Placement Guide

Where to Put a Privacy Policy on Your Website

Your website footer is the minimum. But GDPR and CCPA require your privacy policy to be accessible at every point where you collect personal data. Here are the 7 locations you need to cover.

For website owners, app developers, and online business operators who need to know exactly where to display their privacy policy.

Last updated: March 2026 · Reviewed for GDPR, CCPA & CalOPPA compliance

Written by Anupam Kumar · 12 min read

Your privacy policy should be linked from at least 7 locations to meet GDPR and CCPA placement requirements:

  1. Website footer (every page)
  2. Signup and registration forms
  3. Checkout and payment pages
  4. Cookie consent banners
  5. Contact forms
  6. App store listings (if applicable)
  7. Email newsletter footers

Having a privacy policy is only half the battle. If users cannot find it, or if it is buried on a page nobody visits, you are still failing the transparency requirements of GDPR, CCPA, and CalOPPA. These laws do not just require you to have a policy. They require that policy to be conspicuously displayed and easy to access.

CalOPPA is explicit about this: your privacy policy must be "conspicuously posted" on your website. That means a link that a reasonable person can find without difficulty. GDPR goes further by requiring the policy to be provided at the specific point where personal data is collected, not just somewhere on your site.

This guide covers every location where your privacy policy link should appear, with platform-specific instructions for Shopify, WordPress, Wix, and mobile apps.

Why Privacy Policy Placement Matters

Privacy policy placement is not just a design choice. It is a legal requirement with specific standards. The way you display your policy directly affects whether user consent is valid, whether app stores approve your listing, and whether regulators consider you compliant.

Under GDPR, consent must be "informed." That means the user must have had a reasonable opportunity to read your privacy policy before agreeing to data collection. If your policy is hidden behind three clicks or buried in a submenu, regulators can argue that consent was not truly informed.

CalOPPA requires your policy to be "conspicuously posted," which the law defines as either being the first text on your homepage or accessible via a link that uses the word "privacy" and appears on your homepage. Most sites satisfy this with a footer link visible on every page.

  • Footer: minimum required location
  • 7 spots: recommended total locations
  • Required for app store listings

7 Essential Locations for Your Privacy Policy

Each of these locations serves a specific compliance purpose. Missing even one can create a gap that regulators, app stores, or advertising partners may flag.

1. Website footer (every page)

This is the universal standard. A clearly labeled "Privacy Policy" link in your footer ensures the policy is accessible from every page on your site. CalOPPA requires the link to use the word "privacy" and be visible on the homepage. Most website builders and CMS platforms include footer navigation by default.

2. Signup and registration forms

GDPR Article 13 requires you to provide privacy information at the time data is collected. Every signup form, registration page, and newsletter opt-in must include a visible link to your privacy policy. Place it near the submit button with text like "By signing up, you agree to our Privacy Policy."

3. Checkout and payment pages

Checkout pages collect names, addresses, phone numbers, and payment details. This is the most sensitive data collection point on your site. Link your privacy policy near the payment form, before the user submits their order. Shopify, WooCommerce, and most e-commerce platforms support adding policy links to checkout.

4. Cookie consent banners

Your cookie banner is often the first thing users interact with on your site. It should include a link to your full privacy policy or cookie policy. Users need to access the full details before deciding whether to accept or reject cookies.

5. Contact forms

Contact forms collect names, email addresses, and free-text message content. Users should know how their inquiry data will be processed before submitting. Add a brief statement and link below the form, such as "We handle your data as described in our Privacy Policy."

6. App store listings

Both Apple App Store and Google Play require a working privacy policy URL in your app listing. Apps submitted without one will be rejected. The URL must lead directly to your privacy policy page, not your homepage. See our guide on privacy policies for apps for details.

7. Email newsletter footers

Every marketing and transactional email should include a privacy policy link in its footer. CAN-SPAM requires this for commercial emails. GDPR recommends it as part of ongoing transparency. Most email platforms like Mailchimp, ConvertKit, and Sendinblue include footer link placeholders by default.

Did you know?

CalOPPA defines "conspicuously posted" with specific criteria: the link must contain the word "privacy," use a font size or color that makes it stand out from surrounding text, and be located on the homepage or the first significant page after the homepage. A footer link on every page satisfies this, but a link hidden in a submenu does not.

Platform-Specific Placement Guides

Where to add your privacy policy link depends on your website platform. Here is how to do it on the most popular platforms.

Platform    | Where to Add                                                                 | Notes
------------|------------------------------------------------------------------------------|------------------------------------------------------------------------------
Shopify     | Settings > Policies > Privacy Policy, then Footer menu under Navigation       | Checkout page link is automatic when policy is set in Settings
WordPress   | Settings > Privacy, then add to footer menu via Appearance > Menus            | WordPress has a built-in privacy policy page generator since version 4.9.6
Wix         | Add a page, then link it in your footer section via the Editor               | Wix does not auto-link on forms; add manually to each form page
Squarespace | Add a page, then link in footer via Navigation settings                      | Use the "Not Linked" section to keep it out of main nav
Webflow     | Create a static page and add the link to your footer symbol                  | Footer symbols update site-wide automatically
WooCommerce | WordPress privacy page plus WooCommerce > Settings > Accounts & Privacy      | Adds privacy policy link to checkout and account registration

Did you know?

Google requires a privacy policy link for any app or website that uses Google Analytics, Google AdSense, or Google Sign-In. If you use any Google service that collects user data, your privacy policy must be linked from your website. This is separate from any legal requirement and is a condition of your Google service agreement.

Q: Can I use a pop-up instead of a dedicated page?

No. A pop-up or modal is not a reliable substitute for a dedicated privacy policy page. Pop-ups can be blocked by browsers, may not be indexable by search engines, and do not provide a stable URL for app store submissions. Always use a dedicated page with a permanent URL.

Q: Does the link text matter?

Yes. CalOPPA requires the link to include the word "privacy." Use "Privacy Policy" as your link text. Avoid vague labels like "Legal," "Terms," or "Policies" that do not clearly identify the link as leading to your privacy policy. Users and regulators should be able to identify the link at a glance.

Mobile App Privacy Policy Placement

Mobile apps have stricter placement requirements than websites because both Apple and Google enforce their own policies on top of legal requirements.

Required Locations for Mobile Apps

  • App store listing page (Apple App Store and Google Play both require this)
  • Within the app itself, typically in Settings or About section
  • Before or during account registration within the app
  • On any in-app screen that collects personal data (payment, profile editing)
  • On your app's marketing website or landing page

Apple will reject your app during review if the privacy policy link is missing or broken. Google Play will flag your app and may remove it from the store. For detailed requirements, see our guide on privacy policies for apps.

Email Marketing Privacy Policy Placement

Email marketing involves two separate placement requirements: the signup form where users subscribe and the emails themselves.

Email Signup Forms

Every email signup form must include a link to your privacy policy. This is where consent is captured, so GDPR requires users to be informed at this exact point. Place the link near the subscribe button. Many businesses add a line like "We respect your privacy. Read our Privacy Policy."

Within Emails

CAN-SPAM requires commercial emails to include your physical address and an unsubscribe link. While it does not explicitly mandate a privacy policy link, GDPR recommends it and most email service providers include it by default. Adding the link to your email footer template ensures it appears in every message automatically.

Did you know?

Mailchimp, ConvertKit, and most major email platforms automatically add an unsubscribe link to your emails, but they do not always add a privacy policy link. You need to add this yourself by editing your default email footer template. It takes about two minutes and covers every email you send going forward.

Social Media Privacy Policy Placement

If you run business profiles on social media platforms, your privacy policy should be linked there too. This is especially important if you collect data through social media (running ads, using lead forms, or collecting messages through your business page).

  • Facebook and Instagram: Add the link to your Page's About section and in any lead form ad
  • LinkedIn: Add to your Company Page's website URL or About section
  • Twitter/X: Include in your bio link or pinned tweet if you collect data
  • YouTube: Add to your channel description and video descriptions if applicable
  • TikTok: Link in your bio, especially if you run a TikTok Shop or collect leads

Q: Do I need a separate privacy policy for social media?

No. Your main website privacy policy covers your social media data collection as long as it describes the data you collect through those channels. Simply link to your existing policy. If your social media activities involve unique data collection (like running contests or using platform-specific lead forms), make sure those activities are described in your policy.

Q: What about social media ads with lead forms?

Facebook and LinkedIn lead form ads require you to include a privacy policy link directly in the ad. This is enforced at the platform level. You cannot publish a lead form ad without providing a privacy policy URL. The same policy you use on your website works here.

Common Placement Mistakes

Even when businesses have a privacy policy, these placement mistakes leave them exposed to compliance issues.

Mistake: Only linking in the footer

A footer link is the minimum, not the complete solution. GDPR requires the policy to be presented at the point of data collection. If your signup form, checkout page, or contact form does not include a link, you are missing the legal requirement for informed consent at those touchpoints.

Mistake: Using a broken or outdated URL

If you have redesigned your website, changed CMS platforms, or restructured your pages, your old privacy policy URL may return a 404 error. App stores, email footers, and social media profiles may still point to the old URL. Audit all locations where your policy is linked after any site migration.

Mistake: Hiding the link in a crowded footer

Some websites bury the privacy policy link among dozens of other footer links in a small font. CalOPPA requires the link to be "conspicuous." If a reasonable person cannot find it within a few seconds of looking, you may not meet the conspicuousness standard.

Mistake: Linking to a PDF instead of a web page

PDFs are harder to read on mobile devices, cannot be easily indexed by search engines, and create a poor user experience. Use a dedicated HTML page on your website. If you need a PDF version for legal records, offer it as a download option alongside the web page.

Mistake: Not linking on the cookie consent banner

Many cookie banners only say "We use cookies" with Accept and Reject buttons but do not link to the full policy. GDPR requires informed consent, which means users must be able to read the details before making a choice. Always include a link to your cookie policy or privacy policy in the banner.

How to Place Your Privacy Policy (7 Steps)

Follow this checklist to make sure your privacy policy is properly linked across all required locations.

1. Add a privacy policy link to your website footer

Place a clearly labeled "Privacy Policy" link in your site-wide footer. This ensures the policy is accessible from every page. Use plain text, not icons or abbreviations. The link should be visible without scrolling through dense footer content.

2. Link the policy on all signup and registration forms

Add a visible privacy policy link on every form that collects personal data: signup forms, registration pages, newsletter opt-ins, and account creation flows. Place it near the submit button with text such as "By signing up, you agree to our Privacy Policy."

3. Include the link on checkout and payment pages

Your checkout page collects sensitive personal and financial data. Link your privacy policy prominently on this page, ideally near the payment form. This is required for GDPR compliance and recommended for PCI DSS best practices.

4. Add the link to your cookie consent banner

Your cookie consent banner should include a direct link to your privacy policy or cookie policy. Users must be able to read the full details of your cookie usage before giving or withholding consent.

5. Place the link on contact forms

Contact forms collect names, email addresses, and message content. Add a privacy policy link on or near the form so users know how their inquiry data will be handled before they submit it.

6. Add the link to your app store listing

If you have a mobile app, submit your privacy policy URL when publishing or updating your app on Apple App Store or Google Play. The URL must lead directly to your privacy policy page, not your homepage or a general legal page.

7. Include the link in email footers

Add a privacy policy link to the footer of all marketing and transactional emails. This is required by CAN-SPAM and recommended under GDPR. Most email platforms include a merge tag or placeholder for this purpose.
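As an added example (not part of the original guide), here is a small offline audit that checks a set of pages against the criteria this checklist and the Common Placement Mistakes section state: the link text must contain the word "privacy", pages with a form must carry the link, the target must not be a PDF, and the URL must not be dead. The sample pages and the status table are constructed stand-ins for a real crawl and per-URL HEAD requests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample site (not real pages): a compliant homepage, a signup page whose
# footer uses a vague "Legal" label, and a contact page pointing at a stale PDF.
SITE = {
    "https://example.com/": '<footer><a href="/privacy">Privacy Policy</a></footer>',
    "https://example.com/signup": (
        '<form action="/signup"><input name="email"></form>'
        '<footer><a href="/legal">Legal</a></footer>'),
    "https://example.com/contact": '<footer><a href="/docs/privacy-2019.pdf">Privacy Policy</a></footer>',
}
# Constructed status table standing in for an HTTP HEAD request per link target.
STATUS = {"https://example.com/privacy": 200, "https://example.com/legal": 200,
          "https://example.com/docs/privacy-2019.pdf": 404}


class LinkScan(HTMLParser):
    """Collect (href, visible text) for each anchor and note whether the page has a form."""
    def __init__(self):
        super().__init__()
        self.links, self.has_form, self._href, self._text = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True  # a form marks a data-collection point (GDPR Art. 13)
        elif tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_page(url, html, status=STATUS):
    """Return a list of findings for one page, each tied to a criterion from the guide."""
    scan = LinkScan()
    scan.feed(html)
    # CalOPPA: the link text itself must contain the word "privacy"; "Legal" does not count.
    policy = [(h, t) for h, t in scan.links if "privacy" in t.lower()]
    if not policy:
        where = "form page" if scan.has_form else "page"
        return [f"{where} has no link whose text contains 'privacy'"]
    findings = []
    for href, _ in policy:
        target = urljoin(url, href)
        if target.lower().endswith(".pdf"):  # mistake: PDF instead of an HTML page
            findings.append(f"policy link is a PDF: {target}")
        if status.get(target) != 200:  # mistake: broken or outdated URL
            findings.append(f"policy URL not reachable: {target}")
    return findings
```

Run `audit_page(url, SITE[url])` for each URL in the site map; an empty list means the page passes every check.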

Need a Privacy Policy to Place?

Before you can link your privacy policy everywhere, you need one that accurately reflects your data practices. Generate a customized policy in under 60 seconds.

Frequently Asked Questions

Where should I put my privacy policy on my website?

At minimum, in your website footer so it is accessible from every page. Beyond that, link it on signup forms, checkout pages, cookie consent banners, contact forms, app store listings, and email footers. GDPR requires the policy to be presented at the point of data collection.

Is a footer link enough for compliance?

A footer link satisfies the CalOPPA "conspicuously posted" requirement, but GDPR requires additional placement at each point of data collection. If you have signup forms, checkout pages, or contact forms, those need separate links to the policy.

Do I need to link my privacy policy on signup forms?

Yes. GDPR Article 13 requires you to provide privacy information at the time personal data is collected. A signup form collects personal data, so it must include a visible link to your privacy policy near the submit button.

Where do I put the privacy policy link in a mobile app?

In the app store listing (required by Apple and Google), within the app's settings or about section, and at any in-app data collection point like registration or payment screens. Missing the app store link will result in rejection during app review.

Should my cookie banner link to my privacy policy?

Yes. The cookie banner provides a summary, but users must be able to access the full details before deciding on consent. Include a link to your privacy policy or a dedicated cookie policy within the banner itself.

Do emails need a privacy policy link?

Yes, for both the signup form and the emails themselves. CAN-SPAM requires certain disclosures in commercial emails, and GDPR recommends a privacy policy link. Add it to your email footer template so it appears in every message automatically.

Can I use a PDF instead of a web page for my privacy policy?

A web page is strongly recommended over a PDF. PDFs are harder to read on mobile, cannot be easily updated, and create a poor user experience. Use a dedicated HTML page with a permanent URL. You can offer a PDF download as a secondary option if needed.

Ready to Place Your Privacy Policy?

First, make sure you have a policy that accurately reflects your current data practices. Generate a customized, compliant privacy policy in under 60 seconds.

Covers GDPR, CCPA, and CalOPPA · Customized to your practices · Updated for 2026