Global · Last reviewed April 2026

Sole traders and freelancers: which privacy laws apply to you?

GDPR, UK GDPR, CCPA, and PIPEDA obligations for self-employed individuals — with statutory citations and a practical compliance checklist.

PrivacyLawApplies.com Editorial Team
CAMS · AIGP (IAPP) · Reviewed April 2026
Important: being self-employed does not exempt you from privacy law

If you collect, store, or use personal data of clients, contacts, or website visitors — even in a spreadsheet — you may have obligations under GDPR, UK GDPR, CCPA, or other privacy laws.

Do privacy laws apply to sole traders?

Yes — with some important nuances. GDPR and UK GDPR apply to any "controller" that processes personal data — the law does not provide an exemption for sole traders or micro-businesses.

The key triggers that bring a freelancer within scope of privacy law include:

  1. You have a client database (name, email, address, invoice history = personal data)
  2. You have a website with contact forms, cookies, or analytics
  3. You send marketing emails to prospects
  4. You use cloud software (Gmail, Notion, Xero, HubSpot) that stores client data
  5. You have a mailing list

However, the purely personal/household exemption in Art. 2(2)(c) GDPR excludes processing "by a natural person in the course of a purely personal or household activity." If you run a professional service, this exemption does not apply.

GDPR Art. 2(2)(c) — household exemption
GDPR Art. 4(7) — definition of controller

GDPR and UK GDPR for freelancers

If you have clients in the EU/EEA or UK — even as a US-based or Australian-based freelancer — GDPR and/or UK GDPR apply to you. The regulation has extra-territorial scope: it applies based on where your clients are located, not where you are based.

Practical obligations for freelancers under GDPR and UK GDPR:

Publish a privacy notice on your website

Even a single page covering: who you are, what data you collect, the lawful basis, retention periods, and how to make a data subject request.

Art. 13 GDPR

Establish a lawful basis for client data

For client data collected in the course of delivering services, the lawful basis is typically performance of a contract.

Art. 6(1)(b) GDPR

Establish a lawful basis for marketing emails

For newsletters or marketing, use opt-in consent for new prospects. Legitimate interests may apply for existing clients.

Art. 6(1)(a) and (f) GDPR

Respond to access requests within one calendar month

If a client or contact requests access to their data, you must respond within one month. Keep a record of requests and your responses.

Art. 12(3) GDPR

Use a compliant email provider

If you use a US-based tool (Mailchimp, Klaviyo), you may need Standard Contractual Clauses or DPF certification to be in place for transfers to the US.

GDPR Art. 46

UK ICO registration

If based in the UK, you must pay the data protection fee (£40–£60 for micro-businesses) unless exempt. Exemptions include processing only for core business purposes or only data about your own staff or suppliers.

UK Data Protection (Charges and Information) Regulations 2018

CCPA for freelancers

The California Consumer Privacy Act applies to for-profit businesses that meet specific thresholds. CCPA applies if your business meets any one of the following:

  1. Revenue threshold: Annual gross revenue over $26.625 million
  2. Data volume threshold: Annually buy, sell, receive, or share for commercial purposes personal information of 100,000 or more consumers or households
  3. Revenue from data: Derive 50% or more of annual revenue from selling consumers' personal information

Most freelancers and sole traders will not meet these thresholds. However, if you have a California-based client list and your business crosses the threshold, CCPA applies.

Importantly, California breach law has no threshold. Cal. Civ. Code §1798.82 applies to any person or business that maintains personal information of California residents — there is no minimum revenue or data volume requirement.

Cal. Civ. Code §1798.140(d) — definition of business
Cal. Civ. Code §1798.82 — breach notification

PIPEDA for Canadian freelancers

PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private-sector organisations in Canada that collect, use, or disclose personal information in the course of commercial activities. There is no size threshold — PIPEDA applies regardless of revenue or the number of employees.

A sole trader or freelancer in Canada who maintains a client list, sends invoices, or uses a website contact form is likely subject to PIPEDA. This includes obligations to:

  • Obtain consent before collecting personal information
  • Limit collection to what is necessary for identified purposes
  • Allow individuals to access their personal information on request
  • Protect personal information with appropriate security safeguards

Quebec-based freelancers are subject to Quebec Law 25 instead of PIPEDA for intra-provincial activities. Quebec Law 25 is generally considered more stringent than PIPEDA and imposes additional requirements including mandatory privacy impact assessments for certain technology projects.

PIPEDA s.4(1)
PIPEDA s.26(2)(b)

Practical checklist for freelancers

Six steps to establish a basic privacy compliance framework as a sole trader or freelancer.

  1. Add a privacy notice to your website
    Even a simple one-page notice covering: who you are, what data you collect, why you collect it, and how to contact you for access requests.
    GDPR Art. 13
  2. Get a lawful basis for your email list
    If you send newsletters or marketing, use opt-in consent for new subscribers. For existing clients, legitimate interests may apply.
    GDPR Art. 6(1)(a)–(f)
  3. Check your cookie setup
    If your website uses Google Analytics or any tracking, you need a cookie consent banner for EU/UK visitors.
    ePrivacy Directive Art. 5(3)
  4. Review your cloud tools
    Gmail, Notion, Dropbox, Xero, and similar tools process client personal data on your behalf. Check their GDPR compliance and that they have appropriate Data Processing Agreements available.
    GDPR Art. 28
  5. Respond to access requests
    If a client asks to see their data or requests deletion, you must respond within one calendar month under GDPR. Keep a record of requests and responses.
    GDPR Art. 12(3)
  6. UK freelancers: register with the ICO
    If you're a UK sole trader processing personal data beyond your own household, you likely need to register and pay the ICO data protection fee (from £40/year). Check ico.org.uk/registration.
    UK Data Protection (Charges and Information) Regulations 2018

The household exemption — when does it apply?

The GDPR household exemption (Art. 2(2)(c)) excludes processing by natural persons for purely personal or household purposes. This does not apply to professional activities. The key test is whether the activity is commercial, professional, or directed at a broad group beyond personal contacts.

Household exemption: examples

  • Exempt: Storing personal contact details of personal friends for social purposes
  • NOT exempt: Maintaining a client database for your consultancy work
  • Exempt: Using a website contact form to run a personal blog with no commercial purpose
  • NOT exempt: Running a freelance web design business with a contact form

GDPR Art. 2(2)(c) — household exemption

Frequently asked questions

Does GDPR apply to one-person businesses?

Yes. GDPR applies to any "controller" — a natural or legal person that determines the purposes and means of processing personal data. A sole trader who processes clients' personal data is a controller under GDPR. The regulation contains no exemption based on business size or number of employees.

Do I need to register with the ICO as a freelancer?

If you are based in the UK and process personal data in the course of business, you likely need to register with the ICO and pay the data protection fee (from £40/year for micro-businesses). Certain exemptions apply — for example, if you only process data about your own staff and suppliers. Check the ICO self-assessment tool at ico.org.uk.

Do I need a privacy policy as a freelancer?

Yes, if you have a website that collects any personal data (including via contact forms, cookies, or analytics). Under GDPR Art. 13, you must provide a privacy notice at the point of data collection. This does not need to be a long document — a simple, clear notice covering data categories, purposes, lawful basis, and contact details is sufficient.

Does CCPA apply to freelancers?

Typically no, because most freelancers do not meet CCPA's business thresholds (over $26.625M revenue, or processing 100,000+ California consumer records, or 50% revenue from data sales). However, California's general data breach notification law (§1798.82) applies to any business that maintains personal information of California residents, with no size threshold.

What is the simplest way to comply with GDPR as a freelancer?

Three key steps: (1) add a short privacy notice to your website; (2) only collect and retain the personal data you actually need; (3) use compliant tools — email providers, cloud storage, and CRMs that offer GDPR-compliant data processing agreements. The ICO has a free small business guide at ico.org.uk/for-organisations/sme-web-hub/.
