What a Privacy Policy Actually Does
A privacy policy is a public document that explains how a website collects, uses, stores, and shares personal data. Every major data protection law - the GDPR, CCPA, LGPD, PIPEDA, POPIA, and UK GDPR - requires one. The terminology differs (the GDPR calls it a "privacy notice", California regulators refer to it as "notice at collection"), but the core obligation is the same: tell people what happens to their data before you start processing it.
Getting it wrong is expensive. The Irish DPC fined WhatsApp EUR 225 million in 2021 for failing to explain its data processing practices clearly enough. In 2025, TikTok received a EUR 530 million fine from the same authority, with EUR 45 million attributed specifically to transparency failures in its privacy notice. Vague or incomplete privacy policies trigger enforcement action.
Required Disclosures Under GDPR (Articles 13 and 14)
The GDPR sets the most detailed requirements. Articles 13 and 14 list specific elements that must be disclosed depending on whether data is collected directly from the individual or from another source. Article 12 requires this information to be concise, transparent, and easily accessible.
Under Article 13, the policy must include:
| Required Element | What to Include |
|---|---|
| Controller identity and contact details | Full legal name, address, and email of the entity responsible for data processing |
| DPO contact | Contact details for the Data Protection Officer, if one is appointed |
| Purposes and legal basis | Why data is processed and which of the six legal bases applies to each purpose |
| Legitimate interests | If relying on legitimate interest, the specific interests pursued |
| Recipients | Categories of third parties who receive personal data |
| International transfers | Whether data is transferred outside the EU/EEA, and which safeguards are in place |
| Retention periods | How long data is kept, or the criteria used to determine that period |
| Data subject rights | The right to access, rectify, erase, restrict, object, and port data |
| Right to withdraw consent | If processing is based on consent, how to withdraw it |
| Right to lodge a complaint | The right to complain to a supervisory authority |
| Automated decision-making | Whether profiling or automated decisions are made, and the logic involved |
Article 14 adds two requirements for data obtained from third-party sources: the categories of data collected and the source of origin.
What CCPA and CPRA Require in the US
California's privacy framework takes a different approach. Rather than listing legal bases, the CCPA (as amended by the CPRA) requires businesses to disclose specific categories of information. As of 2026, the California Privacy Protection Agency has finalised new regulations covering automated decision-making technology, cybersecurity audits, and risk assessments - all of which may need to be reflected in your privacy policy.
A CCPA-compliant privacy policy must list the categories of personal information collected in the preceding 12 months, explain the business purpose for each, and identify the categories of third parties with whom data is shared, sold, or disclosed. The CPRA treats cross-context behavioural advertising as a form of sharing, even if no money changes hands.
Businesses must also describe the consumer rights available under the law, provide instructions for submitting data requests, and include a link to the "Do Not Sell or Share My Personal Information" mechanism. Penalties for non-compliance now reach up to $7,988 per intentional violation.
Key Elements Every Privacy Policy Should Cover
Regardless of which laws apply to your site, certain topics belong in every privacy policy. Omit any of them and you risk both regulatory penalties and lost visitor trust.
Who You Are
State the full legal name of the data controller (or "business" under CCPA terminology), a physical or registered address, and a working email address. If you have appointed a Data Protection Officer, include their contact details separately.
What Data You Collect and How
List every category of personal data your site processes - information provided directly (names, emails, payment details) and data collected automatically through cookies, tracking pixels, and server logs. Name specific cookies (_ga, _fbp, PHPSESSID) or group them by function: necessary, functional, analytics, and marketing.
Why You Process It
Link each data category to a clear purpose. "Improving our services" is too vague. State, for example, that browsing data is used to measure page performance, that email addresses are used to send order confirmations and, as a separate purpose, marketing newsletters, and that payment data is used to process transactions.
Who Receives the Data
Identify the categories of third parties: payment processors, email service providers, advertising networks, hosting providers, analytics platforms. If you use Google Analytics or Facebook Pixel, name them. Under the GDPR, disclose whether data is transferred outside the EEA and what safeguards apply.
How Long You Keep It
State concrete retention periods where possible. "We retain order data for six years to comply with tax reporting obligations" is far better than "we keep data as long as necessary". The CPRA requires specific timeframes or a clear methodology - vague language does not satisfy the requirement.
User Rights and How to Exercise Them
For EU residents, list the rights to access, rectification, erasure, restriction, data portability, and objection. For California residents, cover the rights to know, delete, correct, and opt out of sale/sharing. Provide a practical mechanism - a dedicated email or DSAR form - for exercising these rights.
Cookies, Consent, and Your Privacy Policy
Cookies deserve their own section - or, better yet, a separate cookie policy linked from your privacy policy. Under Article 5(3) of the ePrivacy Directive, dropping any cookie that is not strictly necessary requires informed, prior consent. Your privacy policy should explain which cookies your site uses, what each category does, and how visitors can manage their preferences through your consent management platform.
The French CNIL has been particularly aggressive on this front. In 2025, it fined SHEIN EUR 150 million for placing advertising cookies before users could consent, and imposed a combined EUR 325 million penalty on Google for deceptive cookie consent mechanisms in Gmail. The lesson: your privacy policy's cookie disclosures must match what your site actually does.
Multi-Jurisdiction Compliance: One Policy or Many?
If your website serves visitors from multiple regions, you do not necessarily need separate privacy policies. A single, well-structured policy can satisfy the GDPR, UK GDPR, CCPA, LGPD, PIPEDA, and other frameworks simultaneously - provided it covers the strictest requirements from each.
One practical approach is a layered structure: a short summary at the top covering the essentials, followed by detailed sections for each jurisdiction. Some organisations add jurisdiction-specific tabs or expandable sections for California residents, EEA residents, and Brazilian data subjects.
| Requirement | GDPR | CCPA/CPRA | LGPD | PIPEDA |
|---|---|---|---|---|
| Legal basis for processing | Required | Not required | Required | Not required |
| Categories of data collected | Required | Required (12-month lookback) | Required | Required |
| Retention periods | Required | Required (specific timeframes) | Required | Required |
| Data subject rights | 8+ rights | 6+ rights | 9+ rights | Access and correction |
| Opt-out mechanism | Right to object | "Do Not Sell/Share" link | Right to revoke consent | Withdrawal of consent |
| DPO/representative contact | Required if DPO appointed | Not required | DPO (encarregado) required | Privacy officer recommended |
| International transfers | Required with safeguards | Not specifically required | Required with safeguards | Required (Principle 1) |
Common Mistakes That Attract Regulatory Attention
Regulators have made clear what they consider unacceptable. Avoid these pitfalls:
Using vague language. Phrases like "we may collect" or "we might share" introduce deliberate ambiguity. The EDPB flagged qualifiers such as "may", "might", and "often" as purposefully vague and inappropriate for privacy notices.
Copy-pasting a template without adapting it. A privacy policy must reflect actual data processing activities. If the policy claims no third-party sharing but the site loads Facebook Pixel, a cookie scan exposes the discrepancy immediately.
Hiding the policy. The ICO states that a privacy policy should be accessible via a direct link from every page. The GDPR requires that where personal data is collected online, the notice must appear on the same page where collection occurs.
Failing to update. The EDPB guidelines require controllers to communicate substantive changes - a new processing purpose, a change in controller identity - to data subjects directly, not just by quietly updating a web page.
How to Keep Your Privacy Policy Current
Run a cookie scan regularly to check whether the cookies and trackers on your site match what your policy describes. New plugins, analytics tools, or embedded content can introduce cookies you did not plan for. The scheduled scanning feature in a CMP can automate this process.
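The check described in the two passages above (a policy that claims no third-party sharing while the site loads Facebook Pixel, and a regular scan that compares observed cookies with the disclosed list) can be reduced to a reconciliation step. The script below is an added example, not Kukie.io's code or any CMP's export format. It assumes a scanner has already produced a list of observed cookies with a flag for whether each was set before consent, and that the policy's cookie table has been transcribed into declared entries (exact names or globs such as `_ga_*`). Both inputs here are constructed samples.

```python
"""Reconcile the cookies observed on a site against the cookies its policy declares.

Added example with constructed data. The input shapes (ObservedCookie, DeclaredCookie)
are assumptions; a real scanner or CMP export would be mapped onto them first.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Functional groupings used in the page's cookie section.
CATEGORIES = {"necessary", "functional", "analytics", "marketing"}


@dataclass(frozen=True)
class DeclaredCookie:
    """One row of the policy's cookie table. `pattern` is an exact name or a glob."""
    pattern: str
    category: str
    provider: str


@dataclass(frozen=True)
class ObservedCookie:
    """One cookie captured by a crawl, with whether it appeared before any consent was given."""
    name: str
    domain: str
    set_before_consent: bool


def validate_declarations(declared):
    """Reject policy rows that use a category the policy does not define."""
    bad = sorted({d.pattern for d in declared if d.category not in CATEGORIES})
    if bad:
        raise ValueError(f"unknown cookie category for: {bad}")


def find_declaration(cookie, declared):
    """Return the first declaration whose pattern matches the observed cookie name, else None."""
    for d in declared:
        if fnmatchcase(cookie.name, d.pattern):
            return d
    return None


def reconcile(observed, declared):
    """Compare observed cookies with declared ones.

    Returns sorted lists of cookie names / patterns:
      undeclared                 observed cookies the policy does not mention
      pre_consent_non_necessary  cookies set before consent that are not declared 'necessary'
      unobserved                 declared patterns that matched nothing (stale disclosures)
    """
    validate_declarations(declared)
    undeclared, pre_consent, matched_patterns = set(), set(), set()
    for c in observed:
        d = find_declaration(c, declared)
        if d is None:
            undeclared.add(c.name)
            if c.set_before_consent:
                pre_consent.add(c.name)  # undeclared, so it cannot be a disclosed necessary cookie
            continue
        matched_patterns.add(d.pattern)
        if c.set_before_consent and d.category != "necessary":
            pre_consent.add(c.name)
    unobserved = {d.pattern for d in declared} - matched_patterns
    return {
        "undeclared": sorted(undeclared),
        "pre_consent_non_necessary": sorted(pre_consent),
        "unobserved": sorted(unobserved),
    }


def policy_matches(observed, declared):
    """True only when policy and site agree in both directions and nothing non-necessary fires pre-consent."""
    return not any(reconcile(observed, declared).values())


# Constructed sample: the cookie table as written in the policy.
DECLARED = [
    DeclaredCookie("PHPSESSID", "necessary", "site"),
    DeclaredCookie("cookie_consent", "necessary", "consent platform"),
    DeclaredCookie("_ga", "analytics", "Google Analytics"),
    DeclaredCookie("_ga_*", "analytics", "Google Analytics"),
    DeclaredCookie("_gid", "analytics", "Google Analytics"),  # no longer set by the site
]

# Constructed sample: what a crawl of example.com observed.
OBSERVED = [
    ObservedCookie("PHPSESSID", "example.com", True),
    ObservedCookie("cookie_consent", "example.com", True),
    ObservedCookie("_ga", "example.com", False),
    ObservedCookie("_ga_ABC123", "example.com", True),   # analytics cookie fired before consent
    ObservedCookie("_fbp", "example.com", True),         # Facebook Pixel, absent from the policy
]

if __name__ == "__main__":
    for key, names in reconcile(OBSERVED, DECLARED).items():
        print(f"{key}: {names or 'none'}")
    print("policy matches site:", policy_matches(OBSERVED, DECLARED))
```

On the sample data the run reports `_fbp` as undeclared, `_fbp` and `_ga_ABC123` as set before consent without being necessary, and `_gid` as a disclosure the site no longer backs. The third list matters as much as the first: a policy that lists cookies the site stopped setting is also out of sync with actual practice, and a scheduled run of this comparison is what keeps the disclosure and the site aligned between manual reviews.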
Review the policy whenever you change data processors, add a new integration, or expand to a new market. Keep a version history at the bottom noting the date and scope of each change - it demonstrates good faith and simplifies regulatory enquiries.
Frequently Asked Questions
Is a privacy policy legally required for every website?
If your website collects any personal data - including through cookies, contact forms, analytics, or user accounts - a privacy policy is required under the GDPR, CCPA, LGPD, PIPEDA, and most other data protection laws. Even a simple blog running Google Analytics collects IP addresses, which counts as personal data under the GDPR.
What is the difference between a privacy policy and a cookie policy?
A privacy policy covers all personal data processing on your website, while a cookie policy focuses specifically on which cookies and tracking technologies your site uses, what they do, and how visitors can control them. Many websites combine both into a single document, though having a separate cookie policy can improve clarity.
How often should a website privacy policy be updated?
Review your privacy policy at least quarterly and update it whenever you add new data processing activities, change third-party providers, expand to new markets, or alter your data retention practices. The EDPB expects controllers to notify users of substantive changes directly rather than relying on visitors to check for updates.
Can one privacy policy cover both GDPR and CCPA requirements?
Yes. A single privacy policy can satisfy multiple frameworks by addressing the strictest requirements from each law. Use jurisdiction-specific sections (such as "For California Residents" or "For EEA Residents") to cover rights and obligations unique to each region.
What happens if my privacy policy does not match my actual data practices?
A mismatch between your stated policy and actual practices is a transparency violation under the GDPR and can constitute a deceptive business practice under the CCPA. Regulators can and do audit websites to check whether disclosed cookies and data flows match reality. Fines for transparency failures have reached hundreds of millions of euros.
Do small websites with low traffic need a privacy policy?
Yes. The GDPR applies regardless of website size or traffic volume. If you process the personal data of EU residents - even one visitor - the transparency obligations under Articles 13 and 14 apply. The CCPA has revenue and data-volume thresholds, but the GDPR does not.
Where should the privacy policy be placed on a website?
Make it accessible from every page, typically via a footer link labelled "Privacy Policy". If you collect data on a specific page (such as a sign-up form or checkout), link to the policy on that page as well. The GDPR requires the notice to be provided at the point of data collection.
Get Your Privacy Policy Right From the Start
If you are unsure which cookies and trackers your website sets, start with a scan. Kukie.io detects first-party and third-party cookies, categorises them automatically, and generates a cookie policy that stays in sync with what your site actually does - so your privacy disclosures stay accurate without manual audits.