Privacy Policy Requirements Checklist for Websites & Apps

James Ó Nuanáin, CIPP/E, CIPM, CIPT

written by James Ó Nuanáin, CIPP/E, CIPM, CIPT September 8, 2023

Generate a Free Privacy Policy
Ultimate-Privacy-Policy-Checklist-for-Businesses-01

I’ll start with a bold statement: All businesses of any size operating online that collect customer data need a privacy policy, including website owners, app owners, and anyone in between.

A privacy policy is required by law for many businesses, but it also shows consumers that you’re honest about your data processing activities.

So, let me proudly present you with the ultimate privacy policy requirements checklist — I’ll walk you through what goes into a privacy policy to what laws require them to where you need to post them on your site, and so much more.

Table of Contents
  1. Privacy Policy Checklist
  2. Legal Requirements for Privacy Policies
  3. Privacy Policy Requirements Explained
  4. Tips for Complying With Privacy Policy Requirements
  5. Penalties for Not Complying With Privacy Policy Laws
  6. How Termly Helps Your Business Create a Privacy Policy
  7. Summary

Privacy Policy Checklist

My checklist includes a breakdown of the legally necessary clauses for your privacy policy, the details you must have within those clauses, and a list of the regulations that require it.

Privacy Policy Clause To-do Required By The…
  • Introductory Clause
  • State your company name
  • Explain who the policy applies to
  • Define relevant terms to be used throughout the policy
  • Link to other relevant documents (like your terms and conditions or cookie policy)
  • Include a ‘last updated’ date and version number near the top of your policy
  • What personal data you collect
  • List all categories of personal information
  • List all categories of sensitive personal information
  • State if you collect neither
  • Why you collect the data 
  • Explain your purpose for collecting the data as well as the legal basis you are relying upon (under the GDPR)

    • Marketing and research purposes
    • Business purposes
    • Targeted ads or analytics
    • Enhancing the user experience
    • To create logins or profiles
    • To complete orders
  • How you collect the personal data
  • Explain how you are gathering the data from the consumer:

    • Voluntarily given by the individual
    • Through payment screens or checkout pages
    • Through online forms
    • By creating an account or user login
    • By placing cookies on users’ browsers
    • In-person (or in-store) recordings
    • NB: Where the personal data you process is not provided by your customer,  you have additional requirements under the GDPR
  • If you share the data with any third parties
  • List what categories of third parties you share or sell personal information to
  • Explain why you share or sell the information
  • State how the information gets shared (i.e., logging in using a social media account)
  • An explanation of your users’ legal rights
  • The rights provided by each law vary, but most of them give users the right to:
    • Access their personal data
    • Request to amend or correct their data
    • Request to delete their data
    • Withdraw their consent to processing
    • Object to, or restrict, the use of their data
    • Obtain a portable copy of their data
    • Opt into or opt out of certain data processing activities
  • A method or explanation for how users can follow through on those data privacy rights
  • A link to a functioning Data Subject Access Request (DSAR or SAR) form
  • State if you honor “Do Not Track” requests and/or Global Privacy Controls (GPC)
  • Provide proper, working contact information
  • A “Do Not Sell or Share my Personal Information” link (under the CCPA/CPRA)
  • A “Limit the Use of my Sensitive Personal Information” link (under the CCPA/CPRA)
  • Explain if sharing the data is voluntary or compulsory, and the consequences for not sharing
  • Clearly inform users if sharing information is required or voluntary
  • State what happens if users choose not to share their personal data
  • A list of applicable laws authorizing or requiring the collection of data (if under PoPIA)
  • Details regarding financial incentives or offers
  • Explain if you provide an incentive (promotion, discount, or other deal) to users who choose to share their information voluntarily
  • Ensure the incentive is equal to the value of the data the user shares with you
  • Information about international data transfers
  • State if you plan to transfer the data internationally
  • Explain what countries the data may get transferred to
  • If necessary, explain that an adequacy decision exists (if under the GDPR)
  • If no adequacy decision exists, explain what safeguards are in place to guarantee the data is safe and how they may obtain a copy of these safeguards
  • Your data retention policy
  • State how long you store personal user data for
  • OR state the process for how you determine how long to retain data to achieve the purposes you explained in your privacy policy
  • Do NOT keep data for longer than necessary
  • Your security measures to protect the personal data
  • Pseudonymisation of the data
  • Encryption of the data
  • Ensure ongoing confidentiality, integrity, resilience, and availability of your processing system and service
  • Have a way to restore the availability or access to personal data, should an event occur
  • Have a process in place for regularly testing, assessing, and evaluating the effectiveness of your security protocols
  • Details about how you make privacy policy updates and inform consumers
  • Update your privacy policy whenever you change your data processing or collection activities
  • Update your privacy policy at least once every 12 months (under the CCPA/CPRA)
  • Re-obtain consent from users whenever appropriate
  • Explain how you’ll update users about the changes to your policy
  • Post a ‘Last Updated’ date clearly on your policy
  • Inform website users they have the right to make a complaint
  • Explain which consumers under which law have the right to submit a complaint about you if they think you’re violating their privacy rights
  • Provide the contact information for the appropriate person or entity to submit those complaints
  • Information about Data Processing Impact Assessments (DPIAs/DPAs/PIAs)
  • Plan to conduct a DPIA/DPA/PIA and explain the process in your privacy policy if you:

    • Use new technologies
    • Track people’s location or behavior
    • Systematically monitor on a large scale a publicly accessible place
    • Process data considered “sensitive personal information”
    • Use the data to make automated decisions that could have legal or significant effects
    • Process children’s data
    • Process data that could result in physical harm to the individuals if it gets leaked
  • Company contact information
  • Full name of company or entity
  • Physical address
  • Working email address and/or phone number
  • Contact Details of your Data Protection Officer, if you have appointed one

This table covers which laws require a privacy policy and their expectations of businesses.

Data Privacy Law Privacy Policy Requirements
🇪🇺 General Data Protection Regulation (GDPR)
  • Your company’s name and contact details
  • Contact details for your Data Protection Officer, if you have one.
  • What personal data you collect
  • How you collect data
  • Why you collect the data (aka, your legal basis)
  • Who you share the data with
  • Details of any transfers of data outside the EU/EEA
  • How long you’ll store the data for
  • Explain how consumers can access their data, request that it be erased or rectified, and object to it being processed
  • Explain your consumers’ right to lodge complaints with their local regulator
  • Explain how consumers can withdraw their consent
  • Explain when the data isn’t collected from the individual
  • Explain if you use automated decision-making or profiling
🇬🇧 The Data Protection Act (UK GDPR)
  • Your company’s name and contact details
  • Contact details for your Data Protection Officer, if you have one.
  • What personal data you collect
  • How you collect data
  • Why you collect the data (aka, your legal basis)
  • Who you share the data with
  • Details of any transfers of data outside the EU/EEA
  • How long you’ll store the data for
  • Explain how consumers can access their data, request that it be erased or rectified, and how they can object to it being used
  • Explain your consumers’ right to lodge complaints with their local regulator
  • Explain how consumers can withdraw their consent
  • Explain when the data isn’t collected from the individual
  • Explain if you use automated decision-making or profiling
🇺🇸 Amended California Consumer Privacy Rights Act (CCPA/CPRA)
  • A description of consumer rights
  • Two or more methods for submitting verifiable consumer requests to act on their rights
  • Categories of personal information collected about consumers
  • The sources where you collect the personal data
  • Your business or commercial purpose for collecting the data
  • The categories of or third parties whom you share the data with (or if you don’t share any data)
  • A list of the categories of personal information shared or sold to any third-party entities
  • A separate list of the categories of data disclosed to others for business purposes
🇺🇸 California Online Privacy Protection Act (CalOPPA)
  • State the effective date
  • List the types of personally identifiable information you collect and how users can opt out of data collection
  • Explain how users can request to review or delete their information
  • Explain how you will communicate changes and updates to the privacy policy
  • Say whether you will share the information will be shared with any third parties
  • Say whether Do Not Track “DNT” requests will be honored or not
🇺🇸 Virginia Consumer Data Privacy Act (VCDPA)
  • Disclose the purpose of processing personal data
  • Categories of data processed
  • Categories of data shared with or sold to third parties
  • Disclose the categories of third parties themselves
  • Explain how consumers can submit requests
  • Provide a mechanism for appeal of decisions related to consumer requests
  • Clearly disclose the processing of personal data for targeted advertising
  • Provide the right to opt out of processing data
🇺🇸 Connecticut Data Protection Act (CTDPA)
  • The categories of personal data processed
  • The purpose of processing personal data
  • How consumers can exercise their rights, including their right to appeal
  • The types of personal data shared with third parties
  • Information about the third parties
  • A way the consumer can contact the data controller online
🇺🇸 Colorado Privacy Act (CPA)
  • What personal data you collect or process
  • Your purpose for collecting and processing the data
  • An explanation of users’ rights and how they can act on them
  • Details about how a user can appeal your choice regarding their request
  • Your company contact information
  • Categories of data shared with third parties, if any
  • The categories of third parties the data gets shared with, if any
  • If the personal data is sold to third parties for targeted advertising
  • How users can opt out of the processing of their data for targeted advertising
🇺🇸 Children’s Online Privacy Protection Act (COPPA)
  • Name, address, and phone number of the company
  • The types of information collected
  • How the information is collected
  • How you use the collected information
  • If you disclose the information to third parties and how those parties use it
  • A description of a legal guardian’s option to consent to the collection of their children’s information without agreeing to the disclosure of that information to third parties
  • An explanation of parental rights to avoid disclosure of more information about children under the age of 13 than is necessary, refuse to provide information about a child and review the information that has been submitted to the operator about the child in question
🇨🇦 Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Disclose your purposes for data collection
  • Explain and implement security measures to protect personal data
  • Explain transparent, open details about data handling practices
  • Say how you meet the ten fair information principles outlined by the law
🇦🇺 Australia’s Privacy Act of 1988
  • Your company name and contact details
  • What personal information you collect and store
  • How you collect the information, and where you store it
  • Reasons why you need to collect the information
  • How you use and disclose the information
  • How users can access their personal information or ask for a correction
  • How users can lodge a complaint if they think their data is mishandled, and how you respond to these complaints
  • If you’re likely to disclose user data outside of Australia, and if so, to what countries
🇳🇿 New Zealand’s Privacy Act of 2020
  • Explain why the data is collected
  • Disclose who receives the data
  • Say if giving the data is compulsory or voluntary
  • State what happens if users don’t share their data
  • Explain users’ right to request to access or correct their data
🇿🇦 South Africa’s Protection of Personal Information Act (PoPIA)
  • Your company’s full name and address
  • The categories of data you collect or process
  • If data is not collected from the user, explain the source from which it’s collected
  • The purpose for why you collect and process the data
  • If giving the information is compulsory or voluntary
  • The consequences if a user does not share their data
  • A list of other relevant laws authorizing (or requiring) the collection of data
  • State if you plan to transfer the data outside of South Africa
  • Who you share the data with
  • Explain your users’ rights to access and rectify their personal data
  • Explain your users’ right to object to the processing of their data
  • Explain your users’ right to submit a complaint to the Information Regulator

Privacy Policy Requirements Explained

In this section, I’ll explain the required clauses from above in more detail.

Personal Data Collection

Every data privacy law gives individuals the right to know what personal data is being collected or processed about them, making this one of the most critical clauses in your privacy policy.

To comply with these laws, you must clearly list all categories of personal data you collect, including sensitive personal information, which is subject to stricter guidelines under the GDPR, the amended CCPA, and the VCDPA.

While the precise definition of personal data varies depending on what legislation you look into, it typically refers to any information that could reasonably be linked to an individual or household, directly or indirectly.

Along with what data you collect, you also need to state:

  • Why you collect the data, including your legal basis if you must comply with laws like the GDPR
  • How you collect the personal data — for example, you might gather the information voluntarily from the user, through web forms, by placing cookies on users’ browsers, or when they sign up for accounts or make purchases, etc.
  • What you do with the data, like using it for marketing or research purposes, to enhance the user experience on your website, or to provide consumers with targeted ads and more specific product recommendations.

Many companies put this information into tables or bullet lists in their privacy policy, with titles representing each specific legal requirement.

This is how the music streaming service Spotify does it, which you can see in the screenshot below showing what data they collect.

Spotify-Personal-Data-Collection

In this next screenshot, you can see Spotify’s table explaining their purpose for using that data.

Spotify-Personal-Data-Collection-purpose

Selling or Sharing of Personal Data

If you share or sell the personal data you collect to any third parties, you must disclose it in your privacy policy. Laws, including the GDPR, the amended CCPA, and others, legally require this.

To comply, you must also list all categories of third parties you share information with or sell the data to directly. For formatting, consider using a table or a bullet list.

Below, see another example of how Spotify writes this clause in its privacy policy.

Spotify-Selling-or-Sharing-of-Personal-Data

Privacy Rights for Consumers

Several data protection laws require you to list individuals’ rights in your privacy policy. A few also stipulate that you must provide instructions or means for following through on those rights.

You can achieve this by creating clauses specific to the users in those regions. For example, if you fall under both the VCDPA and the amended CCPA, make a clause outlining users’ rights in Virginia and another for users in California.

This is how the general merchandise retailer Target does it in their privacy policy, pictured below are their rights pertaining to Californians.

Target-Privacy-Rights-for-Consumers

Next, see their rights pertaining to Virginia residents.

Target-Privacy-Rights-for-Consumers-virginia-residents

Alternatively, you can provide links to completely separate privacy policies based on the unique region of your users.

Whatever method you choose, ensure you follow the specifications outlined by all laws that apply to your business, be it a “Do Not Sell or Share My Personal Information” link as described by the CCPA or a generic Data Subject Access Request (DSAR or SAR) form as recommended for the GDPR.

International Data Transfers

You may be subject to international transfer requirements, particularly by the GDPR and the UK GDPR, if you transfer personal data from users who live in a different country than where your business is located.

Under the GDPR, if an adequacy decision is in place, international data transfer from an EU/EEA nation can occur without other authorizations or assessments.

But if there is no decision in place, as is the case with the US, you must ensure the international transfer meets all requirements outlined by Chapter 5, Articles 44 – 50 of the Regulation.

You also must put a clause in your privacy policy explaining if and where you transfer the data and what protections are in place to ensure the information is appropriately protected and that individuals can follow through on their rights.

See how internet search engine Google writes about international data transfers in their privacy policy below.

Google-International-Data-Transfers

Data Retention Limits

Laws like the GDPR, Canada’s PIPEDA, and others mandate that you can only keep personal data for as long as necessary based on the purposes you outlined in your privacy policy. But you must also describe your data limitation process in a clause within the policy.

If the purpose for collecting personal data doesn’t have a clear end or time limit, explain how you’ll determine when you’ve achieved your goal and no longer need to retain the information.

See how Google writes their data limitation clause in their privacy policy below.

Google-Data-Retention-Limits

Security Measures to Protect Personal Data

Data protection laws like the GDPR and the CCPA hold businesses accountable if personal information gets breached or leaked. You must explain in a clause in your privacy policy what security measures you have in place to prevent this type of cybercrime or error from occurring.

You might consider:

  • Anonymizing the data
  • Encrypting the data
  • Pseudonymization the data

This clause can be short and sweet, but it is legally necessary. Below, see a great example of how the supermarket and general store chain Woolworths phrases the security portion of their privacy policy.

Woolworths-Security-Measures-to-Protect-Personal-Data

Privacy Policy Updates

Legally, your privacy policy must always remain current, so include a clause explaining when you’ll make changes to the policy, why the changes may be necessary, and how you’ll update your users.

The amended CCPA requires you to update your privacy policy at least once every 12 months.

But many of these laws, including the GDPR and the VCDPA, state that you can only use personal data based on what you put in your privacy policy. So you also need to update your policy, inform your users, and sometimes even re-obtain their opt-in consent if you want to change your data collection and processing activities.

See an excellent example of this type of clause from Woolworths’ privacy policy in the screenshot below.

Woolworths-Privacy-Policy-Updates

Remember, this is a living document. It should change as often as you need it to.

Just ensure you properly inform your consumers every time, fix the ‘Last Updated’ date on your policy, and tell your users what exactly is different about your policy.

Submitting Complaints

Laws, including the GDPR, PoPIA, and others, grant individuals the right to submit complaints if they think you violate their data privacy rights.

You must include a clause within your privacy policy explaining this right and giving the proper contact information based on the applicable law.

If you fall under multiple laws, you should consider using a separate clause for each relevant regulator or supervisory authority so your users from those locations can easily find the proper contact information.

Once again, see how Woolworths does it in their privacy policy, shown below.

Woolworths-Submitting-Complaints

For comparison’s sake, this is how simply the popular South African grocery chain Shoprite does it in their privacy policy, highlighted in the screenshot below, to comply with PoPIA.

Shoprite-Submitting-Complaints

Data Processing Impact Assessments (DPIAs)

Where you intend to perform certain types of processing that carry a ‘high risk’ to your consumers, data privacy laws, including the GDPR and the CTDPA, require you to perform DPIAs, and you should explain this process within a clause in your privacy policy to keep your consumers adequately informed.

You must explain that you performed an appropriate DPIA to assess the risks associated with the processing and to identify suitable protections for your users.

Your users also have the right to limit how their sensitive personal data gets used, so give them a way to follow through on their rights regarding this information.

Below, see how higher education group Study.Iceland handles this clause in their privacy policy.

Study-Iceland-Data-Processing-Impact-Assessments-DPIA

Company Contact Information

Several data privacy laws require you to include appropriate contact information within your privacy policy so your users can submit a complaint, ask questions, or request to follow through on their rights to access, amend, or delete their data.

Under the GDPR, if you have appointed a Data Protection Officer, you must also identify them and provide their contact details.

Under laws like COPPA, which protects minors, you must include correct contact information within your privacy policy so legal guardians can protect their children’s privacy rights.

Below, see an example of where the department store Harrods puts their contact details within their privacy policy.

Harrods-Company-Contact-Information

10 Tips for Complying With Privacy Policy Requirements

Before we get to the actual privacy policy checklist, I have a few tips to help you comply with the various privacy policy requirements outlined by the different data privacy laws.

Trust me, I’ve helped many businesses and marketing agencies create privacy policies, and following these tips will make the entire process easier for you.

Penalties for Not Complying With Privacy Policy Laws

I’ve mentioned that violating data privacy laws could lead to hefty fines and a lot of public scrutiny — well, this is where I put my money where my mouth is.

In the table below, read through the financial consequences of violating the data protection laws and regulations I mentioned in the privacy policy checklist.

Data Privacy Law Penalties for Violating the Law
General Data Protection Regulation (GDPR)
  • Maximum penalty of €20 million ($23 million) or 4% of their annual global turnover (whichever is higher)
  • Less severe infractions top out at €10 million ($12 million) or 2% of annual global turnover (whichever is higher)
The Data Protection Act (UK GDPR)
  • Up to £17.5 million or 4% of the global revenue, whichever is greater
  • Or up to £8.7 million or 2% of the worldwide turnover, whichever is greater
Amended California Consumer Privacy Rights Act (CCPA/CPRA)
  • $2,500 per non-intentional violation
  • $7,500 per intentional violation or for offenses involving the personal information of minors under age 16
  • Consumers can pursue private action against a business for the following reasons:
    • Nonencrypted and non-redacted personal information is compromised
    • Email addresses in combination with a password or other details permitting access into an account are breached
California Online Privacy Protection Act (CalOPPA)
  • $2,500 per violation
Virginia Consumer Data Privacy Act (VCDPA)
  • Up to $7,500 per violation
Connecticut Data Protection Act (CTDPA)
  • Up to $5,000 per willful violation
  • Plus equitable remedies, including restitution, disgorgement, and injunctive relief
Colorado Privacy Act (CPA)
  • A range from $2,000 to $20,000 per violation plus possible criminal liabilities
Children’s Online Privacy Protection Act (COPPA)
  • Up to $40,654 per violation
Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Up to $100,000 (CAD) per violation
Australia’s Privacy Act of 1988
  • $50 million;
  • Three times the value of any benefit obtained through the misuse of information;
  • 30 per cent of a company’s adjusted turnover in the relevant period.
New Zealand’s Privacy Act of 2020
  • Up to $10,000
South Africa’s Protection of Personal Information Act (PoPIA)
  • Up to R10 million (about $549,000), up to 10 years in jail, or both.

Depending on the size of your business, not complying with these laws, even by accident, could lead to fines large enough to put your company under.

But beyond losing money, you’d also face public backlash that is arguably just as damaging to your brand as a fine.

Just check out these data privacy statistics suggesting that customers aren’t afraid to end their relationship with you if you don’t treat their personal information with respect:

  • 63% of Internet users believe most companies aren’t transparent about how their data is used, and 48% have stopped shopping with a company because of privacy concerns. (Tableau)
  • 33% of users have terminated relationships with companies over data. They left social media companies, ISPs, retailers, credit card providers, and banks or financial institutions. (Cisco)

The consequences just aren’t worth it. Retain more customers and avoid legal fines and bad press by publishing an honest, compliant privacy policy on your platform.

How Termly Helps Your Business Create a Privacy Policy

By this point, I’ve hopefully convinced you of how essential privacy policies are for businesses operating online.

But don’t worry, you don’t need to make your own — Termly can help do the hard work for you if you use our privacy policy generator or free template.

Termly’s Privacy Policy Generator

Let me take a second to brag about Termly’s privacy policy generator — it’s pretty great.

Our team updates it whenever new regulations enter into force (or if old ones get amended).

Whenever this happens, our customers get emailed with instructions if anything is necessary to ensure compliance with the relevant data privacy laws.

To use it, you just answer easy questions about your business, and it creates a compliant policy based on your answers that’s ready to publish on your website or app.

See a screenshot of it below.

Termly-Privacy-Policy-Generator

Termly’s Privacy Policy Templates

Besides our generator, we also offer a privacy policy template that you can customize to fit any business need you can think of.

Templates require more work on your end because you have to manually fill in the blank sections with details about your business. But it’s already formatted for you and includes clauses that follow the privacy laws I’ve covered in this guide.

Below, see a screenshot of what it looks like.

Termly-Privacy-Policy-Templates

Check out this massive table of guides and templates that you can rely on depending on your industry, what platform you use, or the laws relevant to your business.

Templates by Industry or Privacy Law Templates by Platform or Service

Summary

Privacy policies are essential documents that help businesses comply with applicable laws and build trust by transparently informing users about what you do with their personal information.

With this guide in your toolbox, you’re ready to create a compliant privacy policy that’s extensive enough to follow some of the most significant data privacy laws worldwide.

Pair this information with Termly’s privacy policy generator, and, wow, looks like you’ve just made your privacy compliance process super easy. Nice!

James Ó Nuanáin, CIPP/E, CIPM, CIPT
More about the author

Written by James Ó Nuanáin, CIPP/E, CIPM, CIPT

James is an Information Privacy Professional with over seven years of experience assisting large organizations comply with their obligations under the GPDR and other local privacy regulations. He is passionate about data privacy and the intersection between law and technology. More about the author

Related Articles

Explore more resources