should reflect the post-DUAA position.

A template structure you can adapt

A workable structure for an Article 13 notice on a UK business website:

  1. Who we are. Legal name, trading name, registered address, ICO registration reference, DPO contact (if appointed).
  2. The personal data we collect. Categories — contact details, transaction information, technical information, etc. — with a brief description of each.
  3. How we use your personal data and our lawful basis. A table or list with one row per purpose, the lawful basis for that purpose, and (where relevant) the specific legitimate interest.
  4. Who we share your personal data with. Named processors or categories of recipients — payment provider, courier, hosting provider, accountant, professional advisers.
  5. International transfers. Destinations and safeguards.
  6. How long we keep your personal data. Retention period or criteria for each category, with a link to a fuller retention schedule if helpful. See our data retention guide for the principles.
  7. Your rights. A short summary of the eight rights under UK GDPR, with how to exercise each and the right to complain to the ICO. See our individual rights guide.
  8. Cookies and tracking. Brief reference and link to the dedicated cookie notice and preferences.
  9. Changes to this notice. A statement about how updates are made and when the notice was last reviewed.
  10. Contact details. A specific email or form for privacy queries.

The structure is consistent with what most ICO templates expect to see. The work of writing a good notice is in the specifics — naming the actual purposes, the actual recipients, the actual retention periods — not in the section headings.

For more on where privacy notices fit alongside the wider regulation, see our hub guide to UK GDPR, our lawful basis guide, and our personal data guide.

Frequently asked questions

Is a privacy notice the same as a privacy policy?

For practical purposes, yes. UK GDPR uses neither term — it requires "information to be provided" under Articles 13 and 14. "Privacy notice" is the ICO's preferred label; "privacy policy" is the more common one on UK websites. They typically describe the same document.

Who must have a privacy notice?

Every UK organisation that processes personal data. There is no exemption for size — a sole trader holding customer contact details needs one, just as a large company does. The level of detail scales with the complexity of the processing, not the size of the controller.

Can I link to my privacy notice?

Yes, and you usually should. The ICO accepts a linked notice provided the link is visible and reachable at the point of collection. Hidden footer links and pop-ups that appear only after data has been collected do not meet the standard.

How often should I update my privacy notice?

Review at least annually, and any time processing changes — new purposes, new recipients, new data categories, longer retention. Material changes also require notifying existing users, not just publishing an updated version.

What's a 'just-in-time' notice?

A short prompt that appears at the moment a specific piece of information is being collected, explaining what's relevant to that field. They work well alongside layered notices, particularly for fields where the user might reasonably ask "why do you need this?"
