There are data protection laws that govern how a website operator can collect and use personal information. For example, the law says that individuals must be fully and properly informed about what personal information you are collecting and how it will be used. Failure to comply with these laws can lead to large fines or worse.
There is no law that says a website operator has to have a privacy policy. However, a privacy policy is commonly used by website operators to help them comply with data protection laws by setting out how personal data might be collected, the purposes for which it will be used, where it will be stored and for how long.
The content of your privacy policy should therefore reflect:
the current legal requirements in relation to the use of personal information; and
how you intend to use any personal information collected (within the confines of the law, of course).
Information Commissioner’s Office
The regulator of data protection in England and Wales, the Information Commissioner’s Office (ICO), has given some guidance on privacy policies. In the past, the ICO has been quite critical of lengthy policies which do not adequately communicate how personal information is collected or how it is to be used.
The existence of a privacy policy alone does not satisfy every requirement of data protection law but, if well written, it is certainly a useful part of the website operator’s armoury.
Useful links to guidance offered by the ICO:
Personal information online code of practice: https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf
Privacy Notices code of practice: https://ico.org.uk/media/for-organisations/documents/1610/privacy_notices_cop.pdf
Privacy in mobile apps – Guidance for app developers: https://ico.org.uk/media/for-organisations/documents/1596/privacy-in-mobile-apps-dp-guidance.pdf