Making Sure Your Church Website Is GDPR Compliant

Is your church website UK GDPR compliant? A simple, website-focused guide for UK churches—no legal jargon required.


January 28th is Data Privacy Day! 

I know, right? How exciting! Well, try to contain your excitement and enthusiasm and take a deep breath... 

It's time to consider one of the most exciting acronyms of all... GDPR!

Does UK GDPR Apply to Church Websites?

Yep. 

Big or small, your church website needs to be GDPR compliant. 

This article will cover what we think are the five key areas of consideration to keep your website compliant. 

1. Website Forms

Our top tips for forms are:

  • Only ask for the information you actually need.
  • Explain what will happen to the data once it’s submitted.
  • Avoid collecting sensitive details unless it’s genuinely necessary.

It's worth noting that articles such as this one seem to indicate that people can distrust forms. So you may be better off removing a contact form and just showing a phone number and email address.

2. Privacy Policy

Every church website should have a privacy policy that is easy to find (usually linked in the footer). It should clearly explain:

  • What information the site collects
  • Why it is collected (for example, replying to enquiries or sending updates)
  • How the data is stored and who can access it
  • Whether third-party services are involved (such as email platforms or giving providers)
  • How people can ask to see or delete their data

It needs to be simple, readable and understandable. It should sound less like a legal document and more like a clear description of what people can expect from interacting with your site.

3. Cookies, the annoying kind rather than the tasty kind...

Many church websites use tools like Google Analytics, YouTube, or social media embeds. These often set cookies.

If your site uses cookies, you should:

  • Let visitors know that cookies are being used.
  • Ask for consent before setting them.
  • Give people a way to change or withdraw consent.

But let's face it... Cookie notifications are ugly and annoying! People are unlikely to read them fully, or they simply won't understand what is being stored or why. However... 

It is fully possible to get analytics, embedded YouTube videos and social media links on your site without giving your browser an unhealthy sugar high!

Which is why the websites we create don't have cookie notifications. 

4. Online Giving and External Services

Most churches rely on trusted third-party services for things like:

  • Online donations
  • Email newsletters
  • Event bookings

From a website perspective, the key points are:

  • Use reputable, GDPR-compliant providers
  • NEVER store payment details on your own website
  • Mention these services in your privacy policy

Even though another company processes the data, your church is still responsible for being transparent about it.

5. Photos, Videos, and Livestream Pages

Websites often host galleries, sermon recordings, or livestreams. To handle these well:

  • Be clear that services or events may be photographed or recorded
  • Get consent where individuals are clearly identifiable
  • Take extra care with children and vulnerable adults
  • Make it easy for someone to ask for content to be removed

It’s a good idea to include media information in your privacy policy and near livestream pages.

So what should I do right now?

  • Check your privacy policy and make sure it's up to date
  • Make sure your privacy policy makes sense: get a non-technical person to read it and see if they understand it
  • Do a cookie audit on your site using a tool like Cookiebot to see what cookies your site uses
  • Make sure that if you do use cookies, your site lets people know that

Final Thoughts

A GDPR-compliant church website doesn’t need to feel cold or corporate. Done well, it shows care, transparency, and respect for the people visiting your site.

By keeping your forms simple, your explanations clear, and your data handling sensible, your website can support your church’s mission while looking after people’s information properly.
