TL;DR: Even if your website collects no personal information (PII), doesn't require login, and only uses anonymous feedback forms or essential anti-spam cookies, you still need a privacy policy in 2026. Here's exactly what's required and what you can skip.
Do You Need a Privacy Policy If You Don't Collect PII?
Yes. If your website is accessible to users in the EU, California, Brazil, Canada, or most other jurisdictions with privacy laws, you need a privacy policy — even if you think you collect nothing.
Here's why: your web server automatically logs IP addresses. Your hosting provider processes data on your behalf. If you use any cookies — even essential ones for anti-spam protection — you're processing data. Under GDPR, an IP address is personal data (Court of Justice ruling C-582/14, Breyer v Germany).
The Minimum Privacy Policy for a Simple Website
If your website has no login, no analytics, no tracking, and only uses essential cookies (like anti-spam or session cookies), here's the minimum your privacy policy must cover:
1. Who You Are
State your identity as the data controller: company name (or your name if personal), address, and a contact email. This is required by GDPR Article 13(1)(a).
2. What Data Is Collected Automatically
Even "simple" websites collect data through:
- Server logs: IP address, browser type, operating system, referrer URL, timestamp
- Essential cookies: session ID, CSRF tokens, anti-spam cookies
- Hosting provider: your hosting company processes this data on your behalf
List these even if you never look at the logs. Your hosting provider (Vercel, Netlify, Cloudflare, AWS, etc.) stores them.
3. Why You Collect It (Legal Basis)
| Data | Purpose | Legal Basis |
|---|---|---|
| IP address (server logs) | Website functionality & security | Legitimate interest |
| Anti-spam cookies | Preventing bot abuse | Legitimate interest |
| Session cookies | Website functionality | Strictly necessary (no consent needed) |
| Anonymous feedback form | Improving the website | Legitimate interest |
Key point: Essential anti-spam cookies and session cookies do not require consent under the ePrivacy Directive — they are "strictly necessary" for the service. You do not need a cookie consent banner for these alone.
4. Who Has Access to the Data
List your data processors, even for a minimal site:
- Hosting provider (e.g., Vercel, Netlify, Cloudflare, Hetzner)
- CDN provider (if separate from hosting)
- Email provider (if using a contact form that sends email)
- Anti-spam service (e.g., reCAPTCHA, hCaptcha, Cloudflare Turnstile)
Warning about reCAPTCHA: Google reCAPTCHA sets tracking cookies and sends data to Google servers. If you use it, it's no longer "essential only" — you may need a cookie consent banner. Consider privacy-friendly alternatives like hCaptcha or Cloudflare Turnstile.
5. Where Data Is Stored
Disclose the country where data is processed. If your hosting is in the US (Vercel, AWS, Netlify), mention the transfer mechanism:
- EU-US Data Privacy Framework (DPF) — if your provider is DPF-certified
- Standard Contractual Clauses (SCCs) — check your provider's DPA
If possible, use EU-based hosting to avoid the cross-border complexity entirely.
6. How Long Data Is Kept
| Data Type | Recommended Retention |
|---|---|
| Server logs | 30–90 days |
| Anti-spam cookies | Session or up to 24 hours |
| Anonymous feedback | As long as useful, no PII involved |
| Contact form submissions | Until inquiry resolved + 30 days |
7. User Rights
Even for minimal data collection, you must list GDPR rights: access, rectification, erasure, restriction, portability, objection, and the right to complain to a supervisory authority. Provide an email address for exercising these rights.
Do You Need a Cookie Consent Banner?
Not always. If your website ONLY uses strictly necessary cookies (session, CSRF, anti-spam), you do NOT need a cookie consent banner. The ePrivacy Directive exempts cookies that are "strictly necessary for the provision of an information society service explicitly requested by the subscriber or user."
However, you DO need a banner if you use any of these:
- Google Analytics (even GA4 with anonymized IP)
- Google Fonts loaded from Google servers
- Facebook Pixel or any ad tracker
- YouTube embeds (sets cookies)
- Google reCAPTCHA (sets tracking cookies)
- Hotjar, Clarity, or any session recording tool
- Social media sharing buttons that load external scripts
Not sure what cookies your site sets? Use PrivacyChecker to scan your website and see every cookie, tracker, and third-party script loading on your pages.
Anonymous Feedback Forms — What Counts as "Anonymous"?
If your feedback form truly collects no PII — no name, no email, no account ID — the responses themselves may not be personal data. But be careful:
- Your server still logs the IP address of the person submitting feedback
- If combined with other data (timestamp + IP), it could become identifiable
- Free-text fields may contain personal data voluntarily entered by users
Best practice: Mention in your privacy policy that anonymous feedback is collected, that you don't intentionally link it to individuals, and specify how long you retain it.
Essential Anti-Spam Cookies — What's Allowed Without Consent?
Anti-spam cookies fall under the "strictly necessary" exemption if they:
- Protect forms from bot submissions
- Are required for the website to function as intended
- Don't track users across sites or sessions
- Don't share data with third-party advertising networks
Examples of compliant anti-spam cookies: Cloudflare Turnstile tokens, custom CSRF tokens, honeypot field identifiers. Examples that are NOT exempt: Google reCAPTCHA (sends data to Google), any cookie that persists beyond the session for tracking purposes.
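An added example, not code from the original article, of a custom anti-spam cookie that meets the four criteria above: a first-party, HMAC-signed token bound to one form, limited to the 24-hour lifetime given in the retention table, sent only on the form's own path and never cross-site, and checked together with a honeypot field on submission. The secret key, the cookie name `antispam`, the path `/feedback` and the honeypot field name `website_url` are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical per-deployment secret; load it from the environment or a secret store in practice.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600            # the page's "up to 24 hours" for anti-spam cookies
COOKIE_NAME = "antispam"         # hypothetical name; goes into the policy's cookie table
HONEYPOT_FIELD = "website_url"   # hypothetical hidden field; real visitors leave it empty


def issue_antispam_token(form_id: str, now: Optional[float] = None) -> str:
    """Self-contained token: form_id.expiry.nonce.mac, signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = f"{form_id}.{int(now) + TOKEN_TTL}.{secrets.token_hex(8)}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_antispam_token(token: str, form_id: str, now: Optional[float] = None) -> bool:
    """Accept only an untampered token issued for this form that has not expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return False
    fid, expiry, nonce, mac = parts
    expected = hmac.new(SECRET_KEY, f"{fid}.{expiry}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # check the MAC before trusting any field
        return False
    return fid == form_id and now < int(expiry)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: scoped to the form path, first-party only, 24h lifetime."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["max-age"] = TOKEN_TTL
    jar[COOKIE_NAME]["path"] = "/feedback"
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Strict"      # never sent cross-site, so it cannot track across sites
    return jar.output(header="").strip()


def accept_submission(cookie_token: str, fields: dict, form_id: str, now: Optional[float] = None) -> bool:
    """Accept a form post only when the honeypot is empty and the cookie token verifies."""
    return fields.get(HONEYPOT_FIELD, "") == "" and verify_antispam_token(cookie_token, form_id, now)
```

The token stores nothing about the visitor, so the only personal data involved remains the server log entry the page already lists.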
Privacy Policy Requirements by Region
| Region | Law | Privacy Policy Required? | Cookie Banner Required? |
|---|---|---|---|
| EU / EEA | GDPR + ePrivacy | Yes, always | Only for non-essential cookies |
| UK | UK GDPR + PECR | Yes, always | Only for non-essential cookies |
| California | CCPA / CPRA | Yes, if collecting data from CA residents | Not required, but "Do Not Sell" link is |
| Brazil | LGPD | Yes | Recommended |
| Canada | PIPEDA | Yes | Implied consent for essential cookies |
| Global (no local law) | Best practice | Strongly recommended | Not legally required |
Minimum Privacy Policy Template for No-PII Websites
Here's a stripped-down structure for a website that collects no personal information beyond server logs and essential cookies:
- Who we are: Company name, address, contact email
- What we collect: Server logs (IP, browser, timestamp), essential cookies (session, anti-spam)
- Why: Website functionality and security (legitimate interest)
- Third parties: Hosting provider name and location
- Retention: Server logs deleted after 30–90 days
- Your rights: Access, erasure, objection — contact [email]
- Complaints: Right to complain to your local Data Protection Authority
- Cookie details: List of essential cookies with name, purpose, and expiration
This covers the minimum legal requirements. For a more comprehensive policy, see our GDPR privacy policy template guide.
Common Mistakes on "Simple" Websites
- Using Google Fonts from Google CDN: Sends visitor IPs to Google — use self-hosted fonts instead
- Embedding YouTube videos: Sets tracking cookies without consent
- Using Google reCAPTCHA: Not "essential only" — sends data to Google for risk analysis
- No privacy policy at all: Even a one-page site needs one if accessible in the EU
- Assuming "anonymous" means no obligations: Server logs with IP addresses are personal data
Scan your website with PrivacyChecker to catch these issues before a regulator does. Our scanner checks for all common privacy violations in under 60 seconds.
Frequently Asked Questions
Do I need a privacy policy if my website has no login and no forms?
Yes. Your web server collects IP addresses automatically, and your hosting provider processes that data. Under GDPR, IP addresses are personal data. You need a privacy policy disclosing this, even if your site is purely informational with zero user interaction.
Are anti-spam cookies exempt from consent requirements?
Yes, if they are strictly necessary. Cookies used solely to prevent bot abuse on forms (CSRF tokens, honeypot cookies, Cloudflare Turnstile tokens) are exempt under the ePrivacy Directive. However, Google reCAPTCHA is NOT exempt because it sends data to Google for risk analysis beyond your website.
What is the minimum privacy policy for a global website in 2026?
At minimum: identify yourself, list what data is collected (including server logs), state the legal basis, name your hosting provider, specify retention periods, and list user rights. If your website is accessible in the EU, follow GDPR requirements. If accessible in California, add CCPA disclosures. Use PrivacyChecker to find all data collection happening on your site.
Can I collect anonymous feedback without GDPR obligations?
If feedback is truly anonymous (no name, no email, no account link), the feedback content itself may not be personal data. But your server still logs the submitter's IP address, which IS personal data. You still need a privacy policy covering the server log collection.