Free Website Privacy Policy


Create Your Free Website Privacy Policy

  1. Answer a few simple questions
  2. Email, download or print instantly
  3. Just takes 5 minutes


__________ Privacy Policy

Type of website: Ecommerce
Effective date: ________ day of ________________, ________

__________ (the "Site") is owned and operated by __________. __________ is the data controller and can be contacted at:

________________________________________
________________________________________
________________________________________

Purpose
The purpose of this privacy policy (this "Privacy Policy") is to inform users of our Site of the following:

  1. The personal data we will collect;
  2. Use of collected data;
  3. Who has access to the data collected;
  4. The rights of Site users; and
  5. The Site's cookie policy.

This Privacy Policy applies in addition to the terms and conditions of our Site.

GDPR
For users in the European Union, we adhere to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (the "GDPR"). For users in the United Kingdom, we adhere to the GDPR as enshrined in the Data Protection Act 2018.

Consent
By using our Site users agree that they consent to:

  1. The conditions set out in this Privacy Policy.

Legal Basis for Processing
We collect and process personal data about users in the EU only when we have a legal basis for doing so under Article 6 of the GDPR.

We rely on the following legal bases to collect and process the personal data of users in the EU:

Personal Data We Collect
We only collect data that helps us achieve the purpose set out in this Privacy Policy. We will not collect any additional data beyond the data listed below without notifying you first.

Data Collected Automatically
When you visit and use our Site, we may automatically collect and store the following information:

Data Collected in a Non-Automatic Way
We may also collect the following data when you perform certain functions on our Site:

This data may be collected using the following methods:

  1. _____________________________________________________________________________.

How We Use Personal Data
Data collected on our Site will only be used for the purposes specified in this Privacy Policy or indicated on the relevant pages of our Site. We will not use your data beyond what we disclose in this Privacy Policy.

The data we collect automatically is used for the following purposes:

  1. _____________________________________________________________________________.

The data we collect when the user performs certain functions may be used for the following purposes:

  1. _____________________________________________________________________________.

Who We Share Personal Data With
Employees
We may disclose user data to any member of our organization who reasonably needs access to user data to achieve the purposes set out in this Privacy Policy.

Other Disclosures
We will not sell or share your data with other third parties, except in the following cases:

  1. If the law requires it;
  2. If it is required for any legal proceeding;
  3. To prove or protect our legal rights; and
  4. To buyers or potential buyers of this company in the event that we seek to sell the company.

If you follow hyperlinks from our Site to another Site, please note that we are not responsible for and have no control over their privacy policies and practices.

How Long We Store Personal Data
User data will be stored until the purpose the data was collected for has been achieved.

You will be notified if your data is kept for longer than this period.

How We Protect Your Personal Data
    

While we take all reasonable precautions to ensure that user data is secure and that users are protected, there always remains the risk of harm. The Internet as a whole can be insecure at times and therefore we are unable to guarantee the security of user data beyond what is reasonably practical.

Your Rights as a User
Under the GDPR, you have the following rights:

  1. Right to be informed;
  2. Right of access;
  3. Right to rectification;
  4. Right to erasure;
  5. Right to restrict processing;
  6. Right to data portability; and
  7. Right to object.

Children
We do not knowingly collect or use personal data from children under 16 years of age. If we learn that we have collected personal data from a child under 16 years of age, the personal data will be deleted as soon as possible. If a child under 16 years of age has provided us with personal data, their parent or guardian may contact our data protection officer.

How to Access, Modify, Delete, or Challenge the Data Collected
If you would like to know if we have collected your personal data, how we have used your personal data, if we have disclosed your personal data and to whom we disclosed your personal data, if you would like your data to be deleted or modified in any way, or if you would like to exercise any of your other rights under the GDPR, please contact our data protection officer here:

__________
________________________________________
________________________________________
________________________________________

Do Not Track Notice
Do Not Track ("DNT") is a privacy preference that you can set in certain web browsers. We do not track the users of our Site over time and across third party websites and therefore do not respond to browser-initiated DNT signals.

Cookie Policy
A cookie is a small file, stored on a user's hard drive by a website. Its purpose is to collect data relating to the user's browsing habits. You can choose to be notified each time a cookie is transmitted. You can also choose to disable cookies entirely in your internet browser, but this may decrease the quality of your user experience.

We use the following types of cookies on our Site:

  1. Third-Party Cookies
    Third-party cookies are created by a website other than ours. We may use third-party cookies to achieve the following purposes:
    1. _____________________________________________________________________________.

Modifications
This Privacy Policy may be amended from time to time in order to maintain compliance with the law and to reflect any changes to our data collection process. When we amend this Privacy Policy we will update the "Effective Date" at the top of this Privacy Policy. We recommend that our users periodically review our Privacy Policy to ensure that they are notified of any updates. If necessary, we may notify users by email of changes to this Privacy Policy.

Complaints
If you have any complaints about how we process your personal data, please contact us through the contact methods listed in the Contact Information section so that we can, where possible, resolve the issue. If you feel we have not addressed your concern in a satisfactory manner you may contact a supervisory authority. You also have the right to directly make a complaint to a supervisory authority. You can lodge a complaint with a supervisory authority by contacting the _____________________________________________________________________________.

Contact Information
If you have any questions, concerns or complaints, you can contact our data protection officer, __________, at:

________________________________________
________________________________________
________________________________________

Last Updated August 07, 2025

What is a Website Privacy Policy?

A Website Privacy Policy is a statement for an organization or entity that outlines how their site collects and uses customer or client data. It establishes practices for collecting, using, disclosing, protecting, and managing personal information. Any website that collects user data needs to have a Privacy Policy.

You might ask users to accept the Privacy Policy before they use your site. Asking allows users to consent and agree to the site collecting their personal information.

A Privacy Policy also includes information about cookies. Cookies are data stored on users’ computers that help improve their browsing experience.

What should my Website Privacy Policy contain?

All Privacy Policies will differ, but most will contain a few standard sections. Here is some of the information that you should include in your policy:

  • What data your site collects from your users
  • When your site collects the data
  • How you use the data you collect
  • If your site uses cookies
  • Who else has access to the data collected, such as third-party advertisers or business partners
  • How your site protects user data from misuse
  • How your site upholds legal responsibilities regarding data use
  • If your site can sell user data to other enterprises
  • How users can hold your site responsible for the misuse of their data
  • How the user can opt out of data sharing and what impact that might have on their experience

What is personal user data?

Personal user data, sometimes called personally identifiable information (PII), is any information that identifies an individual.

For example, a user’s state and postal code don’t necessarily count as personal data because they identify a large group of people, not the individual. On the other hand, a full name and date of birth clearly identify an individual.

Laws vary in how they define personally identifiable information, so you should familiarize yourself with what applies to your site. Some of the personal user data that your site can collect includes:

  • Name, age, and date of birth
  • Physical, email, and IP addresses
  • Phone numbers
  • Marital status
  • Race, nationality, or ethnic origin
  • Credit information
  • Medical, education, or employment history
  • Travel history
  • Intentions to purchase goods or services

Your site can collect personal user data through cookies or when the user makes an action, such as signing up or registering for the website, making an online purchase, or filling out forms and surveys.

Is a Privacy Policy required by law?

There isn’t a single comprehensive law in the United States requiring you to create a Privacy Policy. Instead, multiple overlapping laws cover specific areas, industries, or user bases.

Some factors that can affect whether or not your site has to follow particular laws include:

  • Location of your organization
  • Location of your users
  • Age of your users
  • Annual gross revenue of the organization
  • Number of users
  • Percentage of users located in the state
  • Type of personal information you collect

Websites must follow laws in the areas where they have users. For example, if your site has users in EU countries, it must follow the General Data Protection Regulation.

Sites with users under 13

The Children’s Online Privacy Protection Rule (COPPA) protects the information of users below 13 years of age. If your site collects information from these users, you must mention this in your Privacy Policy. 

You must notify parents about how you collect and use children's information and obtain parental consent before collecting a child's personal information.

States with privacy laws

Many states have their own privacy regulations. These laws often give users more control of their data, letting them take a more active role in the data-gathering process. 

Because privacy laws are constantly changing and expanding, you should do your best to stay up to date on the rules and regulations affecting your site. Remember that most state laws apply to sites with users in the state.

California

The California Consumer Privacy Act (CCPA) was enacted in 2020 and amended by the California Privacy Rights Act (CPRA) in 2023. However, the scope of the act is limited. Your site has to follow the CCPA if it meets one or more of the following criteria:

  • Has annual gross revenues of over $25 million
  • Processes personal information of at least 50,000 California users
  • Derives 50% or more of its annual revenues from selling California residents' personal information

If your site doesn’t meet any of these criteria but has users in California, you must follow the guidelines of a different act: the California Online Privacy Protection Act (CalOPPA). This legislation is similar to the CCPA but less broad in its definitions and the rights afforded to users. 

Colorado

The Colorado Privacy Act applies to commercial organizations that target Colorado residents. Your site must comply with this act if it processes the personal information of at least 100,000 consumers annually or sells the personal information of 25,000 users or more annually.

Connecticut 

Organizations with users in Connecticut might have to follow the Connecticut Personal Data Privacy and Online Monitoring Act. This act applies to sites that meet one of the following two criteria:

  • Processes the personal information of at least 100,000 Connecticut residents annually, excluding information processed exclusively to complete a payment transaction
  • Processes the personal information of at least 25,000 Connecticut residents and derives more than 25% of its gross annual revenues from the sale of personal data annually

Delaware 

The Delaware Personal Data Privacy Act comes into effect in January 2025. The act applies to sites that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 35,000 Delaware residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 10,000 Delaware residents annually and derives more than 20% of its gross revenue from the sale of personal data 

Indiana

Indiana’s privacy act, the Indiana Consumer Data Protection Act, comes into effect in January 2026. It applies to organizations that do business or target users within the state and meet one of the following:

  • Processes personal information of at least 100,000 Indiana residents annually
  • Processes personal information of at least 25,000 Indiana residents annually and derives more than 50% of annual gross revenue from the sale of personal data

Iowa 

In January 2025, the Iowa Consumer Data Protection Act comes into effect. This act applies to organizations that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 100,000 Iowa residents annually
  • Processes personal data of at least 25,000 Iowa residents annually and derives over 50% of its gross annual revenue from the sale of personal data 

Kentucky

The Kentucky Consumer Data Protection Act comes into effect in January 2026. This act applies to organizations that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 100,000 Kentucky residents annually
  • Processes personal data of at least 25,000 Kentucky residents annually and derives over 50% of its gross annual revenue from the sale of personal data 

Maryland 

The Maryland Online Data Privacy Act applies to organizations that do business or target users within the state. Your site must comply with this act if it meets one of the following:

  • Processes personal information of at least 35,000 Maryland residents annually, excluding information processed exclusively to complete a payment transaction
  • Processes personal information of at least 10,000 Maryland residents annually and derives more than 20% of its gross annual revenue from the sale of personal data

The act comes into effect in October 2025.

Minnesota 

If your organization does business or targets users in Minnesota, you might have to comply with the Minnesota Consumer Data Privacy Act. The act comes into effect in July 2025 and applies to organizations that meet one of these two criteria:

  • Processes personal data of at least 100,000 Minnesota residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 25,000 Minnesota residents annually and derives more than 25% of its gross revenue from the sale of personal data 

Montana 

The Montana Consumer Data Privacy Act applies to organizations that do business or target users within the state and meet one of the following:

  • Processes the personal data of at least 50,000 Montana residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes the personal data of at least 25,000 Montana residents annually and derives more than 25% of its gross annual revenue from the sale of personal data

Nebraska 

The Nebraska Data Privacy Act will come into effect in January 2025. It applies to any organization that:

  • Conducts business within the state or offers products or services to Nebraska residents
  • Processes or engages in the sale of personal data 
  • Is not considered a small business under the federal Small Business Act or is a small business that sells sensitive personal information

New Hampshire 

New Hampshire’s privacy law, Senate Bill 225, will come into effect in January 2025. This law applies to organizations that do business or target users in the state and meet one of the following criteria:

  • Processes personal data of at least 35,000 New Hampshire residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 10,000 New Hampshire residents and derives more than 25% of its gross annual revenue from the sale of personal data annually

New Jersey 

New Jersey’s Senate Bill 332 will come into effect in January 2025. This act applies to organizations that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 100,000 New Jersey residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 25,000 New Jersey residents annually and derives revenue or a discount on goods from the sale of personal data

Oregon 

The Oregon Consumer Privacy Act came into effect in 2024. This act applies to organizations that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 100,000 Oregon residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 25,000 Oregon residents and derives more than 25% of its gross annual revenue from the sale of personal data annually

Rhode Island 

The Rhode Island Data Transparency and Privacy Protection Act applies to organizations that do business in or provide products or services to users within the state and meet one of the following criteria:

  • Processes personal data of at least 35,000 Rhode Island residents annually, excluding data processed exclusively to complete a payment transaction
  • Processes personal data of at least 10,000 Rhode Island residents and derives more than 20% of its gross annual revenue from the sale of personal data annually

The act comes into effect in January 2026.

Tennessee 

The Tennessee Information Protection Act comes into effect in July 2025. The act applies to organizations that:

  1. Do business within the state
  2. Target Tennessee residents
  3. Have an annual gross revenue of more than $25 million
  4. Meet one of the following criteria:
    • Processes the personal information of 25,000 or more Tennessee residents and derives more than 50% of its gross annual revenue from the sale of personal data annually
    • Processes personal data of at least 175,000 Tennessee residents annually

Texas

Texas passed its Data Privacy and Security Act in 2024. The act applies to any organization that:

  • Conducts business within the state or offers products or services used by Texas residents
  • Processes or engages in the sale of personal data 
  • Is not considered a small business under the federal Small Business Act or is a small business that sells sensitive personal information 

Utah 

The Utah Consumer Privacy Act of 2023 applies to any organization that:

  1. Does business or targets its products or services to users in Utah
  2. Has an annual revenue of $25,000,000 or more
  3. Meets one of the following criteria:
    • Processes the personal information of at least 100,000 Utah residents annually 
    • Processes the personal information of at least 25,000 Utah residents annually and derives more than 50% of its gross annual revenue from the sale of personal data

Virginia 

If your organization does business or targets users in Virginia, you might have to comply with the Virginia Consumer Data Protection Act. This act applies to organizations that do business or target users within the state and meet one of the following criteria:

  • Processes personal data of at least 100,000 Virginia residents annually
  • Processes personal data of at least 25,000 Virginia residents annually and derives over 50% of its gross annual revenue from the sale of personal data 

International laws

Many countries have legislation for web privacy. 

Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to commercial organizations that process Canadians' personal information.

The act builds upon ten fair information principles. These principles establish how personal information can be collected, used, and disclosed within the private sector. They also give individuals control over how their personal information is used.

European Union

If your site collects data from users within the EU, you must comply with the General Data Protection Regulation (GDPR). This legislation is deemed the world's toughest privacy and security law, levying harsh fines against those who violate its standards.

The act outlines seven principles as foundations for its requirements:

  1. Lawfulness, fairness, and transparency: The processing of personal data must be lawful, fair, and transparent.
  2. Limitation of purpose: The purpose of the data collection must be specified, explicit, and legitimate.
  3. Data minimization: Personal data collection must be adequate, relevant, and limited to what is necessary for the purpose for which the data is collected and processed.
  4. Accuracy of data: Personal data must be accurate and kept up to date.
  5. Storage limitations: Personal data must be kept no longer than is necessary.
  6. Data integrity and confidentiality: Personal data must be processed in a secure manner.
  7. Accountability: Organisations must take accountability for complying with these principles.

The GDPR also enshrines eight rights for individuals. These rights allow users more control over their own data, including the right to be forgotten and the right to object.

Note that if you’re a non-EU-based business targeting EU citizens' data, you may be required to appoint a representative in the EU.

When you create a Privacy Policy to comply with the GDPR, you have to ensure that it’s:

  • Written in plain language that avoids jargon
  • Concise
  • Transparent
  • Easily accessible
  • Free of charge

United Kingdom

You must comply with the United Kingdom Data Protection Act (DPA) if your site processes users' personal information in England, Scotland, Wales, or Northern Ireland.

The DPA is based on the EU’s GDPR and enshrines the same seven data protection principles and eight rights for individuals. In most cases, if your site complies with one, it will also comply with the other.

Are Privacy Policies legally binding?

Privacy Policies are legally binding if a user agrees or consents to them.

In many cases, by using your site and giving you their data, the user consents to you storing and using it. This consent creates a binding agreement between you and the user. 

Likewise, you must follow your site’s Privacy Policy because it is a binding agreement. Not doing so can count as deceptive practices.

How do I create a Privacy Policy for my website?

LawDepot’s simple and accessible questionnaire makes creating a unique policy for your site easy. Your custom Privacy Policy should include the following information:

1. Site information 

Different types of sites will have to meet different requirements. State what kind of site you’re creating a policy for. You can use our template for:

  • Blogs
  • E-commerce or online shops (including Shopify)
  • Wix or Squarespace sites
  • News or media sites
  • Portfolios
  • Other websites

Users often look to a Privacy Policy to learn more about the site. In addition to the domain name and the full name of the website owner, the policy must also include contact information, such as a phone number, email address, and physical address. The website owner can be an individual or a business.

2. Scope of business

This section of the policy will describe where you have users and which regional regulations your site has to follow.

General Data Protection Regulation (GDPR)

Suppose your site monitors the online behavior of UK or EU users or offers them products or services. In that case, you must comply with the United Kingdom Data Protection Act (DPA) or the General Data Protection Regulation (GDPR).

California Business

Suppose your site is a for-profit business that collects the personal information of California consumers and meets the criteria set out by the California Consumer Privacy Act (CCPA). In that case, you’ll have to clarify what personal information your site collects and where the information comes from.

The CCPA requires you to add specific sections if you have disclosed or sold personal information in the last 12 months. This portion should include:

  • Which third parties the information was sold or disclosed to 
  • What categories of personal information were disclosed or sold
  • The purpose for disclosing or selling the information 

If your site processes or sells children's personal information, you must describe how you obtain consent from parents or guardians. You should also mention whether you sell or disclose de-identified protected patient health information protected by the Health Insurance Portability and Accountability Act.
 
Lastly, you must provide a section to let your users know where to go for certain user requests. California users have the right to:

  • Opt out of the sale of their personal information
  • Request access to their personal information
  • Request deletion of their personal information

To remain compliant with the CCPA and CPRA, your website must have pages where users can exercise their opt-out rights.

You must title the page "Do Not Sell or Share My Personal Information" and include a link on your homepage. The page must let the user opt out of the sale or sharing of their personal information through, for example, an online form for submitting opt-out requests.

If you sell or disclose sensitive personal information you must also have a page titled “Limit the Use of My Sensitive Personal Information” and include a link on your homepage. The page must let the user opt out of the use or disclosure of their personal information.

These pages may be combined into one as long as it is clear that the page allows users to exercise all three rights.

3. Details on data

The main portion of your Privacy Policy will be about the data you collect and process. These sections cover how you collect the information, who can access it, and what you do with it.

Lawful basis for data processing

The GDPR demands that your site have legal justification for processing personal data in the EU. In short, you need to explain why your site can legally access users’ data.

The lawful basis can be one or more of the following reasons:

  • Consent from users
  • Processing is necessary to pursue your legitimate interests, and a user's interests or fundamental rights do not override your legitimate interests
  • Processing is necessary to fulfill a contract
  • You have a legal obligation to process user personal data
  • A life depends on you processing users' personal data
  • Processing is necessary to carry out a task that is in the public interest

Automatic data collection

If your site automatically collects data when users access it, you must clarify what data this includes. This can include information like IP addresses, location, and content viewed. You also need to explain how you use this data.

Non-automatic data collection

Some websites will collect data when users perform certain functions, like filling out a form, signing up for a newsletter, or paying for a product. Your Privacy Policy must mention what types of data are collected non-automatically. You will also need to explain how you collect and use the information.

Third-party disclosure

Many sites share personal user information with third-party organizations. This includes, among other things, sharing data with Google Ads or Amazon for targeted advertising.

If third parties can collect, process, or access the user data your site collects, you need to include this in your Privacy Policy. You must mention who the third parties are, what data they have access to, and why they have this access.

Automated decision making

Automated decision-making means any decision made without human involvement. Often, sites that make automated decisions rely on user profiling. Examples of these decisions are exams or tests with pre-programmed algorithms and criteria, loan approval, and automated trading.

You must disclose if your site relies solely on automated decision-making to make decisions about users that can significantly affect them. You must also list what decisions your site uses automated decision-making for, the criteria, and how the decisions will affect users.

Online tracking

Websites often track users’ online activities over time and across third-party websites, which can be helpful for user profiling and targeted ads. Any site that tracks user activity must mention this in its Privacy Policy. 

Some web browsers have a “Do Not Track” setting that, when enabled, can stop sites from tracking user behavior. While your site isn’t legally prohibited from tracking users who have this setting enabled, you must be transparent about your practices. Your Privacy Policy must inform users whether your site listens to the “Do Not Track” setting.

Opt-out option

Users of your site have legally protected rights, and one of these is the right to opt out of data collection for direct marketing purposes. For example, if you send newsletters or marketing emails to users, you need to provide an unsubscribe button. 

Your Privacy Policy needs to list what collection, use, or disclosure users can opt out of and how they can do so. 

Data retention and security 

You must inform your users how long your site retains their data. You can keep it until its purpose has been met or specify a retention period. You also need to describe the security measures you take to protect user data.

International data transfers

In cases of international data transfer, where your site sends personal user data to another country, you must inform users where their data travels.

If you transfer the personal data of EU citizens outside the EU, you must ensure an equivalent level of data protection in the recipient country. If the recipient country doesn’t have an EU adequacy agreement, you might have to implement additional safeguards.

4. Data protection officer and privacy officer

A data protection officer (DPO) ensures that your organization processes personal data in compliance with data protection rules.

The GDPR requires that you appoint a DPO if your organization is one or more of the following:

  • A public body or authority
  • Regularly and systematically monitoring EU individuals' personal data on a large scale
  • Involved in large-scale processing of personal data related to criminal convictions and offenses, ethnic origin, political opinions, religious beliefs, or health data

If your organization doesn’t meet the above requirements, you can still voluntarily appoint a DPO. Note that the GDPR sets out very specific requirements for this role that you and your organization must follow.

Organizations without a DPO should appoint a privacy officer (PO). Your organization’s PO will be responsible for most privacy-related matters, including creating privacy policies, performing privacy assessments, and responding to personal data breaches.

Your Privacy Policy must contain the contact information for your DPO or PO.

5. Complaints

Most EU countries have supervisory bodies where users can lodge complaints if a site isn't complying with the GDPR. Your Privacy Policy must list the supervisory bodies of the countries where you have users.

6. Child users and collection of data

Specific rules apply for collecting and processing children's personal information. Depending on where your users are located, you will need to follow different guidelines. 

GDPR

The GDPR demands that you get parental consent before collecting information from children under 16. You can collect this consent by, for example, adding a consent form to your site.

If your site contains content aimed at children, the GDPR also requires you to make your Privacy Policy accessible and understandable for them. 

COPPA

In the United States, websites that collect personal information from or contain content aimed at children under 13 must follow the Children’s Online Privacy Protection Act (COPPA).

In these cases, your Privacy Policy must contain the following information:

  • What personal information you collect from children
  • How you collect personal information from children
  • If children can make their personal information publicly available on your site
  • How you use children’s personal information 
  • Whether you disclose children’s personal information to third parties, which third parties you disclose the information to, and how the third party uses that information
  • Whether any third parties collect children’s personal information from your website

Parents or guardians might have questions about your privacy policy and your use of children’s information. Your Privacy Policy must list contact information for where guardians can turn to get the necessary answers.

In cases where sites collect information from children under 13, guardians have rights over their children’s data. Your Privacy Policy should list how guardians can exercise their rights, for example, by contacting your site via email to request access to or deletion of the information.

Cookies are small pieces of data stored on user computers. These bits of data help websites remember information about users, which can improve user experience.

You can include a cookie policy that lists what types of cookies your sites use. There are three different types of cookies:

  • Functional cookies remember user preferences and settings. They help enhance the performance of websites.
  • Analytical cookies, also called performance cookies, track site visitors and user behaviors. They help monitor site performance.
  • Targeting cookies build user profiles and targeted ads. They are shared with advertisers so that ad performance can be monitored.

Your site can also use third-party cookies for targeted advertising and web tracking. If you use any third-party cookies, you should mention what they’re used for.

8. Additional details 

The last sections of your Privacy Policy should include any other information you want to add about how your website manages users’ personal information. You can also choose to set an effective date.

What’s the difference between Terms and Conditions and Privacy Policies?


Terms and Conditions and Privacy Policies are both essential documents covering different aspects of security for your website and users. 

Privacy Policies are often legally required to protect users. On the other hand, Website Terms and Conditions help protect your site by setting rules and conditions for its use. While not required, creating Terms and Conditions for your website is a legally smart choice.

With a properly written set of Terms and Conditions, you can outline prohibited behaviors, establish the website’s conditions, and describe any guarantees, return policies, limits on your site's liability, and dispute resolution processes.

Use LawDepot’s Terms and Conditions template to ensure you’re covering all your bases when it comes to protecting yourself, limiting your site’s liability, and communicating rules and responsibilities to users.


Do I need a lawyer to create my Website Privacy Policy?


No, you don’t need a lawyer to create your Privacy Policy. However, consulting a lawyer can help ensure your document meets your organization’s needs and follows the appropriate laws. 

How often should I update my Privacy Policy?


Web privacy is a constantly changing and evolving field. Between changes to legislation and new technologies, your Privacy Policy will need regular and recurring revisions.

Best practice suggests reviewing and updating your Privacy Policy annually. However, if your website is experiencing certain changes, you don’t have to wait. By being proactive and keeping your policy up to date, you can minimize risks and protect yourself and your users.

Notable changes that may require you to update your policy include:

  • Implementing a new method of gathering data
  • Altering how your company uses data
  • Sharing data with new third parties
  • New laws regulating personal data coming into effect
  • A breach or security threat occurring

Remember to notify your users when you update your Privacy Policy so they can be aware of the changes. In some cases, legislation requires you to inform users before the changes come into effect. 

Pricing

Free 7-Day Trial Subscription: Unlimited access to all documents for one week. After one week, renews at $49 per month. Cancel any time.

1-Year Pro Subscription: $155.88 for one year of unlimited access to all documents. Renews annually. Cancel any time.

Single Document License: Buy a single document for a one-time charge of $7.50 – $119, depending on the document.

Essentials Access: Get unlimited access to a category of documents. After one free week, pay monthly. Or, buy unlimited access for one year that renews annually. Cancel any time.

  • Real estate documents: $35/month or $107.88/year
  • Estate planning documents: $35/month or $107.88/year
  • Business documents: $45/month or $131.88/year
