How to Create a Privacy Policy for Your Website (2026)
If your website collects any user data — even just analytics tracking — you almost certainly need a privacy policy. And in 2026, with GDPR fines now routinely exceeding €10 million and CCPA enforcement ramping up, getting this right matters more than ever.
A privacy policy is a legally required document that explains what data you collect, how you use it, how you protect it, and what rights users have over it.
Table of Contents
- Why a Privacy Policy Is Legally Required
- Privacy Laws That Require It
- What Your Privacy Policy Must Include
- Step-by-Step: How to Write a Privacy Policy
- Special Requirements for Specific Situations
- Common Mistakes to Avoid
- Frequently Asked Questions
---
Why a Privacy Policy Is Legally Required
You almost certainly collect personal data. Even if you don't ask users to sign up or enter payment information, your website likely:
- Uses Google Analytics, Facebook Pixel, or other analytics tools (IP addresses are personal data under GDPR)
- Sets cookies
- Has a contact form that collects names and email addresses
- Processes payments (collecting card data, billing addresses)
- Uses remarketing pixels for advertising
Under multiple overlapping laws, collecting any of this data without a privacy policy violates the law. The "I didn't know" defense does not reduce penalties.
Platform requirements. Google requires apps in the Play Store to have privacy policies. Apple requires it for App Store apps. If you run Google Ads, Meta Ads, or similar ad networks, they require a privacy policy to remain eligible.
---
Privacy Laws That Require It
General Data Protection Regulation (GDPR)
- Applies to: Any website that processes personal data of people in the EU/EEA, regardless of where your business is located
- Key requirements: Lawful basis for processing, data subject rights (access, deletion, portability), breach notification within 72 hours
- Fines: Up to 4% of global annual turnover or €20 million, whichever is higher
- "Personal data" is broadly defined: Includes IP addresses, cookie identifiers, email addresses, location data, and any information that can identify a person
California Consumer Privacy Act (CCPA) / CPRA
- Applies to: For-profit businesses that collect California residents' personal data AND meet one of: >$25M annual revenue; buy/sell/receive/share 100,000+ consumers' personal information annually; derive 50%+ of revenue from selling personal information
- Key requirements: Disclose what data you collect, purpose of collection, disclosure to third parties; honor "Do Not Sell My Personal Information" requests; right to deletion
- Fines: $2,500 per violation (unintentional), $7,500 per violation (intentional)
Children's Online Privacy Protection Act (COPPA)
- Applies to: Any website that knowingly collects personal information from children under 13, or any general audience site that should reasonably know it collects children's data
- Requirements: Verifiable parental consent before collecting data from children; cannot condition participation on providing more info than necessary
- Fines: Up to $51,744 per violation
State Privacy Laws (2024-2026)
As of 2026, the following states have comprehensive consumer privacy laws:
- California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Florida (FDBR), Montana, Indiana, Iowa, Tennessee, Oregon, and others
- These laws generally follow GDPR's framework but with different thresholds and rights
---
What Your Privacy Policy Must Include
1. What Data You Collect
List every category of personal information you collect:
- Information you receive directly: Name, email, address, phone, payment card details
- Information collected automatically: IP address, browser type, device identifiers, cookies, page visit data
- Information from third parties: Social login data, advertising partner data, purchased lists
2. How You Collect It
Describe the collection methods:
- Forms (contact forms, signup forms, checkout)
- Cookies and tracking technologies
- Third-party services (analytics, advertising pixels, payment processors)
- Social login (Google, Facebook, Apple sign-in)
3. Why You Collect It (Purpose and Legal Basis)
Explain the purpose for each type of data. GDPR additionally requires you to state the lawful basis for processing:
- Consent: User explicitly agreed
- Contract: Necessary to fulfill a contract with the user
- Legitimate interests: Your business interests that don't override user rights
- Legal obligation: Required by law
4. How You Use the Data
Describe what you do with collected data:
- Provide and improve services
- Process payments
- Send marketing emails (if opted in)
- Run analytics
- Comply with legal obligations
5. Who You Share It With
List all third parties that receive user data:
- Analytics providers (Google Analytics, Mixpanel)
- Payment processors (Stripe, PayPal)
- Advertising platforms (Meta, Google)
- Cloud infrastructure (AWS, Google Cloud)
- Email providers (Mailchimp, SendGrid)
- CRM systems (HubSpot, Salesforce)
For GDPR, if you transfer data outside the EU/EEA, you must disclose the safeguards (Standard Contractual Clauses, adequacy decision).
6. Data Retention
How long do you keep personal data? You cannot keep data indefinitely without justification. Common retention periods:
- Transaction records: 7 years (tax requirements)
- Account data: Duration of account + reasonable period for disputes
- Marketing lists: Until user unsubscribes, then reasonable period
7. User Rights
Depending on applicable law, users may have the right to:
- Access: Request a copy of their data
- Correction: Fix inaccurate data
- Deletion: Request erasure ("right to be forgotten" under GDPR)
- Portability: Receive data in a machine-readable format
- Opt-out of sale: (CCPA)
- Object to processing: (GDPR)
Describe how users can exercise these rights and your response timeline (GDPR requires response within 1 month).
8. Cookies
If you use cookies, explain:
- Types of cookies used (essential, functional, analytics, marketing)
- What each cookie does and how long it persists
- How users can manage or opt out of cookies
9. Contact Information
Include how to contact you with privacy questions:
- Business name and address
- Contact email
- For GDPR: EU/UK representative or Data Protection Officer (if required)
10. Last Updated Date
Your privacy policy must include when it was last updated. Notify users of material changes.
---
Step-by-Step: How to Write a Privacy Policy
Step 1: Audit your data collection. Before writing anything, map every touchpoint where you collect personal data. Include third-party services you've integrated (even a single Google Analytics snippet counts).
Step 2: Identify applicable laws. Where are your users? If you have EU users, GDPR applies. If you're a for-profit with California users, check CCPA thresholds. If you might have users under 13, COPPA applies.
Step 3: Draft your disclosure for each data category. For each type of data: what you collect, how, why, how long you keep it, and who you share it with.
Step 4: Write in plain English. Privacy policies full of legal jargon give users the impression you're hiding something and are increasingly targeted by regulators as "deceptive." GDPR explicitly requires policies to be "concise, transparent, intelligible, and in an easily accessible form."
Step 5: Address user rights clearly. Don't bury the process for exercising rights. Include a dedicated section with clear instructions.
Step 6: Add your cookie section. If you use Google Analytics or Meta Pixel, your cookie use must be specifically disclosed. Consider a cookie consent banner for EU users.
Step 7: Post it prominently. Link to your privacy policy in:
- Your website footer
- Your signup/checkout forms ("By submitting, you agree to our Privacy Policy")
- Your cookie consent banner
- Your marketing emails
Step 8: Review annually. Privacy laws change. Data collection practices change. Your privacy policy should be reviewed at least once a year and updated when material changes occur.
---
Special Requirements for Specific Situations
E-commerce sites: PCI DSS compliance for payment card data handling; specific state laws about data breach notification timelines.
SaaS / B2B: In addition to your public privacy policy, your customer contracts typically include a Data Processing Agreement (DPA) — required for GDPR compliance when you process your customers' users' data.
Mobile apps: Apple and Google both require privacy policies and additional disclosures (app store privacy labels, nutrition labels). Apple's App Tracking Transparency (ATT) framework requires explicit permission for cross-app tracking on iOS.
Advertising / AdSense: Google AdSense and similar networks require your privacy policy to disclose the use of third-party advertising cookies and the use of interest-based advertising.
---
Common Mistakes to Avoid
Copying another site's privacy policy verbatim. This is both legally ineffective (their policy doesn't describe your data practices) and potentially plagiarism.
Writing a policy that doesn't match your actual practices. A privacy policy that says you don't sell data when you actually sell data to advertisers creates significant legal exposure.
Not linking to it prominently. A privacy policy buried in a sitemap doesn't satisfy notice requirements. It must be accessible from every page (typically in the footer) and linked from any form where personal data is collected.
Forgetting about third-party services. Your payment processor, analytics tool, and email marketing service all receive personal data. They must be disclosed.
Using old templates. A privacy policy written in 2019 likely doesn't address CCPA, CPRA, or the new state privacy laws that came into force in 2023-2024.
---
Frequently Asked Questions
Q: Do I need a privacy policy if I only use Google Analytics? A: Yes. Google Analytics collects IP addresses (which are personal data under GDPR) and uses cookies. This triggers disclosure obligations under GDPR and, for applicable US businesses, under CCPA. Google also contractually requires publishers using its services to have and maintain a privacy policy.
Q: What's the difference between a privacy policy and a cookie policy? A: A privacy policy broadly covers all personal data collection. A cookie policy specifically addresses cookies — what types you use, what they do, and how users can opt out. Under GDPR, cookie disclosures can be part of your privacy policy or a standalone document.
Q: How often do I need to update my privacy policy? A: Review it at least annually and whenever you make material changes to your data practices — such as adding a new analytics tool, starting to sell data, launching a new product, or when a relevant new law comes into effect.
Q: Do I need a privacy policy even if I don't collect emails? A: Almost certainly yes. If your website has any analytics tracking (including server logs, which record IP addresses), social sharing buttons, or embedded third-party content (YouTube videos, Google Maps), you're likely collecting personal data.
Q: Can I use a privacy policy generator instead of hiring a lawyer? A: For most small businesses without complex data practices, a quality privacy policy generator produces legally sufficient output. For companies handling sensitive data (health, finance, children's data), significant EU/UK user bases, or operating under HIPAA or PCI DSS, attorney review is recommended.