Website Privacy Policy: What It Must Contain in 2026
Your website privacy policy is a legal document. Regulators, courts, and data protection authorities treat it as one. And yet, the majority of privacy policies on the web today are copy-pasted templates that were last updated in 2019 and describe tools the site doesn't use — while missing the ones it does.
This guide covers exactly what a compliant website privacy policy must contain in 2026: the legal requirements under GDPR, CCPA, and CalOPPA, the 10 sections every policy needs, why templates fail, and how to generate a policy that actually reflects your site's real data practices.
Who Needs a Website Privacy Policy?
The short answer: almost every website.
If your site does any of the following, you need a website privacy policy:
- Uses analytics tools (Google Analytics, Plausible, Fathom, Mixpanel)
- Has a contact form that collects names or email addresses
- Uses cookies beyond strictly necessary session cookies
- Has a newsletter signup or email list
- Runs advertising pixels (Meta Pixel, LinkedIn Insight Tag, Google Ads)
- Uses live chat software (Intercom, Drift, Crisp)
- Sells products or services online
- Has registered users or accounts
In practice, almost every website collects some personal data — even if it's just IP addresses logged by your web server, or analytics data about page views. Once you collect any personal data, privacy laws apply and a policy is required.
The legal triggers vary by jurisdiction. GDPR applies if your business is established in the EU, or if you offer goods or services to people in the EU or monitor their behaviour (analytics and advertising trackers on a site aimed at EU visitors count as monitoring). CCPA applies if you collect California residents' personal information and meet one of its thresholds. CalOPPA applies to any commercial website accessible to California residents. Combined, these regulations cover the vast majority of websites.
GDPR Requirements for Privacy Policies
The General Data Protection Regulation (GDPR) sets the most detailed requirements for privacy notices. Articles 13 and 14 specify exactly what information must be provided — Article 13 when data is collected directly from the individual, Article 14 when data is obtained indirectly.
Under GDPR, your website privacy policy must include:
- Identity and contact details of the data controller — your business name, address, and how to reach you
- Contact details of your Data Protection Officer — if you're required to have one
- Purposes and legal basis for processing — why you collect data and which of the six legal bases applies to each purpose
- Legitimate interests — if you rely on legitimate interest as your legal basis, you must state what those interests are
- Recipients or categories of recipients — who you share data with (third-party tools count)
- International transfers — if data leaves the EEA, the safeguards in place (Standard Contractual Clauses, adequacy decisions)
- Retention periods — or the criteria used to determine how long you keep data
- User rights — access, rectification, erasure, restriction, portability, objection
- Right to withdraw consent — if consent is your legal basis, users must be told they can withdraw it at any time
- Right to lodge a complaint — with a supervisory authority
- Whether provision of data is statutory or contractual — and the consequences of not providing it
- Existence of automated decision-making — including profiling, where relevant
This is not a suggestion list. These are mandatory disclosure requirements. A privacy policy that omits the legal basis for processing, for example, fails GDPR Article 13 and exposes you to enforcement action.
CCPA Requirements for Privacy Notices
The California Consumer Privacy Act (CCPA), as amended by the CPRA, requires businesses meeting certain thresholds to provide a privacy notice that covers:
- Categories of personal information collected — using the specific CCPA categories (identifiers, commercial information, internet activity, etc.)
- Purposes for collecting each category — what you use each type of data for
- Categories of third parties with whom data is shared — broken down by category of data
- Whether personal information is sold or shared — and if so, users' right to opt out
- Retention periods — per category of personal information
- User rights — the right to know, delete, correct, and opt-out
- How to submit requests — the mechanisms users can use to exercise their rights
- Non-discrimination notice — users can't be penalised for exercising their rights
CCPA applies to for-profit businesses that collect California consumers' personal information and meet one of three thresholds: annual gross revenues over $25 million, buying/selling/receiving/sharing personal information of 100,000+ consumers annually, or deriving 50%+ of annual revenue from selling personal information.
CalOPPA Requirements
The California Online Privacy Protection Act requires any commercial website or online service that collects personally identifiable information from California residents to conspicuously post a website privacy policy that identifies:
- The categories of personally identifiable information collected
- Categories of third parties with whom information is shared
- How users can review and request changes to their information
- How the policy will be communicated to users when material changes are made
- The effective date of the policy
CalOPPA applies to virtually any commercial website accessible to California residents — which means it covers the overwhelming majority of English-language websites, regardless of where the business is based.
The 10 Sections Every Compliant Website Privacy Policy Needs
1. Who You Are and How to Contact You
Your website privacy policy must clearly identify the data controller — the entity legally responsible for how personal data is handled. This means your full legal business name, registered address, and at minimum an email address for privacy inquiries.
Under GDPR, if your organisation is required to appoint a Data Protection Officer, their contact details must also be included separately. Even if a DPO isn't legally required, naming a privacy contact builds trust and gives users a real person to reach.
2. What Personal Data You Collect — Be Specific
Generic language like "we may collect personal information" fails the legal transparency requirement and is useless to readers. Your website privacy policy must specify the actual categories of data collected — and ideally the specific data points.
Examples of what to cover:
- Name, email address, phone number (from contact forms)
- IP address, browser type, device type, pages visited (from analytics)
- Purchase history, payment method type (from ecommerce)
- Cookie identifiers, advertising IDs (from tracking pixels)
- Chat transcripts (from live chat tools)
The key is to describe what your site actually collects — not what a template assumes you might collect.
3. Why You Collect It — The Purpose
For each category of data, your policy must explain the purpose of collection. Regulators consider vague purposes like "to improve our services" insufficient. Be specific: "to send you the weekly newsletter you subscribed to," "to analyse traffic patterns and improve page performance," "to retarget visitors with advertising on Meta platforms."
4. Legal Basis for Processing — GDPR Specific
This is the section most templates get wrong or omit entirely. Under GDPR, you must have a legal basis for every processing activity, and you must disclose it. The six legal bases are:
- Consent — the user actively agreed to this specific processing
- Contract — processing is necessary to fulfil a contract with the user
- Legal obligation — processing is required by law
- Vital interests — processing is necessary to protect someone's life
- Public task — processing is necessary for a public interest task
- Legitimate interests — processing is necessary for your legitimate interests or a third party's, and those interests are not overridden by the user's interests, rights and freedoms (you are expected to document that balancing test)
For most small business websites: consent covers analytics and advertising cookies (the consent requirement for non-essential cookies comes from the ePrivacy rules, with GDPR setting the standard for what counts as valid consent), contract covers order processing, and legitimate interests may cover fraud prevention and basic security logging. Each processing purpose needs its own legal basis identified.
5. Who You Share Data With — Name Them
"We may share your data with third parties" is not enough. Your website privacy policy must identify the categories of recipients — and ideally name the specific services where possible. If you use Google Analytics, say so. If you use Mailchimp for email, HubSpot for CRM, Stripe for payments, and Intercom for chat — each one should be named.
For each third party, consider disclosing: what data is shared, why, and whether they act as a data processor (following your instructions) or an independent data controller.
6. International Data Transfers and Safeguards
If you use US-based tools — Google, Meta, Stripe, HubSpot, Mailchimp, Intercom — you are very likely transferring personal data from the EU to the US, unless the vendor offers, and you have actually configured, EU-only hosting and support. GDPR requires you to disclose the transfer and explain the legal mechanism that makes it lawful.
The most common mechanism is Standard Contractual Clauses (SCCs), which most major US providers include in their Data Processing Agreements. Where an adequacy decision applies (such as the EU-US Data Privacy Framework), reference it and check that the specific provider is actually certified under it. Don't just say "we take appropriate safeguards" — name the mechanism.
7. How Long You Keep Data — Retention Periods
The storage limitation principle under GDPR requires you to keep data "no longer than necessary." Your website privacy policy must either state specific retention periods (e.g., "email marketing data is retained for 3 years from last interaction") or describe the criteria used to determine retention (e.g., "we retain order data for 7 years to comply with tax obligations").
Different data categories typically have different retention periods — be specific.
8. User Rights — Access, Deletion, Portability, Objection
This section must cover every right your users have under applicable law. Under GDPR, this includes:
- Right to access — receive a copy of their personal data
- Right to rectification — correct inaccurate data
- Right to erasure ("right to be forgotten") — request deletion of their data
- Right to restriction — limit processing while a dispute is resolved
- Right to data portability — receive their data in a machine-readable format
- Right to object — object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making — where applicable
Under CCPA, rights include: right to know, right to delete, right to correct, right to opt out of sale/sharing, right to non-discrimination.
Critically: your policy must tell users how to exercise these rights — an email address, a web form, or both.
9. How to Make a Complaint
Under GDPR, users have the right to lodge a complaint with their national data protection authority (DPA) if they believe their data is being processed unlawfully. Your website privacy policy must tell users this right exists and how to exercise it.
For CCPA, users can contact the California Privacy Protection Agency (CPPA). Under CalOPPA, users can report violations to the California Attorney General.
Including this information isn't optional — it's a mandatory GDPR requirement under Article 13(2)(d).
10. How the Policy Will Be Updated
Regulators and courts pay attention to whether your policy has a "last updated" date and whether you communicate material changes to users. Your website privacy policy should state:
- When the policy was last updated (with the actual date)
- How users will be notified of future material changes (email notification, banner on the site, etc.)
- Where the current version can always be found
The Template Problem: Why Generic Policies Fail
Here's what happens when someone uses a generic privacy policy template: the template lists every tool the generator has ever seen — Google Analytics, Stripe, Mailchimp, Intercom, HotJar, Facebook Pixel, Twitter Pixel, LinkedIn Insight Tag — whether or not the site uses them. Meanwhile, it misses the tools the site actually uses that weren't in the template database.
The result is a website privacy policy that:
- Discloses tools you don't use — which creates confusion and technical inaccuracy
- Misses tools you do use — which is a GDPR violation (Article 13 requires disclosure of the actual recipients or categories of recipients)
- Applies wrong legal bases — templates often default to "legitimate interests" for everything, which doesn't hold up for advertising and analytics under GDPR
- Uses wrong retention periods — templates use generic timeframes that may not match your actual data practices
- Fails the specificity requirement — GDPR requires transparency, not plausible-sounding boilerplate
In enforcement cases, data protection authorities look closely at whether privacy policies accurately reflect actual data practices. A policy that lists Stripe but not the advertising pixel actually firing on every page is evidence of poor privacy governance — and a potential violation.
How to Make Your Policy Accurate: Audit First, Then Write
The only way to write an accurate website privacy policy is to know what your website actually does. This means:
- Scan your site — identify every third-party script, cookie, and tracker running on your pages. Your browser's developer tools (the Network and Application/Storage tabs) show this one page at a time; tools like Custodia can do it across the whole site automatically.
- Audit your forms — what data does each form collect? Where does it go?
- Review your tools — for each tool in your tech stack (analytics, CRM, email, chat, payments), understand what data it collects and processes.
- Check your server logs — understand what your web server records by default (a standard access log captures the client IP address, timestamp, requested URL, referrer and user agent for every request).
- Review third-party DPAs — for each vendor, sign their Data Processing Agreement and understand their data practices.
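The "scan your site" step above, and the template problem described earlier (a policy that names Stripe while missing the pixel that actually fires on every page), both come down to one check: which third-party hosts does a page really contact, and does the policy name those vendors? The script below is an added example, not Custodia's code or anything from the original page. It parses a constructed sample page, collects every URL that makes the browser contact another host (script, img, iframe and link tags, plus URLs inside inline tag-loader snippets), keeps the ones outside the site's own domain, maps them to vendors through an assumed host-to-vendor table, and reports what is running but undisclosed and what is disclosed but not observed. The hostnames in `KNOWN_HOSTS` are assumptions for the example and should be verified against each vendor's documentation; the `registrable()` helper is a deliberately crude two-label approximation of a public-suffix lookup.

```python
"""Audit which third parties a page actually loads and reconcile the
result with the vendors a privacy policy names. Added example; the
sample page and the host-to-vendor table are constructed/assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed host-to-vendor mapping for this example. Verify every entry
# against the vendor's own documentation before relying on it.
KNOWN_HOSTS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics / Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "px.ads.linkedin.com": "LinkedIn Insight Tag",
    "widget.intercom.io": "Intercom",
    "js.stripe.com": "Stripe",
}

# Constructed sample page (not a real site). The inline snippet mimics the
# common pattern of a tag loader injecting a script element at runtime.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="/static/app.js"></script>
<script>
  (function(){var s=document.createElement('script');
  s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
</head><body>
<img src="https://px.ads.linkedin.com/collect/?pid=1234&amp;fmt=gif" width="1" height="1">
<script src="https://widget.intercom.io/widget/abc123"></script>
<iframe src="https://www.youtube.com/embed/xyz"></iframe>
</body></html>"""

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


class ResourceCollector(HTMLParser):
    """Collects every URL that makes the browser contact another host."""
    LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING_ATTRS.get(tag)
        if attr:
            self.urls.extend(v for k, v in attrs if k == attr and v)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline tag loaders (GTM, Meta Pixel) reveal their target host in code.
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.io; use a public-suffix
    list for ccTLDs such as .co.uk before trusting this in production."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(urls, site_host):
    """Hostnames outside the site's own registrable domain (relative URLs
    have no host and are skipped as first-party)."""
    own = registrable(site_host)
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host and registrable(host) != own:
            hosts.add(host)
    return hosts


def identify(hosts):
    """Map observed hosts to vendors; hosts not in the table are returned
    separately so they get a human look rather than silently dropping out."""
    vendors, unknown = {}, set()
    for host in hosts:
        vendor = KNOWN_HOSTS.get(host)
        if vendor:
            vendors.setdefault(vendor, set()).add(host)
        else:
            unknown.add(host)
    return vendors, unknown


def reconcile(observed_vendors, disclosed_vendors):
    """Undisclosed: running on the page but absent from the policy (the
    Article 13 problem). Stale: named in the policy but not seen on this
    page; check other pages (e.g. checkout) before calling it a template
    leftover."""
    observed, disclosed = set(observed_vendors), set(disclosed_vendors)
    return observed - disclosed, disclosed - observed


def audit(html, site_host, disclosed_vendors):
    collector = ResourceCollector()
    collector.feed(html)
    vendors, unknown = identify(third_party_hosts(collector.urls, site_host))
    undisclosed, stale = reconcile(vendors, disclosed_vendors)
    return {"vendors": vendors, "unidentified": unknown,
            "undisclosed": undisclosed, "stale": stale}


if __name__ == "__main__":
    # A policy that names Google Analytics, Stripe and Mailchimp, checked
    # against what the constructed page actually loads.
    report = audit(SAMPLE_HTML, "example.com",
                   {"Google Analytics / Tag Manager", "Stripe", "Mailchimp"})
    for key in ("undisclosed", "stale", "unidentified"):
        print(f"{key}: {sorted(report[key])}")
```

Run against a real site, feed it the HTML of several representative pages (home, a form page, checkout) rather than one, because vendors such as payment processors are often only loaded where they are used; the `unidentified` set is where the tools a template never heard of turn up.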
Only once you know what you're actually collecting can you write a policy that accurately describes it. This is why generated-from-scan policies are legally stronger than template policies — they're based on what's actually running on your site.
Plain Language Requirement
GDPR's transparency principle requires that privacy information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."
"Using clear and plain language" is a legal requirement — not a style preference. A policy written in dense legal jargon that a non-lawyer can't understand fails the transparency test.
Practical guidance:
- Use short sentences and common words
- Avoid undefined legal terms
- Use headers and bullet points to organise information
- Explain acronyms (DSAR, SCC, DPA) on first use
- Aim for a reading age accessible to the average adult
Placement Requirements: Where Your Policy Must Be Linked
A compliant website privacy policy is only effective if users can find it. Requirements include:
- Footer link — on every page of your website
- At point of data collection — linked in any form that collects personal data (contact forms, newsletter signups, checkout)
- In cookie banners — your consent banner must link to your privacy policy
- In marketing emails — included or linked in every marketing communication
- In apps — accessible within the app itself, not just on the website
CalOPPA requires "conspicuous posting" — which regulators interpret as a clearly visible link, typically in the footer, with wording that reasonably indicates it's a privacy policy (not buried under "Legal" with four other links).
Keeping Your Policy Current: When to Update
Your website privacy policy must stay accurate. Trigger a review and update when:
- You add a new tool that collects or processes personal data (new analytics, new CRM, new payment processor)
- You change a purpose for which you collect data
- You change your data retention periods
- You change how users can exercise their rights
- New laws apply to your business (a new US state privacy law, for example)
- Regulatory guidance changes your understanding of requirements
- You change your business structure (merger, acquisition, change in legal entity)
Best practice: review your website privacy policy at least annually, and check it against your actual tool stack each time. A policy with a 2022 update date that references "our proprietary CRM tool" when you've since migrated to Salesforce is a compliance gap.
Why a Scanned-and-Generated Policy Is Legally Stronger Than a Template
A website privacy policy generated from an actual site scan is more legally defensible than a template for one simple reason: it describes what your website actually does.
When a regulator investigates, they will compare your policy against your actual data practices. A policy that accurately lists Google Analytics and your Mailchimp integration — because those are actually running on your site — stands up to scrutiny. A template that lists 40 possible tools, none of which you use, while missing the Intercom script that's actually firing on every page, does not.
Scan-generated policies also stay current. As you add or remove tools, a re-scan updates the policy accordingly — rather than relying on you to manually update a document most people only look at once.
Get an Accurate Website Privacy Policy for Your Site
The first step is knowing what your site is actually collecting. Custodia scans your website in 60 seconds — no signup required — and identifies every third-party tracker, cookie, and data collection mechanism running on your pages.
From there, you can generate a website privacy policy that accurately reflects your real data practices, with the correct legal bases, retention periods, and third-party disclosures pre-populated based on what we actually found.
Last updated: March 27, 2026. This guide provides general information about privacy policy requirements and does not constitute legal advice. Privacy law is complex and jurisdiction-specific — consult a qualified privacy professional for advice tailored to your situation.