Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- 1. Start With the Basics: Your Legal Pages
- 2. Walk Through the Website Like a Customer
- 3. Compare What Your Policies Say to What Really Happens
- 4. Make Sure People Know Who They Are Dealing With
- 5. Review Refunds, Returns and Consumer Rights
- 6. Read Your Privacy Notice Properly
- 7. Check How Marketing Consent Works
- 8. Do Not Forget Cookies and Tracking
- 9. Consider Whether You Need Disclaimers
- What to Fix First
- Bottom Line
Your website is a bit like your business’s digital home. It might look polished, welcoming and well looked-after on the surface, but that does not always mean everything behind the walls is in order. Sometimes the issues are obvious. More often, they are the small cracks you only notice once something starts leaking.
That is often how legal gaps show up online. They do not always appear as glaring mistakes or big red flags. Sometimes they sit quietly in the background - in an outdated policy, a contact form, a cookie banner, a checkout flow, or a piece of wording that no longer matches what your business actually does. A quick review will not replace tailored legal advice, but it can help you spot early warning signs and work out whether your website may need a closer legal check.
1. Start With the Basics: Your Legal Pages
The first place to start is with the legal pages themselves. For most business websites, these are the essential fixtures. If they are missing, outdated, or copied from a generic template, that is often the first sign there may be wider legal gaps across the site.
The key documents will usually include a Privacy Notice or Privacy Policy, Website Terms and Conditions, a Returns or Refunds Policy where relevant, a cookie notice or consent banner if your site uses cookies or similar technologies, and any disclaimers that suit your business model. “Privacy Notice” is the more precise UK term, even though many businesses still label the page “Privacy Policy.”
Each of these plays a different role. Your privacy wording should explain what personal data you collect and what happens to it. Your terms set the ground rules for using the site or buying from you. A returns policy helps explain your process clearly. Disclaimers can also help set expectations, especially if your site includes guidance, commentary, tools, or educational material.
2. Walk Through the Website Like a Customer
Next, move through your website as if you were seeing it for the first time.
Look at your contact forms, checkout pages, account sign-up flows, newsletter forms, and anywhere else a visitor is asked to take action or hand over information. Try to see the experience from the outside, rather than as the person who already knows how everything works.
As you go, ask yourself: what is the customer being asked to do here, and what are they being told in return? If someone is entering their name, email address, phone number, payment details, or any other personal data, is it clear what is being collected, why it is being collected, and how it will be used? UK data protection law expects privacy information to be concise, transparent and easy to understand.
A common gap here is collecting personal data without properly explaining what is happening behind the scenes. Another is using a form for one purpose, such as an enquiry or a download, but then using the information more broadly than the person would reasonably expect.
3. Compare What Your Policies Say to What Really Happens
This is where many legal gaps like to hide.
It is not enough to have the right documents sitting in your website footer. Those documents also need to match what your website and business actually do in practice. If your policies say one thing but your operations say another, that mismatch can create risk.
For example, does your Privacy Notice mention the tools and platforms you actually use? Does your cookie banner reflect the cookies and trackers running on the site? Do your returns terms match what customers see at checkout? Do your Website Terms still reflect the service you offer today, rather than the version of the business you ran six months ago?
This kind of mismatch is one of the most common weak spots on a website. The issue is often not that there is no legal wording at all, but that the wording no longer matches reality. If you do spot that kind of disconnect, that is often the point where it is worth getting legal input.
4. Make Sure People Know Who They Are Dealing With
A credible business website should make it easy for visitors to identify the business behind it and know how to get in touch.
Depending on your structure, that may include your legal or trading name, contact details, and for companies, your registered name, company number, place of registration, and registered office address. UK company disclosure rules apply to certain business documents and websites, so this is more than just a branding point.
If a website feels vague, anonymous, or hard to contact, that can affect trust very quickly. It can also create avoidable legal and operational issues, especially if customers are trying to work out who they are dealing with or where to direct a problem. Visitors should not have to dig through your site to figure that out.
5. Review Refunds, Returns and Consumer Rights
Refund wording is one of the most common places where legal issues show up on small business websites.
Many businesses want to be clear and firm about refunds, which makes sense. But there is a difference between having a clear policy and using wording that goes too far. In the UK, website refund and returns wording needs to line up with both the Consumer Rights Act 2015 and, for many online sales, the Consumer Contracts Regulations, which can give consumers cancellation rights for distance purchases.
That means broad statements like “no refunds under any circumstances” can be risky if they suggest customers have fewer rights than they may actually have under the law. The same goes for terms that are unclear, one-sided, or inconsistent with what was promised during the buying journey.
This is a good area to review carefully, because refund wording often sounds harmless until it is tested in a real complaint or dispute. If your policy is especially strict, or your website sells goods, services and digital products in different ways, it may be worth asking a legal expert to review the wording.
6. Read Your Privacy Notice Properly
It is one thing to have a Privacy Notice. It is another for it to say something useful.
A strong Privacy Notice should explain what personal data you collect, why you collect it, who you share it with, and what rights people have. In many cases it should also cover your lawful basis for processing, retention periods, international transfers where relevant, and how people can contact you about their data. That is much closer to what the ICO expects to see in practice.
This is an area where generic wording often causes problems. A business may technically have a Privacy Notice in place, but if it is vague, overly broad, or clearly lifted from a template, it may not give users much real clarity at all.
A useful test is this: does your privacy wording sound like it belongs to your business specifically, or could it just as easily sit on the website of a completely different company?
If your business collects a lot of personal data, uses several software tools, or transfers data outside the UK, this is one area where tailored legal advice can be especially helpful.
7. Check How Marketing Consent Works
If someone enters their details on your website, what exactly are they agreeing to?
This is worth checking closely across newsletter sign-ups, downloadable resources, enquiry forms, free offers, and lead magnets. Sometimes the wording is clear. Sometimes it is not.
Are users actively opting in to marketing, or are you assuming consent? Are any boxes pre-ticked? Is it obvious how someone can unsubscribe later? Would a reasonable person understand that by filling in a form, they may also be joining a mailing list?
In the UK, electronic marketing rules sit under PECR alongside data protection law. Marketing emails and texts often require consent, although the exact rules can vary depending on the channel, the recipient, and whether a limited exception such as the soft opt-in applies. That is one reason this section is worth checking carefully rather than treating it as a box-ticking exercise.
One of the most common gaps here is bundled consent. Someone thinks they are simply making an enquiry or downloading a free guide, but they are also being signed up for ongoing marketing without that being properly made clear.
8. Do Not Forget Cookies and Tracking
For a UK audience, this deserves its own mention.
If your website uses analytics cookies, advertising cookies, pixels, session replay tools, or similar tracking technologies, your cookie banner and cookie information should reflect what is actually happening. Under PECR, non-essential cookies generally need consent before they are set, and users need clear information about what those tools do.
A common gap is a banner that says “by continuing to browse, you agree to cookies” while non-essential cookies are already firing before the user has made a real choice. Another is a banner that lets people accept cookies in one click, but makes rejecting them harder. In the UK, the compliance direction has been toward giving users a genuine choice rather than nudging them toward acceptance.
9. Consider Whether You Need Disclaimers
Depending on your business, disclaimers may also play an important role.
If your website includes advice, educational content, commentary, tools, calculators, or industry-specific information, a disclaimer can help set expectations and reduce confusion. It can clarify what your content is intended to do, what it is not intended to do, and where the limits of your responsibility sit.
The key is making sure the disclaimer actually suits the business. A gap here might be having no disclaimer where one would clearly help, or using wording that is so broad, aggressive, or generic that it does not feel connected to the real service you provide. If your website deals with regulated content, professional services, or anything that could be mistaken for tailored advice, it may be worth checking that your disclaimer is doing the right job.
What to Fix First
If you spot more than one issue, it helps to prioritise them rather than trying to fix everything at once.
A sensible place to start is with privacy, cookies and data-handling issues, then move to terms, returns and consumer-rights risks. After that, look at business identity and contact details, then marketing consent issues, and finally any secondary items like disclaimers.
That order helps you focus first on the areas most likely to affect compliance, customer trust and day-to-day business risk. It also reflects the fact that website issues are not just drafting issues - depending on the facts, they can overlap with misleading practices and consumer-protection rules.
Bottom Line
A legal gap on a website is not always a missing document. More often, it is a mismatch between what your website says, what your business does, and what the law expects.
Think of it as routine maintenance for your digital home. A quick review can help you spot the weak points early, clean up obvious risks, and stop small issues from quietly turning into bigger ones.
And if you notice anything that feels unclear, outdated, or out of step with how your business actually operates, it may be worth getting a legal expert to take a closer look. Sometimes the issue is only cosmetic. Sometimes it points to something that needs a more careful repair.
If you would like a consultation on legal gaps on your business website, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.