Emeric Mathis

If you have a website for your business, you have legal obligations — even if you are a sole trader, even if your site is simple, and even if you have never thought about this before. The good news is that for most small business sites, compliance is not complicated. It mainly requires understanding what is required and then doing it.

This article explains the key legal obligations in plain language: legal notices, GDPR, cookies, and contact forms. It is not legal advice — for specific legal questions about your situation, consult a lawyer or the CNIL (France's data protection authority). But it is a practical starting point that will help most small business owners understand what they need and get it done.

In France, any website published in a professional capacity — including a baker's website, a plumber's site, or an independent consultant's portfolio — must display legal notices (mentions légales). This comes from the law on the digital economy (Loi pour la confiance dans l'économie numérique, or LCEN), which has been in force since 2004.

Legal notices are a dedicated page (usually linked in the footer) that identifies who is behind the website. The required information depends on whether you are an individual or a company.

For an individual (sole trader or micro-entrepreneur), you need:

  • Your full name (or the name you trade under)
  • Your address (your business or personal address — this is required by law)
  • Your phone number or email address
  • The name and contact details of your web host (hosting provider)
  • Your SIREN or SIRET number if you are registered (with the RCS or the Répertoire des métiers); if you practise a regulated profession, also the professional rules that apply and the professional body you are registered with
  • Your VAT number if applicable
  • The name of the editor responsible for content (usually you)

For a company (SARL, SAS, etc.), you also need:

  • The company's registered name and legal form
  • Registered capital
  • RCS number and place of registration
  • VAT number

These details must be easily accessible — not buried, not requiring login, not hidden in a 14-page document. A simple page linked from the footer labelled "Legal notices" is the standard approach.

Failure to publish the required legal notices is an offence under French law, potentially subject to a fine of up to €75,000 for an individual and €375,000 for a company. In practice, enforcement is not aggressive against small business sites — but the legal exposure is real, and the compliance effort is minimal. There is no good reason not to do it.

More practically, missing legal notices can undermine trust: a customer or partner who looks for them and cannot find them may wonder if your business is legitimate.

What is GDPR and does it apply to your small business site?

GDPR (General Data Protection Regulation) is the EU regulation that governs how personal data is collected, stored, and used. It applies to any organisation, including sole traders and micro-businesses, that processes personal data of people in the EU; there is no size threshold below which it stops applying.

For a typical small business website, this means: if you have a contact form, a newsletter signup, a booking system, analytics tracking, or cookies that identify individual visitors, GDPR applies to you.

The core principle of GDPR is simple: people have the right to know what data you collect about them, why you collect it, how long you keep it, and who you share it with. They also have the right to see that data, to have it corrected, and to ask you to delete it.

What you need to do

Have a privacy policy. This is a page (separate from your legal notices, though sometimes combined for small sites) that explains:

  • What personal data you collect (names, email addresses, phone numbers, IP addresses via analytics)
  • Why you collect it (to respond to enquiries, to send a newsletter, to analyse site traffic)
  • How long you keep it (for example, contact form submissions kept for 3 years)
  • Who you share it with (your email provider, your analytics service, your web host)
  • The legal basis for processing (responding to an enquiry is usually covered by "legitimate interest" or by the steps the person has asked you to take before entering a contract; marketing emails require "consent")
  • How someone can request access to or deletion of their data (typically by emailing you)

You do not need to write this in legal jargon. Plain, clear language is actually better — it is more likely to be read and understood.

Be honest about what you collect. If you use Google Analytics, say so. If contact form submissions are stored in a database, say so. If you send a monthly newsletter via Mailchimp, say so.

Do not collect more data than you need. A contact form that asks for name, email, and a message is fine. One that asks for date of birth, profession, and income is not proportionate for most small business sites.

Cookies are small files stored in a visitor's browser that keep a session open, remember preferences, or identify and track users. In France the consent rule comes from the ePrivacy Directive, transposed in Article 82 of the Loi Informatique et Libertés and enforced by the CNIL through its cookie guidelines; GDPR sets the standard that consent must meet (freely given, specific, informed and unambiguous). The rule covers any tracker written to or read from the visitor's device, not only cookies: localStorage entries, tracking pixels and fingerprinting techniques count too. Visitors must give informed consent before any non-essential tracker is stored or read.

Trackers that require consent:

  • Analytics cookies (Google Analytics, Matomo, etc.) — these track page views, time on site, traffic sources
  • Advertising cookies — used for retargeting and ad tracking
  • Social media tracking pixels (Facebook Pixel, LinkedIn Insight Tag, etc.)
  • Third-party embedded content that sets cookies (YouTube videos, Google Maps if it uses cookies)

Trackers that are exempt:

  • Cookies that are strictly necessary for the site to function: session cookies, shopping cart cookies, login cookies, and the cookie that only records the visitor's own consent choice
  • Audience measurement tools configured to the CNIL's exemption conditions (statistics for the site operator only, no cross-site tracking, no sharing of the data with third parties, limited tracker lifetime and retention). Matomo can be configured this way. Google Analytics is not among the configurations the CNIL has recognised as exempt, and a "cookieless" mode does not by itself make a tool exempt; if you rely on the exemption, check the CNIL's list of exempt tools and verify your own configuration

What you need to do in practice

If your site uses Google Analytics or any similar tool, you need a cookie banner that:

  • Appears on the first visit, before non-essential cookies are set
  • Clearly explains that cookies are used and for what purpose
  • Offers a genuine way to refuse that is as easy as accepting: a "Refuse" button at the same level as "Accept". A button that says "Accept" with only a small "X" to close does not count, and closing the banner or continuing to browse is not consent
  • Remembers the visitor's choice so the banner does not reappear on every page

The CNIL has been actively enforcing cookie consent rules. Large companies have received significant fines, and the guidance is clear that small business sites are not exempt.

A good cookie banner does not have to be annoying. A clear, simple prompt with honest language and genuine choices — "Accept analytics cookies" / "Decline" — satisfies the requirement without being intrusive.
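The four banner requirements above come down to one rule in code: nothing non-essential loads until the visitor has explicitly accepted, and that choice is remembered. The following is an added example, not code from the original page. The choice is stored as a timestamped record under a versioned key; anything missing, malformed or older than six months (the CNIL recommends asking again after roughly that long) brings the banner back; declining or closing the banner never loads analytics. The storage interface, the key name, the element ids and the analytics script path are assumptions; in a real site the store is localStorage or a first-party cookie, which is itself exempt because it only records the choice.

```javascript
// Added example of consent gating for non-essential scripts. Not from the original page.
// The store is a plain get/set object so the logic runs outside a browser; in a site,
// back it with localStorage or a first-party cookie (assumed).
const CONSENT_KEY = "cookie_consent_v1";              // assumed; bump when purposes change
const CONSENT_TTL_MS = 6 * 30 * 24 * 60 * 60 * 1000;  // assumed: ask again after ~6 months

// Read the stored choice. Missing, malformed, non-boolean or expired -> no choice yet (null).
function readConsent(store, now = Date.now()) {
  const raw = store.get(CONSENT_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (typeof rec !== "object" || rec === null) return null;
  if (rec.analytics !== true && rec.analytics !== false) return null;
  if (typeof rec.at !== "number" || now - rec.at > CONSENT_TTL_MS) return null;
  return rec;
}

// Record an explicit choice. Anything other than literal true is stored as a refusal.
function recordConsent(store, analytics, now = Date.now()) {
  const rec = { analytics: analytics === true, at: now };
  store.set(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// The banner is shown whenever there is no valid recorded choice.
function shouldShowBanner(store, now = Date.now()) {
  return readConsent(store, now) === null;
}

// Run the analytics loader only on a recorded "accept"; returns whether it ran.
// Closing the banner, scrolling, or an unrelated stored value never counts as consent.
function applyConsent(store, loadAnalytics, now = Date.now()) {
  const rec = readConsent(store, now);
  if (rec !== null && rec.analytics === true) {
    loadAnalytics();
    return true;
  }
  return false;
}

// In-memory store, used for tests and for server-side rendering.
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => { m.set(k, v); } };
}

// Browser store backed by localStorage (only usable when a window exists).
function localStorageStore() {
  return { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) };
}

// Wire the banner: two equally visible buttons, and the analytics <script> tag is only
// injected after "accept". Element ids and the script URL are assumptions.
function installBanner(store, analyticsSrc) {
  if (typeof document === "undefined") return; // not in a browser
  const loadAnalytics = () => {
    const s = document.createElement("script");
    s.src = analyticsSrc;
    s.async = true;
    document.head.appendChild(s);
  };
  const banner = document.getElementById("cookie-banner");
  if (!shouldShowBanner(store)) {
    applyConsent(store, loadAnalytics); // returning visitor: honour the stored choice silently
    if (banner) banner.hidden = true;
    return;
  }
  banner.hidden = false;
  document.getElementById("cookie-accept").addEventListener("click", () => {
    recordConsent(store, true);
    applyConsent(store, loadAnalytics);
    banner.hidden = true;
  });
  document.getElementById("cookie-decline").addEventListener("click", () => {
    recordConsent(store, false);
    banner.hidden = true;
  });
}

if (typeof window !== "undefined") {
  installBanner(localStorageStore(), "/js/analytics.js"); // assumed script path
}
```

The point of the strict parsing in readConsent is that a tampered, stale or half-written value falls back to "ask again" rather than to "accepted"; and because the analytics tag is only created inside applyConsent, there is no window in which it loads before the choice is read.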

Contact forms and GDPR

If you have a contact form on your site, you are collecting personal data (at minimum a name and email address). Under GDPR, you need to:

  1. Tell visitors what their data will be used for, ideally with a brief note next to the form, for example: "Your details will only be used to respond to your enquiry and will not be shared with third parties." Only say this if it is true: if a form service or email provider handles the submissions on your behalf, name it in your privacy policy.

  2. Add a checkbox (unchecked by default) if you want to add them to a newsletter or marketing list. You cannot pre-tick this.

  3. Have a privacy policy linked near the form.

  4. Secure the form data: serve the whole site over HTTPS (the padlock in the browser bar) so submissions are encrypted in transit, store submissions only where access is restricted (not in a world-readable file or an unprotected admin page), delete them at the end of the retention period stated in your privacy policy, and make sure any email or form provider you use has adequate security. This connects directly to the importance of securing your website.

  5. Be ready to respond if someone asks what data you hold about them or requests deletion. For most small business sites with simple contact forms, this means being able to search your email inbox and delete relevant messages.
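The five steps above are mostly about what the form collects and what happens to it afterwards, which is back-end logic rather than wording. The following is an added example of a minimal contact-form handler, not code from the original page: it keeps only the fields the form asked for (data minimisation), treats anything other than an explicitly ticked box as "no" for the newsletter, stamps each record with an expiry for the retention period, and provides the two operations a deletion or access request needs. Everything is in memory so it runs stand-alone; the field list, the three-year retention and the sample submissions are constructed assumptions to be aligned with your own privacy policy.

```javascript
// Added example of a contact-form back end applying the steps above. Not from the original page.
// In-memory and synchronous so it runs stand-alone; the retention period and allowed
// fields are assumptions that must match what your privacy policy states.
const ALLOWED_FIELDS = ["name", "email", "message", "newsletter"]; // only what the form asks for
const RETENTION_MS = 3 * 365 * 24 * 60 * 60 * 1000;               // assumed: 3 years
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;                    // cheap sanity check only

// Turn a raw form body into a stored record, discarding anything the form did not ask for.
function handleSubmission(body, now = Date.now()) {
  const droppedFields = Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
  const name = String(body.name ?? "").trim();
  const email = String(body.email ?? "").trim();
  const message = String(body.message ?? "").trim();
  if (!name || !message || !EMAIL_RE.test(email)) {
    return { ok: false, error: "name, a valid email address and a message are required" };
  }
  return {
    ok: true,
    record: {
      name,
      email,
      message,
      // Only the literal value an unchecked-by-default checkbox sends when ticked counts as
      // consent; a missing box or any other value is recorded as "no".
      newsletterOptIn: body.newsletter === "on",
      receivedAt: now,
      expiresAt: now + RETENTION_MS,
    },
    droppedFields, // worth logging during development; never stored
  };
}

// Retention: keep only records that have not reached their expiry.
function purgeExpired(records, now = Date.now()) {
  return records.filter((r) => r.expiresAt > now);
}

// Access request: everything held for this email address (case-insensitive).
function exportForSubject(records, email) {
  const key = email.trim().toLowerCase();
  return records.filter((r) => r.email.toLowerCase() === key);
}

// Erasure request: everything held for this email address is removed.
function deleteForSubject(records, email) {
  const key = email.trim().toLowerCase();
  return records.filter((r) => r.email.toLowerCase() !== key);
}

// Constructed sample submissions (not real data) run through the handler.
function demo() {
  const t0 = 1700000000000;
  const submissions = [
    { name: "A. Dupont", email: "a.dupont@example.com", message: "Quote for a site?", newsletter: "on" },
    { name: "B. Martin", email: "b.martin@example.com", message: "Opening hours?", profession: "baker" },
    { name: "", email: "not-an-email", message: "x" },
  ];
  const results = submissions.map((s) => handleSubmission(s, t0));
  let records = results.filter((r) => r.ok).map((r) => r.record);
  const optedIn = records.filter((r) => r.newsletterOptIn).length;
  const afterErasure = deleteForSubject(records, "a.dupont@example.com");
  const afterRetention = purgeExpired(records, t0 + RETENTION_MS);
  return { stored: records.length, rejected: results.filter((r) => !r.ok).length,
           optedIn, afterErasure: afterErasure.length, afterRetention: afterRetention.length };
}
```

The handler returns the dropped field names rather than silently swallowing them so that a form with stray fields is noticed in development; the stored record never contains them.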

The practical checklist for a small business website

Here is what most small business owners need to put in place:

  • Legal notices page with your name, address, phone or email, host details, and registration numbers
  • Privacy policy explaining what data you collect, why, how long you keep it, and how to request deletion
  • Cookie banner that appears before non-essential cookies are set, with a real "decline" option
  • Contact form note explaining what the data will be used for
  • Opt-in checkbox (unchecked) for any newsletter or marketing emails
  • HTTPS enabled on your entire site (most modern hosts provide this free via Let's Encrypt)
  • Link to legal notices and privacy policy in your footer, visible on every page

If you are using a website builder like Wix or Squarespace, some of these tools have built-in privacy and cookie features. Check that they are actually configured correctly — the default settings often do not meet GDPR requirements.

A word on "GDPR generators"

There are many free tools online that generate privacy policies and legal notices automatically. These can be a useful starting point, but read through the output carefully. Generic templates may include clauses that do not apply to your situation, or miss specifics that do. A policy that says you share data with "advertising partners" when you actually do not is misleading. Customise whatever you generate to reflect your actual situation.

Legal compliance and good web practice often overlap. A well-structured website with clear navigation, accessible forms, and honest cookie information is better for users and better for the law. A site that hides its legal notices or makes the cookie decline button invisible is both non-compliant and unfriendly. Investing in a professionally built site tends to address these things properly from the start.

Getting your site legally compliant

If you are not sure whether your current website meets these requirements, a quick audit is a good starting point. If you are building a new site, build these requirements in from the beginning — it is far easier than retrofitting them later.

I handle legal compliance as part of every website I build: proper legal notices, a privacy policy tailored to your actual data practices, a compliant cookie banner, and secure contact forms. If you want to check or update your existing site, or build a new one that is compliant from day one, visit my services page and get in touch.

Contact

Freelance web developer specializing in website creation, RGAA accessibility, SEO and performance.

I work fully remotely with clients everywhere in the world.

Contact me by email at emericmathis@gmail.com
