Privacy Policy Guide: What Your Website Legally Needs in 2026
Quick Answer
- Every website that collects personal data — including email addresses, cookies, or analytics — is legally required to have a privacy policy under GDPR, CCPA, and platform policies.
- A compliant policy covers 7 required sections: what data you collect, how you use it, third-party sharing, cookies, user rights, retention periods, and contact information.
- CCPA fines reach $7,500 per intentional violation. GDPR fines can hit 4% of global annual revenue or €20 million, whichever is higher.
- An AI generator produces a solid compliant baseline in under 60 seconds — then review it with an attorney if you handle sensitive data.
Why Every Website Legally Needs a Privacy Policy
If your site uses Google Analytics, a contact form, an email newsletter, or even basic server logs, you are collecting personal data. That triggers legal obligations in multiple jurisdictions — simultaneously.
Here is the enforcement landscape you are operating in:
- General Data Protection Regulation (GDPR): Applies to any business processing data of EU residents, regardless of where the business is located. Maximum fine: €20 million or 4% of global annual revenue. As of 2024, EU data protection authorities had issued over €4.5 billion in GDPR fines since enforcement began in 2018 (IAPP GDPR Enforcement Tracker, 2024).
- California Consumer Privacy Act (CCPA): Applies to for-profit businesses that meet revenue or data volume thresholds and serve California residents. Fines: $2,500 per unintentional violation, $7,500 per intentional violation. The California Privacy Protection Agency (CPPA) began active enforcement in 2023.
- Children's Online Privacy Protection Act (COPPA): U.S. federal law covering any site that knowingly collects data from children under 13. The Federal Trade Commission (FTC) can impose penalties up to $51,744 per violation per day (FTC, 2023).
- Platform requirements: Google AdSense, Apple App Store, and Google Play all require a publicly accessible privacy policy as a condition of use. Violating this gets your account or app removed.
According to a Pew Research Center survey (2023), 79% of U.S. adults are concerned about how companies use their data. A clear, honest privacy policy builds trust as well as compliance.
7 Required Sections in Every Privacy Policy
No single template works for every business, but every compliant privacy policy must address these seven areas. Missing any of them creates regulatory exposure.
1. What Data You Collect
List every category of personal data you collect: names, email addresses, IP addresses, device identifiers, cookies, location data, payment information, behavioral data (pages visited, time on site), and any sensitive categories (health, financial). Be specific — vague language like “we may collect certain information” does not satisfy GDPR or CCPA requirements.
2. How You Use the Data
Explain each purpose: fulfilling orders, sending newsletters, improving the product, personalizing content, fraud prevention, legal compliance. Under GDPR, you must identify a lawful basis for each purpose (consent, contract performance, legitimate interest, legal obligation, vital interests, or public task).
3. Third-Party Sharing
Disclose every third party that receives personal data: payment processors, email platforms, analytics tools, advertising networks, cloud hosting providers, customer support software. CCPA requires you to disclose whether you “sell” personal data — and the CCPA definition of “sell” is broader than most people expect, covering some data sharing arrangements that are not cash transactions.
4. Cookies and Tracking Technologies
Describe the types of cookies you use (essential, analytics, marketing), what they do, how long they persist, and how users can opt out or manage them. EU and UK law require prior consent for non-essential cookies. A cookie banner alone is not sufficient without an accessible policy explaining what each cookie does.
5. User Rights and How to Exercise Them
GDPR grants eight rights: access, rectification, erasure, restriction of processing, data portability, objection, rights related to automated decision-making, and the right to withdraw consent. CCPA grants rights to know, delete, opt out of sale, and non-discrimination. Your policy must state these rights and provide a clear method to exercise them (email address, web form, toll-free number for CCPA-covered businesses).
6. Data Retention
State how long you keep personal data and your criteria for determining retention periods. “We keep data as long as necessary” is not sufficient under GDPR. Specific timelines or clear criteria (e.g., “account data is deleted 90 days after account closure”) are required.
7. Contact Information
Provide a name (or role), email address, and mailing address for privacy inquiries. GDPR requires identifying a Data Controller and, for businesses with a European presence, a Data Protection Officer (DPO) if applicable. CCPA requires a toll-free phone number or web form for requests to know or delete.
GDPR vs CCPA: Key Differences
| Factor | GDPR (EU/UK) | CCPA (California) |
|---|---|---|
| Who it covers | Any business processing EU/UK resident data | For-profit businesses above revenue/data thresholds serving CA residents |
| Consent model | Opt-in required for most processing | Opt-out rights for data sales |
| Maximum fine | €20M or 4% of global revenue | $7,500 per intentional violation |
| User rights | 8 rights including portability | Right to know, delete, opt out, non-discrimination |
| Response deadline | 1 month (extendable to 3) | 45 days (extendable to 90) |
| Breach notification | 72 hours to supervisory authority | No fixed timeline (varies by state law) |
Most U.S.-based websites need to address both, since serving any EU visitor triggers GDPR obligations and California is the most populous U.S. state. Writing a policy that satisfies both simultaneously is straightforward with a good template.
Statistics That Underscore Why This Matters
- The EU issued 1,743 GDPR fines totaling over €4.5 billion between May 2018 and December 2024 (IAPP GDPR Enforcement Tracker, 2024).
- The largest single GDPR fine: €1.2 billion against Meta Platforms in May 2023 for transferring EU user data to the U.S. without adequate safeguards (Irish Data Protection Commission, 2023).
- The FTC brought $375 million in COPPA-related settlements in 2022 alone, including a $150 million action against YouTube (FTC, 2022).
- California's CPPA completed its first enforcement sweep in 2023, sending notices to businesses in the mobile app space for CCPA violations including inadequate opt-out mechanisms (CPPA, 2023).
- 83% of consumers want more control over their data and say companies should be more transparent (Pew Research Center, 2023).
How to Keep Your Privacy Policy Current
A privacy policy is not a set-it-and-forget-it document. Here is when you must update it:
- New data collection: You add a web form, chatbot, login system, or any new input that captures personal data.
- New third-party tools: You integrate a new analytics platform, CRM, ad network, or payment processor. Each one is a new data sharing relationship that must be disclosed.
- Change in data use: You start using existing data for a new purpose (e.g., using purchase history for targeted advertising when you previously only used it for order fulfillment).
- Regulatory changes: New state laws go into effect (Virginia's CDPA, Colorado's CPA, Texas TDPSA, etc.). The U.S. privacy law landscape is fragmented and growing.
- Annual review: At a minimum, review your policy once per year even if nothing major changed.
When you make material changes under GDPR, you must notify affected users and, if the legal basis changes, re-obtain consent. A version history or “last updated” date is required.
Where to Display Your Privacy Policy
Visibility matters. Regulators look at whether a policy is genuinely accessible, not just technically present. Display your privacy policy link in:
- The site footer on every page
- Sign-up, registration, and checkout flows (near the submit button)
- Any web form that collects personal data
- Your cookie consent banner (linked, not just mentioned)
- Your app store listing (Apple App Store, Google Play both require it)
- Your Google AdSense account settings (required for ad serving)
- Email opt-in confirmation messages
Generate a compliant privacy policy in under 60 seconds
Use our free AI Privacy Policy Generator.
Also useful: our guide on privacy policy requirements overview.
Frequently Asked Questions
Do I legally need a privacy policy for my website?
Yes, if you collect any personal data — including email addresses, cookies, or analytics — you are legally required to have a privacy policy under GDPR (EU), CCPA (California), COPPA (children's data), and the policies of Google AdSense, Apple App Store, and Google Play. Fines for non-compliance can reach $7,500 per violation under CCPA.
What are the required sections of a privacy policy?
Every compliant privacy policy needs 7 core sections: (1) what data you collect, (2) how you use it, (3) third-party sharing, (4) cookies and tracking, (5) user rights and opt-out, (6) data retention period, and (7) contact information. GDPR also requires a lawful basis for each processing activity.
What is the difference between GDPR and CCPA?
GDPR applies to any business that processes data of EU residents, regardless of where the business is located. CCPA applies to for-profit businesses in California or those serving California residents above certain revenue thresholds. GDPR requires opt-in consent for most data processing; CCPA requires opt-out rights for data sales. Both require transparency about what data you collect.
Can I use a free privacy policy generator?
Yes — a free generator creates a solid legal baseline covering the 7 required sections, cookie disclosures, and user rights language. However, for businesses handling sensitive health or financial data, or operating in heavily regulated industries, having an attorney review the output is advisable. The hakaru AI Privacy Policy Generator produces GDPR- and CCPA-aligned policies in under 60 seconds.
How often should I update my privacy policy?
Update your privacy policy whenever you add a new data collection method, integrate a new third-party service (analytics, advertising, payment), change how you use existing data, or when major regulations change. At minimum, review it annually. Under GDPR, you must notify users of material changes and re-obtain consent if the legal basis changes.
Where should I display my privacy policy?
Your privacy policy must be easily accessible. Place a link in the site footer, on any form that collects personal data, on your sign-up and checkout pages, and in your app store listing. Google requires a link in AdSense account settings. Apple requires the URL in your App Store Connect listing. Buried or hard-to-find policies can still result in regulatory action.