Why It Matters
A privacy policy is not just a legal formality: it's a mandatory transparency obligation under GDPR, CCPA, HIPAA, and virtually every data protection law. Having no privacy policy, or having an inaccurate one, is itself a violation. Regulators have fined companies for privacy policies that were too vague, too complicated, or simply wrong. It's also a trust signal for customers and a requirement for using many third-party services (Google Ads, Apple App Store, payment processors).
What to Include (GDPR Requirements)
GDPR Articles 13 and 14 require specific disclosures:
- Identity and contact details of the data controller
- DPO contact details (if applicable)
- Categories of personal data collected
- Purposes and legal basis for each type of processing
- Legitimate interests pursued (if relying on this legal basis)
- Recipients or categories of recipients of the data
- International transfers: whether data goes outside the EEA, and safeguards in place
- Retention periods: how long you keep each type of data
- Data subject rights: access, rectification, erasure, restriction, portability, objection
- Right to withdraw consent: how and when
- Right to lodge a complaint with a supervisory authority
- Automated decision-making: if you use profiling, explain the logic and consequences
- Source of data: if not collected directly from the individual
CCPA/CPRA Additions
If you serve California consumers, also include:
- Categories of personal information collected in the past 12 months
- Categories of information sold or shared and to whom
- "Do Not Sell or Share My Personal Information" link
- How consumers can exercise their rights
- Financial incentive programs (if any)
Common Mistakes
- Copy-pasting another company's policy without customizing
- Legal jargon: must be written in "clear and plain language" (GDPR Article 12)
- Not updating after changes to data practices
- Hidden or hard to find: must be easily accessible (one click from any page)
- Overly broad purposes: "to improve our services" is not specific enough
- Missing retention periods: GDPR requires you to state how long data is kept
- No versioning: keep dated versions showing when updates were made
Best Practices
- Layered approach: short summary at the top, detailed sections below
- Last updated date: visible and accurate
- Version history: maintain records of previous versions
- Accessible: available in all languages you serve, readable on mobile
- Linked from every page: typically in the footer
- Regular review: at least annually, and whenever processing changes
Key Regulation
- GDPR Articles 12-14: transparency and information obligations
- CCPA/CPRA §§ 1798.100, 1798.130: privacy policy requirements
- ePrivacy Directive: cookie and tracking disclosure requirements
- Children's privacy: COPPA (US) and GDPR Article 8 set additional requirements for children's data