If you’ve ever installed a Meta Pixel, embedded a video or social post or tracked visitor behaviour on your site, congratulations, you're now responsible for personal data. And if you don’t handle that data properly, you could land yourself (or your client) in hot water.
This isn’t about scaremongering or turning you into a GDPR expert, but if you’re working with client accounts or building your own audience, you do need to understand the basics.
We’re here to give you the info you actually need to stay on the right side of the law.
TL;DR:
If you're collecting any info about people, you’re handling personal data. And even as a freelancer, you're legally responsible for keeping that data safe, secure, and used properly.
Here’s what you need to do:
- Add a privacy policy to your website or landing pages
- Use a cookie banner
- Keep it secure
- Never reuse or share data between clients
- Know the rules (UK GDPR, EU GDPR, US state laws like CCPA)
The boring legal stuff
Here’s a quick overview of what laws relate to you depending on where you (or your clients/audience) are based:
🇬🇧 UK GDPR + Data Protection Act 2018
This is the UK's version of GDPR (which it adopted from the EU pre-Brexit), and it applies to any personal data you collect, store, or use.
🇪🇺 EU GDPR (General Data Protection Regulation)
The original GDPR, and still the gold standard for data privacy, applies to any business in the EU or marketing to EU citizens.
🇺🇸 USA: No federal law (but important state laws)
The US doesn’t have one single data law; it’s a patchwork of state-level laws.
CCPA (California) and CPRA are the big ones, giving California residents rights over how their data is used. Other states (like Colorado, Virginia, and Connecticut) are catching up.
You’re expected to follow these if you collect data from people in those states, especially if you run ads, track behaviour, or collect email addresses.
No matter where you are based, play it safe by following the strictest standards (likely to be GDPR).
Do you need to register with the ICO?
If you're in the UK and handling personal data in any way (yes, even replying to DMs on a client’s account), you’ll likely need to register with the ICO (the Information Commissioner’s Office).
They’ve got a quick self-assessment tool to check if registration applies to you (spoiler: it probably does). It takes five minutes and keeps you covered. The annual payment is typically around £50; you can check your status and pay that here.
What counts as personal data?
Basically, anything that can identify someone:
- Names, emails, phone numbers
- Social handles, IP addresses
- DMs, form entries, ad audiences
- Pixel data, website visits, even survey responses
If you can link it to a real person, it's protected under GDPR/UK GDPR.
What you can and can’t do with personal data
✅ You can…
- Use it for the purpose the person expected (e.g. sending a freebie if they opted in for it, or marketing emails if they’ve consented)
- Store it securely using GDPR-compliant tools
- Give people the option to unsubscribe or request their data be deleted
❌ You can’t…
- Add someone to your email list without consent
- Use data for a different purpose than it was collected for
- Share it with another client or business (including uploading to AI tools)
NB: You can only collect personal data if you have a privacy policy.
You need a privacy policy
If you're collecting any personal data (even just email addresses), your website or landing page must have a privacy policy. It’s simply a document that covers:
- What data you collect and why
- How it is stored
- What tools you use (e.g. ActiveCampaign, Airtable)
- How people can opt out or request deletion
Get a privacy policy via our legal shop
Cookie banners + policies
🍪 WTF are cookies?
Cookies are small text files that get stored on someone’s device when they visit a website.
They’re used to remember user preferences (like logins or language settings), track behaviour (like which pages they view or how long they stay) and build audiences for things like ads.
Some cookies are harmless and essential for a website to work. Others track people’s behaviour for analytics or marketing; those are the ones you need consent for.
If your site uses any tracking, such as the Meta Pixel, Google Analytics or Google Tags, YouTube embeds, etc., you’re using cookies and MUST have a cookie banner and policy.
Your website must have a Cookie banner.
You also must have a cookie banner that asks website visitors for consent before loading any cookies. Not having one of these means your website is not compliant and you could face big fines.
We use a tool called Cookieyes on our website, which is super easy to use and very reasonably priced.
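The consent gate such a banner enforces, as an added example that is not code from the original post or from Cookieyes: third-party tags load only after the visitor opts in to their category (essential cookies are exempt, as above), and an audit helper flags tags found on a page without the consent they need. The tag ids, URLs and stored-consent format are assumptions.

```javascript
// Added example (not code from the original post or from Cookieyes): a minimal consent gate.
// Each tag is registered with the consent category it needs and is injected only after
// the visitor opts in; essential cookies are exempt. Ids and URLs are constructed placeholders.
const OPT_IN_CATEGORIES = ["analytics", "marketing"];
const TAG_REGISTRY = [
  { id: "session",    category: "essential", src: null },
  { id: "analytics",  category: "analytics", src: "https://tags.example.invalid/analytics.js" },
  { id: "meta-pixel", category: "marketing", src: "https://tags.example.invalid/pixel.js" },
];

// Parse a stored choice such as "analytics=1;marketing=0". Unknown keys are
// ignored and anything missing or malformed stays "no", so a corrupted or
// tampered value can never widen consent.
function parseConsent(raw) {
  const consent = Object.fromEntries(OPT_IN_CATEGORIES.map((c) => [c, false]));
  for (const pair of String(raw || "").split(";")) {
    const [key, value] = pair.split("=").map((s) => s.trim());
    if (OPT_IN_CATEGORIES.includes(key)) consent[key] = value === "1";
  }
  return consent;
}

// Ids of registered tags that may load under this consent.
function allowedTags(consent, registry = TAG_REGISTRY) {
  return registry
    .filter((t) => t.category === "essential" || consent[t.category] === true)
    .map((t) => t.id);
}

// Audit helper: given the tag ids actually present on a page, report any that
// loaded without the consent they need (the non-compliant state the post warns of).
function unconsentedTags(loadedIds, consent, registry = TAG_REGISTRY) {
  const allowed = new Set(allowedTags(consent, registry));
  return loadedIds.filter((id) => !allowed.has(id));
}

// Inject the allowed tags. Outside a browser (e.g. Node) it only returns the
// decision, so the gating logic can be exercised without a DOM.
function applyConsent(consent, registry = TAG_REGISTRY) {
  const ids = allowedTags(consent, registry);
  if (typeof document === "undefined") return ids;
  for (const tag of registry) {
    if (!tag.src || !ids.includes(tag.id)) continue;
    if (document.querySelector(`script[data-tag="${tag.id}"]`)) continue; // load once
    const script = Object.assign(document.createElement("script"), { src: tag.src, async: true });
    script.dataset.tag = tag.id;
    document.head.appendChild(script);
  }
  return ids;
}
```

In a real banner, `applyConsent` runs once on page load with the stored choice and again when the visitor answers the banner; the tracker snippets themselves never appear inline in the HTML, so nothing fires before consent.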
You also have to have a Cookie policy
This can be included in your privacy policy, and it needs to include:
- A clear definition of what cookies are, e.g. “Cookies are small text files placed on your device when you visit a website. They help the site work properly, track usage, and remember preferences.”
- The types of cookies you use, e.g. Essential cookies (needed for the site to work — no consent needed), Analytics cookies (e.g. Google Analytics), Marketing/advertising cookies (e.g. Meta Pixel, email retargeting)
- A list of the third-party tools using cookies on your website.
- What each cookie does + how long it lasts
- How users can manage cookies, e.g. “You can manage or disable cookies in your browser settings or by adjusting your preferences using our cookie banner.”