Your Website Needs a Privacy Policy and Here’s What It Must Include

If your website collects any personal data, including analytics cookies, email addresses, or IP addresses in server logs, you need a privacy policy. This isn’t optional advice. It’s a legal requirement in the EU (GDPR), California (CCPA/CPRA), Brazil (LGPD), and an increasing number of other jurisdictions.

The penalties are not theoretical. GDPR fines can reach 4% of annual global revenue or 20 million euros, whichever is higher. In 2023, Meta was fined 1.2 billion euros. In 2022, Amazon was fined 746 million euros. Smaller companies receive smaller fines, but the enforcement actions are real and accelerating.

What a privacy policy must contain

The specific requirements vary by jurisdiction, but every comprehensive privacy policy should address:

What data you collect. Be specific. “Personal information” is too vague. List the categories: names, email addresses, IP addresses, browser information, location data, purchase history, cookies.

How you collect it. Directly from the user (forms, account creation) or automatically (cookies, analytics, server logs). List any third-party sources as well, if applicable.

Why you collect it. GDPR requires a legal basis for each type of processing. The main bases are consent, contract performance, legitimate interest, and legal obligation. “We might use it someday” is not a valid basis.

Who you share it with. Third-party analytics (Google Analytics), payment processors (Stripe), email services (SendGrid), advertising networks. Users have a right to know which companies receive their data.

How long you keep it. Data retention periods must be specified. “Indefinitely” is not compliant. If you keep email addresses for marketing, state the retention period. If you keep server logs, state how long.

User rights. Under GDPR: access, rectification, erasure, portability, restriction, and objection. Under CCPA: know, delete, opt-out of sale, and non-discrimination. Your policy must explain how users exercise these rights.

Contact information. A way for users to reach you with privacy concerns. GDPR may require a Data Protection Officer if you process data at scale.

The Google Analytics problem

If you use Google Analytics, you’re sending user data (IP addresses, browsing behavior, device information) to Google’s servers. Under GDPR, this requires explicit consent before the tracking script loads. Several EU data protection authorities have ruled that Google Analytics transfers to US servers are not GDPR-compliant, even with consent.

Your privacy policy needs to disclose this. Many site owners add Google Analytics without realizing they’ve just created a significant privacy compliance obligation.

Cookie consent is separate from your privacy policy

A privacy policy tells users what you do. Cookie consent asks permission before you do it. They’re related but distinct. Your cookie banner should link to the privacy policy, and the privacy policy should explain your cookie practices in detail.

The ePrivacy Directive (sometimes called the “cookie law”) requires consent before setting non-essential cookies. This means analytics and advertising cookies cannot be set until the user clicks “accept.” Your site must function without those cookies for users who decline.
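The "no tracking script until the user accepts" rule above is easy to get wrong if the analytics tag is simply pasted into the page head. The following is an added example of consent-gated loading, not code from this article or from zovo.one; it assumes the consent decision is stored in web storage under a key named `cookie_consent`, and `ANALYTICS_SRC` is a placeholder URL rather than a real vendor tag.

```javascript
// Consent-gated loading of a non-essential analytics script (added example, not the
// article's code). Assumes consent lives in web storage under CONSENT_KEY; the URL is a placeholder.
const CONSENT_KEY = "cookie_consent";
const ANALYTICS_SRC = "https://analytics.example/tag.js"; // placeholder, not a real tag
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;     // re-ask after ~6 months

// Parse a stored record; anything missing or malformed counts as "no decision".
function parseConsent(raw) {
  if (typeof raw !== "string") return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && typeof rec === "object" &&
        typeof rec.analytics === "boolean" && typeof rec.ts === "number") {
      return rec;
    }
  } catch (_) { /* fall through: treat as undecided */ }
  return null;
}

// Only a fresh, explicit opt-in allows the tag; "undecided" and "declined"
// both block it, so the page works without analytics cookies by default.
function mayLoadAnalytics(raw, nowMs, maxAgeMs = CONSENT_MAX_AGE_MS) {
  const rec = parseConsent(raw);
  return rec !== null && rec.analytics === true && nowMs - rec.ts <= maxAgeMs;
}

// Called on page load; storage/doc are passed in so the logic also runs outside a browser.
function bootAnalytics(storage, doc, nowMs = Date.now()) {
  if (!mayLoadAnalytics(storage.getItem(CONSENT_KEY), nowMs)) return false;
  const tag = doc.createElement("script"); // created only after a valid opt-in
  tag.src = ANALYTICS_SRC;
  tag.async = true;
  doc.head.appendChild(tag);
  return true;
}

// Wire the banner's accept/decline buttons to this.
function recordConsent(storage, analytics, nowMs = Date.now()) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ analytics: analytics, ts: nowMs }));
}

// Withdrawal: drop the record and expire the first-party analytics cookies
// named in cookieNames (which names those are depends on your vendor).
function withdrawConsent(storage, doc, cookieNames) {
  storage.removeItem(CONSENT_KEY);
  for (const name of cookieNames) {
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
}
```

In the browser, call `bootAnalytics(window.localStorage, document)` on every page load and `recordConsent` from the banner; the tag is never injected for users who have not accepted or whose consent has aged out.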

Template generators help but don’t replace legal review

A privacy policy generator creates a solid starting point based on your answers to standard questions. It covers the common scenarios and uses legally appropriate language. But every business has unique circumstances that a template can’t fully address.

I built a privacy policy generator at zovo.one/free-tools/privacy-policy-generator that creates comprehensive policies based on your specific data practices. Answer the questions about what you collect, why, and how, and it generates a policy covering GDPR, CCPA, and general best practices. Use it as a starting point, and consider legal review for complex situations.

I’m Michael Lip. I build free developer tools at zovo.one. 500+ tools, all private, all free.
