    1 in 6 UK SME Websites Had an Outdated Privacy Policy — Here's What That Could Mean for AI Trust Signals

    4 out of 24 UK SME websites (17%) had privacy or cookie policies with clearly outdated dates. The oldest was from April 2019. Outdated policies may act as a negative freshness signal for AI systems.

    Rank4AI Research, 12 March 2026

    Last updated: March 2026

    When AI systems crawl a business website, they may read more than just product descriptions and service pages. Policy pages — privacy policies, cookie notices, terms of service — are part of a site's trust infrastructure. A policy dated 2019 does not just raise compliance questions; it may also signal to automated systems that a website has not been actively maintained. In a spot-check of UK SME websites conducted in March 2026, roughly 1 in 6 had privacy or cookie policies carrying clearly outdated dates.


    TL;DR

    • 4 out of 24 UK SME websites checked (17%) had privacy or cookie policies with visibly outdated dates
    • The oldest policy found was dated April 2019 — approximately 7 years old at the time of checking
    • That 2019 policy predates key updates to GDPR enforcement guidance, cookie consent regulation, and the emergence of AI-powered search
    • Privacy policies sit at standard URL paths (/privacy, /privacy-policy) that AI crawlers routinely access
    • Outdated policies may act as a negative freshness signal — suggesting a site is not being actively maintained
    • GDPR compliance requirements have evolved since 2019; an old policy may no longer reflect current practice

    Why Privacy Policies Matter Beyond Compliance

    Privacy policies are a legal requirement under UK GDPR for any organisation collecting personal data. But their function on a website extends beyond compliance. They are one of the few pages that carry an explicit date, a stated contact address, a description of business practices, and a declaration of organisational responsibility.

    For AI systems building a picture of a business, this combination of structured, dateable content may carry weight as a trust and freshness signal. AI-powered search tools — including large language model search features, AI overviews, and business intelligence systems — increasingly attempt to assess whether a source is current, accurate, and maintained.

    A privacy policy dated several years ago may, in that context, function similarly to a certificate with an expired date or a "last updated" timestamp from a previous decade: it suggests the page — and potentially the wider site — has not been reviewed recently.

    This is not a proven causal mechanism. But it is a plausible one, and it operates on pages that are both publicly accessible and frequently crawled.


    What We Found

    Overall Finding

    In a spot-check of 24 UK SME websites carried out in March 2026, 4 sites (17%) had privacy or cookie policies with dates that were clearly outdated — either by virtue of predating significant regulatory changes, or by being more than one year old.

    | Finding | Count | Share |
    |---|---|---|
    | Sites with clearly outdated privacy/cookie policies | 4 | 17% |
    | Sites with policies dated 2019 or earlier | 1 | 4% |
    | Sites with policies dated 2024 (12+ months old) | 3 | 13% |

    Date Distribution of Outdated Policies Found

    | Policy date | Approximate age at time of check | Industry |
    |---|---|---|
    | April 2019 | ~7 years | Health and fitness |
    | July 2024 | ~8 months | Professional services (accountancy) |
    | July 2024 | ~8 months | Trades (plumbing) |
    | December 2024 | ~3 months | Professional services (accountancy) |

    Note: The July 2024 and December 2024 entries are included because their age, combined with the volume of regulatory and AI-search changes in that period, makes them potentially material. The April 2019 entry is the most notable by a significant margin.


    Anonymised Examples

    A Health and Fitness Business: April 2019

    The oldest policy found belonged to a personal trainer operating a small business website. The privacy policy was dated April 2019.

    April 2019 precedes:

    • The ICO's updated guidance on cookies and consent (2019–2020)
    • The UK's post-Brexit adaptation of GDPR into UK GDPR (2021)
    • Multiple ICO enforcement actions and revised compliance guidance (2021–2025)
    • The widespread emergence of AI-powered search and AI crawlers (2023 onwards)
    • Revised ICO guidance on data subject rights, legitimate interests, and retention periods (various, 2022–2025)

    A policy written in that environment may describe practices, third-party processors, or legal bases that have since changed. It may also omit references to technologies — including AI tools — that were not in common commercial use at the time.

    Whether or not the underlying data practices have been updated, a 7-year-old date on a public-facing policy page is a visible signal that the document itself has not been reviewed.

    Two Professional Services Businesses: July 2024

    Two separate businesses — one an accountancy firm, one a plumbing company — had privacy policies dated July 2024, making them approximately 8 months old at the time of checking.

    This is a shorter gap but still notable in sectors where client trust and compliance credibility are part of the service proposition. For an accountancy firm in particular, a privacy policy that predates recent ICO guidance updates may carry reputational considerations beyond the technical compliance question.

    A Second Accountancy Firm: December 2024

    A further accountancy firm had a policy dated December 2024 — approximately 3 months old. This is the least severe of the four findings, but it is included for completeness and because it represents an industry (financial and professional services) where data handling policies are a client-facing trust signal.


    What Businesses Can Consider

    Policy page maintenance is unlikely to be a primary SEO or AI-visibility lever. But it may be a marginal one, and it is also a straightforward compliance task. The following are worth considering:

    Review the date on your privacy policy. If it is more than 12 months old, check whether the content still accurately reflects your data practices, your third-party processors, and your stated legal bases for processing.

    Check the URL path your policy lives on. Standard paths (/privacy, /privacy-policy, /cookie-policy) are crawled routinely. If the page exists and carries an old date, that date is visible to automated systems.

    Consider whether your policy references current realities. A policy written before widespread use of analytics tools, marketing automation platforms, or AI-assisted business tools may not accurately describe what data you now collect or how you process it.

    Update the "last reviewed" or "last updated" date when you review — not just when you change. Many businesses update their practices without updating the document. If the policy has been reviewed and remains accurate, noting a review date maintains the freshness signal without requiring substantive rewrites.

    Seek professional advice on compliance. This article is observational. For formal guidance on UK GDPR compliance, consult a qualified data protection advisor or review current ICO guidance at ico.org.uk.


    Methodology

    This analysis is based on a manual spot-check of 24 UK SME websites selected from web search results across nine industries, conducted in March 2026. Industries included health and fitness, accountancy, trades, retail, hospitality, and professional services.

    For each site, the privacy policy and/or cookie policy page was located — typically via footer links or direct URL paths (/privacy, /privacy-policy, /cookie-policy). The visible "last updated" or policy date was recorded where present.

    Sites were not selected to produce a particular finding. Selection was based on search result prominence for generic local business terms. The sample is small and not statistically representative of the broader population of UK SME websites.

    Findings are observational. No causal claims are made about the effect of policy dates on search performance, AI visibility, or compliance outcomes.


    FAQ

    What counts as an "outdated" privacy policy?

    There is no single agreed definition. For the purposes of this article, a policy was considered clearly outdated if it was dated more than 12 months before the date of checking, or if its date predated significant regulatory changes (particularly post-Brexit UK GDPR implementation in 2021 or earlier ICO guidance updates). A 7-year-old policy is unambiguously outdated; a policy from July 2024 is more of a grey area, noted here in the context of sector expectations.

    Is having an old privacy policy illegal?

    Not automatically. UK GDPR requires that you have a privacy notice that is accurate and accessible — it does not specify how frequently it must be dated or updated. However, if your practices have changed and your policy no longer reflects them, that may constitute a compliance issue. The ICO's guidance is the authoritative source on this.

    Do AI systems actually read privacy policies?

    AI crawlers and large language model training pipelines typically crawl publicly accessible pages, including policy pages. Whether a specific AI system uses policy dates as a ranking or trust signal is not publicly documented in detail. The framing in this article is that it is plausible and worth considering — not that it has been proven.

    What should my privacy policy include in 2026?

    At minimum, a UK GDPR-compliant privacy notice should identify the data controller, explain what data is collected and why, state the legal basis for processing, describe data subject rights, and provide contact details for the data controller and the ICO. ICO guidance at ico.org.uk is the definitive reference for current requirements.

    How often should a privacy policy be reviewed?

    The ICO recommends reviewing your privacy notice whenever your data processing activities change. Many organisations also conduct an annual review as a matter of good practice, updating the "last reviewed" date even if no substantive changes are made. This creates a visible record that the document is being maintained.

    Does this apply to cookie policies as well?

    Yes. Cookie consent requirements under the Privacy and Electronic Communications Regulations (PECR) have evolved since 2019, and the ICO has published updated guidance on what constitutes valid consent. A cookie policy or cookie banner implementation that predates this guidance may not reflect current requirements.

    Is a stale privacy policy a signal to AI that a business is untrustworthy?

    "Untrustworthy" is too strong a word. A more measured framing is that an old policy date may contribute to a picture of a site that is not actively maintained. AI systems attempting to assess source quality may weigh multiple signals together. A stale policy date is unlikely to be determinative on its own, but it could be one of several marginal factors.

    What industries are most affected?

    This sample was too small to draw industry-level conclusions. Anecdotally, the findings in this check included health and fitness and accountancy — sectors where data handling is inherent to the client relationship. But policy staleness is a general SME issue, not an industry-specific one.


    Disclaimer: The findings in this article are observational and based on a small, non-representative sample of 24 UK SME websites. No causal relationship is claimed between privacy policy dates and any specific compliance, search, or AI-visibility outcome. This article is not legal advice. For guidance on UK GDPR compliance, consult a qualified data protection professional or the Information Commissioner's Office (ico.org.uk).


    Trust, Legal and Governance

    Rank4AI is a UK-based AI search agency operated by Rank4AI Ltd. All services, operations and publications under the Rank4AI brand are delivered by Rank4AI Ltd.

    Legal and Registration

    • Rank4AI Ltd registered in England and Wales. Company number 16584507.
    • Organisation DUNS number 233980021.
    • Registered supplier on UK Government procurement platforms including Contracts Finder.
    • Company registration details publicly available via Companies House and OpenCorporates.
    • Registered with the UK Information Commissioner's Office. ICO registration number ZC095410.

    Standards and Governance

    • Operates under UK data protection and consumer standards.
    • Aligns internal processes with UK GDPR principles.
    • Aligns internal processes with ISO 27001 information security principles.
    • Aligns internal processes with ISO 9001 quality management principles.
    • Working towards Cyber Essentials certification.

    Domain Continuity

    • Primary domain www.rank4ai.co.uk.
    • Previously operated at www.rank4ai.online.
    • Business ownership, entity and services remain unchanged following domain transition.

    Reviewed quarterly. Last reviewed 27 March 2026.