How to Write a Privacy Policy for Your Website

Every website that collects personal data - even just an email address from a contact form - is legally required to have a privacy policy in most countries. A privacy policy explains what data you collect, why you collect it, how you store it, who you share it with, and what rights your visitors have. Getting this right protects your visitors and protects your business.

Do I legally need a privacy policy?

Yes - in most cases. The GDPR applies to businesses established in the EU and to businesses anywhere else that offer goods or services to people in the EU or monitor their behaviour (analytics and advertising cookies count as monitoring). If it applies and you collect any personal data, you must give visitors the information listed in Articles 13 and 14, which in practice means a privacy policy. Under the California Consumer Privacy Act (CCPA), covered businesses must disclose their data practices to California residents. Australia, Canada, Brazil, and most other countries have privacy laws that impose similar obligations. Even if none of these laws technically applies to you, most advertising networks, app stores, and payment processors require a privacy policy as a condition of using their service.

A contact form that collects a name and email address is personal data, and that alone is enough to trigger the GDPR's transparency requirements for EU visitors. 'I am a small business' is not an exemption: the GDPR has no size threshold for the duty to tell people how you use their data.

What must a privacy policy include?

A complete privacy policy should address all of the following points. You do not need dense legal language - the GDPR itself requires the information to be given in clear and plain language, and regulators prefer it.

  • Who you are - your business name, contact email, and website URL.
  • What personal data you collect - name, email address, phone number, payment details, IP address, cookies, location data, and any other data you collect.
  • Why you collect it - the specific purposes: responding to enquiries, processing payments, sending newsletters, website analytics.
  • How you collect it - directly from users (forms, registrations) or automatically (cookies, analytics scripts).
  • Who you share it with - payment processors, email marketing platforms, analytics providers, hosting services.
  • How long you keep it - your data retention policy.
  • How you protect it - the security measures you use (HTTPS, access controls, encryption at rest, etc.), described at a general level rather than as a list of specific products and versions.
  • User rights - the right to access, correct, delete, or export their data (required under GDPR).
  • How to contact you with data requests.
  • How and when you will update the policy.

GDPR requirements for privacy policies

The General Data Protection Regulation (GDPR) applies to businesses established in the EU and to businesses elsewhere that offer goods or services to people in the EU or monitor their behaviour, regardless of where the business itself is based; the UK GDPR imposes the same rules for people in the UK. A GDPR-compliant privacy policy must state the legal basis for each purpose you process data for (Article 6 lists six; the ones most websites rely on are consent, contract performance, legal obligation, and legitimate interests), the retention period for each category of data, the recipients, any transfers outside the EU or UK and the safeguards used, the data subject rights listed below, the right to lodge a complaint with a supervisory authority, and contact details for your Data Protection Officer if you have one.

  • Right of access - users can request a copy of all personal data you hold about them.
  • Right to rectification - users can request correction of inaccurate data.
  • Right to erasure (right to be forgotten) - users can request deletion of their data.
  • Right to restriction - users can ask you to pause processing their data.
  • Right to data portability - users can request their data in a machine-readable format.
  • Right to object - users can object to processing based on legitimate interests.
  • Right to withdraw consent - where processing is based on consent, users can withdraw it at any time.

CCPA requirements for privacy policies

The California Consumer Privacy Act applies to for-profit businesses that serve California residents and meet at least one of: annual gross revenue above $25 million (adjusted periodically for inflation); buying, selling, or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information. CCPA-covered businesses must disclose what categories of personal information they collect and why, whether they sell personal information or share it for cross-context behavioural advertising (and if so, provide a 'Do Not Sell or Share My Personal Information' opt-out), how California residents can submit requests to know, delete, or correct their data, and that they will not be treated differently for exercising those rights.

How to handle cookies in your privacy policy

If your website uses cookies or similar storage - including third-party cookies from Google Analytics, Facebook Pixel, or advertising networks - you must disclose this in your privacy policy. Describe each category of cookie you use (strictly necessary, analytics, marketing), what each one collects, how long it lasts, and how users can withdraw or change their choice. For visitors in the EU and UK, the ePrivacy rules require consent (to the GDPR standard: freely given, specific, informed, and as easy to withdraw as to give) before any non-essential cookie is set, so the consent banner must block those scripts until the visitor opts in, rather than loading them and offering an opt-out afterwards.
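The 'block until consent' requirement above is the part sites most often get wrong, so here is an added example of a minimal consent-gated loader; it is not code from the original page or from any vendor. The cookie name, version number, retention period and script URLs are placeholders chosen for illustration, and the registry of scripts is constructed for the example.

```javascript
// Added example: consent-gated loading of non-essential scripts in the browser.
// All names and URLs below are placeholders, not real vendor endpoints.

const CONSENT_COOKIE = "site_consent";        // assumed cookie name
const CONSENT_VERSION = 1;                    // bump when the cookie section of the policy changes
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;   // re-ask after 180 days (assumed retention period)

// Constructed registry of scripts and the category each belongs to.
// Only "essential" is exempt from consent; every other category waits for an explicit yes.
const SCRIPT_REGISTRY = [
  { category: "essential", src: "/static/app.js" },
  { category: "analytics", src: "https://analytics.example/collect.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Parse the consent record out of a document.cookie-style string.
// Returns {analytics, marketing} booleans, or null when there is no valid, current record.
// null means "ask again": nothing non-essential loads until the visitor answers.
function parseConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (record.v !== CONSENT_VERSION) return null;   // stale version: the policy changed, re-ask
      return {
        analytics: record.analytics === true,         // anything but an explicit true is "no"
        marketing: record.marketing === true,
      };
    } catch (e) {
      return null;                                    // tampered or malformed value: treat as no consent
    }
  }
  return null;
}

// Build the document.cookie assignment for a choice. Secure and SameSite keep the record
// itself off plain HTTP and off cross-site requests (Secure is dropped by browsers on http://
// origins other than localhost, which is one more reason the site should be HTTPS-only).
function serializeConsent(choices) {
  const record = {
    v: CONSENT_VERSION,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}

// Decide which scripts may load for a given consent state. Essential scripts always load;
// each other category loads only if consent for exactly that category is true.
function scriptsAllowed(consent, registry = SCRIPT_REGISTRY) {
  return registry
    .filter(({ category }) => category === "essential" || (consent !== null && consent[category] === true))
    .map(({ src }) => src);
}

// Browser glue: read the cookie, inject the allowed scripts, return what was injected.
// Called on page load and again after the banner records a choice. Returns [] outside a browser.
function applyConsent(doc = typeof document !== "undefined" ? document : null) {
  if (doc === null) return [];
  const allowed = scriptsAllowed(parseConsent(doc.cookie));
  for (const src of allowed) {
    if (doc.querySelector(`script[src="${src}"]`)) continue;   // idempotent on repeat calls
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}

// Banner handler: record the choice, then load whatever is now permitted.
function recordChoice(choices, doc = typeof document !== "undefined" ? document : null) {
  if (doc !== null) doc.cookie = serializeConsent(choices);
  return applyConsent(doc);
}
```

Wire `applyConsent()` to page load and `recordChoice({ analytics: ..., marketing: ... })` to the banner's buttons. The point of the design is that the analytics and marketing tags are never in the HTML at all: they are injected only after `parseConsent` returns `true` for their category, and a missing, malformed or out-of-date record is treated as no consent rather than as a default yes. Bumping `CONSENT_VERSION` when you add a new cookie category forces the banner to be shown again, which matches the advice later on this page to tell users when your practices change.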

Third-party services to disclose

Any third-party service that receives personal data from your website must be named in your privacy policy. Common ones include:

  • Google Analytics - collects pseudonymous usage data (a client identifier stored in a cookie, IP address, pages visited, device details); EU regulators have not accepted this as anonymous, so describe it as personal data rather than 'anonymised'.
  • Facebook Pixel - tracks conversions and builds advertising audiences.
  • Stripe or PayPal - processes payment information directly.
  • Mailchimp, ConvertKit, or Klaviyo - stores email addresses and engagement data.
  • Intercom, HubSpot, or Zendesk - stores customer interaction data.
  • Cloudflare, AWS, or other hosting providers - act as processors and may store or route data in other countries, which affects your international transfer disclosures.

Where to publish your privacy policy

Your privacy policy must be easily accessible. As a minimum, link to it from your website footer on every page. Also link to it from any form that collects personal data (contact form, newsletter signup, checkout page), your cookie consent banner, and any app store listings if you have a mobile app. The link text should be clear: 'Privacy Policy' is standard and what users expect to find.

How often should you update it?

Update your privacy policy whenever your data practices change - for example, when you add a new analytics tool, change payment processors, start collecting new types of data, or expand into a new market. Update the effective date at the top of the document whenever you make changes, and for significant changes, notify users directly if you hold their contact details. A good practice is to review it at least once a year.

Generate a free privacy policy

The Privacy Policy Generator on this site builds a complete, customised privacy policy based on your business details, the data you collect, your cookie usage, and your jurisdiction. It covers GDPR, CCPA, and standard data privacy requirements. Download as PDF, copy as plain text, or print directly from your browser - no signup required.
