Every privacy policy should include these 12 sections:
- Types of personal data collected
- How data is collected (methods and sources)
- Purpose for each type of data use
- Legal basis for processing (required by GDPR)
- Third-party data sharing and recipients
- Cookie and tracking technology disclosure
- Data retention periods
- User rights (access, deletion, correction, portability)
- Children's privacy protections
- International data transfers
- Security measures
- Contact information for the data controller
The exact requirements depend on which laws apply to your website or app. GDPR, CCPA, COPPA, CalOPPA, and PIPEDA each have specific disclosure mandates. Missing even one required section can make your entire policy non-compliant.
12 Essential Sections Every Privacy Policy Must Include
A detailed breakdown of each required section.
A privacy policy is not a single block of text. It is a structured document with distinct sections, each addressing a specific legal requirement. Omitting any section can make the entire policy non-compliant. Here is what each section must contain and why it matters.
1. Types of Personal Data Collected
List every category of personal data your website or app collects. This includes obvious data like names, email addresses, and phone numbers, but also less obvious data like IP addresses, browser fingerprints, device identifiers, geolocation data, and behavioral data from analytics. Under GDPR, even a cookie identifier is personal data. Under CCPA, categories include identifiers, commercial information, internet activity, geolocation, audio/visual data, professional information, and inferences drawn from other data. Be specific. 'We collect personal information' is insufficient. You must list exactly what types of data you collect.
2. How Data Is Collected
Describe every method through which you collect personal data. Common methods include: forms (contact, sign-up, checkout), cookies and tracking technologies, analytics scripts (Google Analytics, Plausible), server logs, third-party integrations (social login, payment processors), user account creation, API calls, and mobile device sensors. Users need to understand not just what data you collect, but how it reaches you. A user who fills out a form understands that data exchange. A user whose IP address is logged by an analytics script may not.
3. Purpose of Data Use
For each category of data, explain why you collect and process it. Legitimate purposes include service delivery, account management, payment processing, customer support, analytics and performance improvement, marketing communications (with consent), fraud prevention, legal compliance, and personalization. GDPR Article 5(1)(b) requires that data be collected for specified, explicit, and legitimate purposes. Vague statements like 'to improve our services' are not sufficient. State the specific improvement: 'to analyze page load times and optimize site performance.'
4. Legal Basis for Processing (GDPR)
Under GDPR, you must identify a lawful basis for each processing activity. The six legal bases are: consent (user actively opts in), contract performance (processing is necessary to fulfill an agreement), legitimate interest (your business interest, balanced against user rights), legal obligation (required by law), vital interest (protecting someone's life), and public task (official authority). Most websites rely on consent for marketing, contract performance for service delivery, and legitimate interest for analytics. You must specify which basis applies to each type of processing. This section is mandatory under GDPR but also demonstrates good practice for CCPA and other laws.
5. Third-Party Data Sharing
Disclose every third party that receives user data. Organize by category: analytics providers (Google Analytics, Mixpanel), payment processors (Stripe, PayPal), advertising partners (Google Ads, Meta Pixel), email service providers (Mailchimp, SendGrid), hosting providers (AWS, Vercel), CDN services (Cloudflare), and any other data processors. For each category, state the purpose of sharing and whether data is transferred outside the user's jurisdiction. CCPA requires you to state whether you 'sell' or 'share' personal information as defined by the law. GDPR requires you to name categories of recipients.
6. Cookie and Tracking Disclosure
Detail every cookie and tracking technology your site uses. For each cookie, disclose: its name, purpose (essential, analytics, marketing, functional), duration (session, or persistent with its lifetime), and whether it is first-party or third-party. Under the ePrivacy Directive and GDPR, you must obtain consent before setting non-essential cookies. Common cookies to disclose include Google Analytics (_ga, _gid), session cookies, login tokens, preference cookies, and advertising cookies. Many sites include a cookie table for clarity. This section can be part of the privacy policy or a separate cookie policy linked from the main document.
7. Data Retention Periods
State how long you retain each category of personal data. GDPR Article 5(1)(e) requires that data be kept no longer than necessary for the purposes for which it is processed. Typical retention periods: account data is kept for the duration of the account plus a defined period after deletion (e.g., 30 days), transaction records are kept for the legally required period (often 7 years for tax purposes), analytics data is kept for 14 to 26 months, server logs are kept for 30 to 90 days, and marketing consent records are kept for the duration of consent plus a documentation period. 'We retain data as long as necessary' is not specific enough.
8. User Rights
List every right users have under applicable laws and explain how to exercise each one. Under GDPR: right of access, rectification, erasure ('right to be forgotten'), restriction of processing, data portability, objection, and rights related to automated decision-making. Under CCPA: right to know, right to delete, right to correct, right to opt out of sale/sharing, and right to non-discrimination. Include the method for submitting requests (email, web form, postal address), expected response time (GDPR requires within one month, CCPA within 45 days), and verification procedures. Also state the right to lodge a complaint with a supervisory authority.
9. Children's Privacy
Address how your service handles data from children. COPPA (US) prohibits collecting data from children under 13 without verifiable parental consent. GDPR sets the age at 16 in most EU countries (some lower it to 13). If your service does not target children, state this explicitly: 'Our service is not directed to individuals under the age of 13. We do not knowingly collect personal data from children under 13.' If you do collect children's data, describe your parental consent mechanism, what data is collected, and how parents can review or delete their child's data.
10. International Data Transfers
If you transfer personal data outside the user's country (especially outside the EU/EEA), disclose this and explain the safeguards in place. Under GDPR, transfers to countries without an 'adequacy decision' from the European Commission require specific safeguards: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or explicit consent. The EU-US Data Privacy Framework provides a mechanism for transfers to certified US organizations. Name the countries where data is transferred and the legal mechanism that authorizes each transfer.
11. Security Measures
Describe the technical and organizational measures you use to protect personal data. GDPR Article 32 requires 'appropriate technical and organisational measures' including: encryption of data in transit (TLS/SSL) and at rest, access controls and authentication, regular security assessments and penetration testing, employee training on data protection, incident response procedures, and data backup and recovery. You do not need to reveal specific technical details that could compromise security (such as exact encryption algorithms or firewall configurations), but you should provide enough information to assure users their data is protected.
12. Contact Information
Provide clear contact details for privacy-related inquiries. Under GDPR, you must disclose: the identity and contact details of the data controller (name, address, email), the contact details for your Data Protection Officer (DPO), if one is required, and the relevant supervisory authority where users can lodge complaints. Under CCPA, provide at least two methods for consumers to submit requests (e.g., toll-free phone number and email or web form). Include a physical mailing address. Make it easy for users to reach you about their data.
Did you know?
A 2024 study by the International Association of Privacy Professionals (IAPP) found that 67% of privacy policies reviewed were missing at least one section required by the laws applicable to them. The most commonly omitted sections were data retention periods (missing in 52% of policies), legal basis for processing (missing in 44%), and international data transfer disclosures (missing in 61%). An incomplete policy carries the same legal risk as having no policy at all.
Do I need to include all 12 sections if I only operate in the US?
You should include all 12 sections regardless of location. Even if GDPR does not apply (which is unlikely for any website indexed by search engines), CCPA, CalOPPA, and multiple state privacy laws require most of the same disclosures. Including all sections also protects you if your audience expands internationally. The cost of including extra sections is zero. The cost of missing required ones is significant.
Can I use plain language or do I need legal jargon?
Use plain language. GDPR Article 12 explicitly requires information to be provided in a 'concise, transparent, intelligible and easily accessible form, using clear and plain language.' Legal jargon makes your policy harder to understand and does not make it more enforceable. Write for your users, not for lawyers. A privacy policy that users cannot understand fails its primary purpose.
What Each Law Specifically Requires
A side-by-side comparison of disclosure requirements.
Different privacy laws require different disclosures. The table below shows which sections are mandatory under each major law. Including all 12 sections ensures compliance with every law simultaneously.
| Section | GDPR | CCPA | CalOPPA | COPPA |
|---|---|---|---|---|
| Types of data collected | Required | Required | Required | Required |
| How data is collected | Required | Recommended | Recommended | Required |
| Purpose of data use | Required | Required | Recommended | Required |
| Legal basis for processing | Required | N/A | N/A | N/A |
| Third-party sharing | Required | Required | Required | Required |
| Cookie disclosure | Required | Recommended | Required | Required |
| Data retention periods | Required | Recommended | N/A | Required |
| User rights | Required | Required | Required | Required |
| Children's privacy | Required | Recommended | N/A | Required |
| International transfers | Required | N/A | N/A | N/A |
| Security measures | Required | Recommended | N/A | Required |
| Contact information | Required | Required | Required | Required |
"Recommended" means the law does not explicitly mandate the section, but including it is considered best practice and may be required under certain enforcement interpretations. Including all sections regardless of legal mandate provides the strongest compliance position.
Did you know?
GDPR Article 13 lists 13 specific items that must be provided to data subjects when personal data is collected directly from them, and Article 14 adds additional requirements when data is obtained from third-party sources. Failure to include even one required item constitutes a transparency violation, which carries the same maximum penalty as any other GDPR infringement: up to 20 million euros or 4% of global annual turnover.
Industry-Specific Additions
Extra sections your industry may require beyond the 12 essentials.
The 12 sections above cover the universal requirements. Depending on your industry, additional disclosures may be required by sector-specific regulations or platform policies.
E-commerce and Online Stores
If you sell products online, your privacy policy should additionally cover: payment data handling and PCI-DSS compliance, order and shipping information processing, return and refund data retention, loyalty program data practices, and how you handle customer reviews. Payment processors like Stripe and PayPal have their own privacy requirements that your policy should reference. If you use Shopify, WooCommerce, or another e-commerce platform, their specific data practices should be disclosed as well.
Healthcare and HIPAA
If you handle protected health information (PHI), HIPAA requires a Notice of Privacy Practices that is separate from (or in addition to) a standard privacy policy. This must cover: uses and disclosures of PHI, patient rights (access, amendment, accounting of disclosures, restriction requests), your duties regarding PHI, and how to file complaints. Telehealth services, health apps, and wellness platforms may fall under HIPAA or FTC Health Breach Notification rules depending on the data they handle.
Mobile Apps
Mobile apps collect data that websites typically do not: device identifiers (IDFA, GAID), precise geolocation, camera and microphone access, contact lists, photo library access, push notification tokens, and app usage patterns. Apple App Store requires privacy nutrition labels and an App Tracking Transparency prompt. Google Play Store requires a data safety section. Your privacy policy must disclose all device permissions requested and how the resulting data is used.
SaaS and B2B Applications
SaaS privacy policies often need additional sections for: sub-processor lists (GDPR requirement), data processing agreements (DPA) availability, data residency and hosting location, uptime SLA data handling, API data practices, multi-tenant architecture disclosures, and customer data ownership and portability. Enterprise customers frequently audit SaaS privacy policies as part of vendor assessment, so completeness is particularly important.
Financial Services and Fintech
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide customers with a privacy notice explaining data sharing practices, the right to opt out of certain sharing, and safeguards for sensitive financial data. State money transmitter regulations add further requirements. If you handle financial data, credit information, or facilitate transactions, additional disclosures beyond the 12 standard sections are necessary.
Did you know?
Apple's App Tracking Transparency framework, introduced in iOS 14.5, requires apps to request permission before tracking users across other apps and websites. This single change reduced mobile ad tracking revenue by an estimated $10 billion in its first year. If your mobile app requests any tracking permissions, your privacy policy must explain exactly what data is tracked, how it is used, and how users can opt out. The privacy policy must match what your App Store privacy nutrition labels declare.
Common Mistakes That Make Your Policy Non-Compliant
These errors are found in the majority of privacy policies online.
Being vague about data collection
Statements like 'we may collect personal information' or 'we collect data to improve our services' fail to meet the specificity requirements of GDPR, CCPA, and CalOPPA. You must list exact data categories, exact purposes, and exact recipients. 'May collect' is not a disclosure. Either you collect it or you do not. Regulators interpret vague language as an attempt to obscure data practices, which increases enforcement risk rather than reducing it.
Copying another website's privacy policy
A privacy policy must accurately describe your specific data practices. Copying another site's policy means it describes their data practices, not yours. If you use Stripe but the copied policy mentions PayPal, your policy is inaccurate. If you use Google Analytics but the copied policy does not mention it, you have an undisclosed data practice. Inaccurate privacy policies have been the basis for FTC enforcement actions and GDPR fines.
Omitting third-party services
Every third-party service that processes user data must be disclosed. This includes analytics (Google Analytics, Mixpanel), advertising (Google Ads, Meta Pixel), payments (Stripe, PayPal), email (Mailchimp), hosting (AWS, Vercel), CDN (Cloudflare), and customer support tools (Intercom, Zendesk). Many website owners forget to include their hosting provider, CDN, or embedded services like YouTube and Google Maps. Each of these transmits user data to a third party.
Forgetting to update after adding new tools
Your privacy policy must reflect your current data practices. When you add Google Analytics, switch payment processors, install a new WordPress plugin, or start using a new email marketing service, your privacy policy must be updated to disclose the new data processing. Set a quarterly review schedule. Every time you add or change a tool that touches user data, update your policy before deployment.
Not including an effective date or update history
CalOPPA explicitly requires an effective date on your privacy policy. GDPR requires that users be notified of material changes to data processing. Without a visible date, users and regulators cannot determine whether your policy reflects current practices. Best practice is to include both the original publication date and the most recent update date. Some organizations maintain a changelog of material updates.
An incomplete policy is as risky as no policy
GDPR regulators have fined organizations specifically for inadequate privacy disclosures, not just for missing policies. In 2023, the Italian DPA fined a company €20,000 for having a privacy policy that failed to mention its use of Google Analytics and third-party advertising cookies. The policy existed but was incomplete. Missing sections carry the same enforcement risk as a missing policy.
Frequently Asked Questions
What should a privacy policy include?
A privacy policy should include 12 essential sections: types of personal data collected, how data is collected, purposes of data use, legal basis for processing, third-party data sharing, cookie and tracking disclosure, data retention periods, user rights, children's privacy, international data transfers, security measures, and contact information. The exact requirements depend on which laws apply.
What are the legal requirements for a privacy policy?
GDPR requires disclosure of data controller identity, processing purposes, legal basis, data recipients, retention periods, user rights, and international transfers. CCPA requires disclosure of data categories, purposes, third-party sharing, and consumer rights. CalOPPA requires conspicuous posting and PII category disclosure. COPPA requires parental consent mechanisms for children's data.
Does a privacy policy need to mention cookies?
Yes. If your website uses any cookies, you must disclose this in your privacy policy. Under GDPR and the ePrivacy Directive, you also need to obtain consent before setting non-essential cookies. Your disclosure should list each cookie by name, its purpose, duration, and whether it is first-party or third-party. Many websites maintain a separate cookie policy for detailed disclosure while summarizing cookie practices in the main privacy policy.
How long should a privacy policy be?
A privacy policy should be as long as necessary to cover all required disclosures. A simple blog may need 800 to 1,200 words. An e-commerce site typically needs 1,500 to 3,000 words. A SaaS application with complex data practices may need 3,000 to 5,000 words. GDPR Article 12 requires information to be concise, transparent, and easily accessible. Prioritize completeness and clarity over brevity.
Do I need a separate cookie policy?
Not necessarily. You can include cookie disclosures within your privacy policy. However, many websites create a separate cookie policy for clarity, especially with numerous cookies or granular consent management. What matters under the law is that cookie information is easily accessible, not whether it lives in a separate document.
What happens if my privacy policy is incomplete?
An incomplete privacy policy carries the same legal risk as having no privacy policy at all. GDPR regulators have fined organizations for inadequate disclosures. If your policy fails to mention data sharing with third parties, does not list user rights, or omits your legal basis for processing, it does not meet compliance requirements.
Should a privacy policy include information about third-party services?
Yes. You must disclose which third parties receive user data and for what purpose. This includes analytics providers, payment processors, advertising networks, email services, hosting providers, CDN services, and any service that processes user data on your behalf. GDPR requires naming categories of recipients, and best practice is to name specific services.