Privacy Policy Requirements: What You Must Include (2026)
A privacy policy is not optional for most websites and apps operating in the United States or serving users in the European Union. Federal law, state statutes, and international regulations all impose specific disclosure requirements, and the consequences of getting it wrong range from regulatory fines to class action lawsuits. This guide breaks down what the law actually requires, jurisdiction by jurisdiction.
Federal Privacy Policy Requirements
The United States lacks a single, comprehensive federal privacy law. Instead, privacy policy obligations come from a patchwork of sector-specific statutes and regulatory enforcement actions.
FTC Act (Section 5)
The Federal Trade Commission enforces privacy policy compliance primarily through Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices." The FTC does not require companies to have a privacy policy, but if a company publishes one, it must follow it. Failing to honor the promises in your privacy policy constitutes a deceptive practice.
The FTC has brought hundreds of enforcement actions against companies for privacy policy violations, resulting in consent orders, multi-million dollar penalties, and mandatory compliance programs. In 2024 alone, the FTC pursued actions against companies for overpromising data deletion, misrepresenting data sharing practices, and using dark patterns to obtain consent.
COPPA (Children's Online Privacy)
The Children's Online Privacy Protection Act (15 USC 6501-6506) imposes the most prescriptive federal privacy policy requirements. Websites and online services directed at children under 13 (or those with actual knowledge they collect data from children under 13) must include a privacy policy that clearly discloses:
- All categories of personal information collected from children
- How the information is used
- Whether information is disclosed to third parties (and to whom)
- A description of parental rights, including the right to review, delete, and refuse further collection
- Contact information for the site operator
- The effective date of the policy
Under the COPPA Rule (16 CFR Part 312), operators must obtain verifiable parental consent before collecting, using, or disclosing a child's personal information. The privacy policy must link directly from the homepage and any page where information is collected from children.
The FTC can impose penalties of up to $50,120 per violation (adjusted for inflation as of 2024) for COPPA violations.
HIPAA (Health Privacy)
The Health Insurance Portability and Accountability Act requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) to provide a Notice of Privacy Practices to patients. This notice must explain how protected health information (PHI) may be used and disclosed, patient rights regarding their PHI, and the entity's legal duties (45 CFR 164.520).
GLBA (Financial Privacy)
The Gramm-Leach-Bliley Act requires financial institutions to provide clear, conspicuous privacy notices explaining their information-sharing practices. The Privacy Rule (Regulation P) mandates annual privacy notices to customers and initial notices to new customers before sharing nonpublic personal information.
California Privacy Policy Requirements
California leads the nation in privacy policy regulation, with multiple overlapping statutes that effectively set the standard for businesses operating online in the US.
CalOPPA (California Online Privacy Protection Act)
CalOPPA (Cal. Bus. & Prof. Code 22575-22579) was the first US law to require commercial websites and online services to post a privacy policy. Its reach extends beyond California: any operator that collects personally identifiable information from California consumers must comply, regardless of where the business is located.
CalOPPA requires the privacy policy to:
- Identify the categories of PII collected and the categories of third parties with whom it may be shared
- Describe the process for notifying users of material changes to the policy
- Identify its effective date
- Disclose how the operator responds to Do Not Track signals
- Disclose whether third parties may collect PII about users' online activities across different websites
- Be conspicuously posted (linked from the homepage using the word "privacy")
Violations of CalOPPA can be enforced by the California Attorney General, with penalties of up to $2,500 per violation after a 30-day cure period.
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
The CCPA, as amended by the CPRA (effective January 1, 2023), imposes the most detailed privacy policy requirements of any US state law. Under Cal. Civ. Code 1798.100(b), businesses that meet the applicability thresholds must disclose in their privacy policy:
Categories of personal information collected in the preceding 12 months, organized by the statutory categories (identifiers, commercial information, internet activity, geolocation, biometric data, professional information, education information, inferences, and sensitive personal information).
Purposes of collection for each category. Generic statements like "to improve our services" are insufficient. The CCPA requires specificity about each business or commercial purpose.
Sources of personal information. Businesses must identify the categories of sources from which personal information is collected.
Third-party sharing and selling. The policy must disclose whether personal information is sold or shared for cross-context behavioral advertising, which categories are sold or shared, and to which categories of third parties.
Retention periods. The CPRA added a requirement to disclose the retention period for each category of personal information, or the criteria used to determine the period (Cal. Civ. Code 1798.100(a)(3)).
Consumer rights. The policy must describe the right to know, right to delete, right to correct, right to opt out of sale/sharing, and right to limit use of sensitive personal information, along with instructions for exercising each right.
Do Not Sell link. Businesses that sell or share personal information must include a "Do Not Sell or Share My Personal Information" link on their homepage.
The California Privacy Protection Agency (CPPA) and the California Attorney General can impose penalties of $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors' data.
California's Age-Appropriate Design Code Act
Effective July 1, 2024 (though enforcement was temporarily enjoined), the CAADCA adds requirements for businesses offering online services likely to be accessed by children under 18. Privacy policies must include a data protection impact assessment for features likely to be accessed by minors.
Other State Privacy Policy Requirements
Colorado Privacy Act
Colorado's CPA (effective July 1, 2023) requires controllers to provide a privacy notice that includes: categories of personal data processed, purposes, consumer rights (access, delete, correct, opt out), categories of third parties receiving data, and how to exercise rights. Notably, Colorado requires disclosure of profiling activities and the right to opt out of profiling for decisions with legal or similarly significant effects.
Virginia Consumer Data Protection Act
Virginia's VCDPA (effective January 1, 2023) requires privacy notices covering: categories of data processed, purposes, consumer rights (access, delete, correct, portability, opt out of targeted advertising/sale/profiling), a description of the appeals process if a rights request is denied, and categories of third parties receiving data.
Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, and Others
As of early 2026, over 15 US states have enacted comprehensive privacy laws with privacy policy requirements. See the full US state privacy laws comparison for details. While the specifics vary, most follow the same general template: disclose what you collect, why, who you share it with, how long you keep it, and what rights consumers have. The trend is toward increasing granularity, with newer laws adding requirements for sensitive data disclosures, automated decision-making transparency, and minors' data protections.
GDPR Privacy Policy Requirements
The GDPR imposes the most detailed privacy notice requirements of any global framework. Articles 13 and 14 specify what must be disclosed depending on whether data is collected directly from the data subject or obtained from a third party.
Article 13 (Direct Collection) Requirements
When collecting personal data directly from the data subject, the controller must provide:
- Identity and contact details of the controller (and representative, if applicable)
- Contact details of the DPO (if one exists)
- The purposes of processing and the legal basis for each purpose
- Legitimate interests relied upon (if using that basis)
- Recipients or categories of recipients of the data
- Whether data will be transferred to a third country and the safeguards in place
- Retention period (or criteria for determining it)
- All data subject rights: access, rectification, erasure, restriction, portability, objection
- Right to withdraw consent (if consent is the legal basis)
- Right to lodge a complaint with a supervisory authority
- Whether provision of data is a statutory or contractual requirement
- Existence of automated decision-making, including profiling, with meaningful information about the logic, significance, and consequences
Article 14 (Indirect Collection) Additions
When data is obtained from a source other than the data subject, the controller must additionally disclose the categories of personal data obtained and the source of the data.
Plain Language Requirement
Article 12 requires that all of this information be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." Privacy policies written in dense legal jargon violate this requirement. Several data protection authorities (notably France's CNIL and Ireland's DPC) have cited lack of transparency as the basis for enforcement actions.
GDPR Penalties
Failure to provide adequate transparency (including an insufficient privacy policy) can result in fines of up to 20 million euros or 4% of global annual turnover under Article 83(5)(b).
Plain Language and Accessibility Requirements
Beyond the GDPR's explicit plain language mandate, several US standards and laws push toward readable privacy policies.
The FTC has repeatedly emphasized that privacy policies must be understandable to ordinary consumers. In enforcement actions, the FTC has cited buried disclosures, contradictory statements, and overly technical language as deceptive practices.
Readability benchmarks. While no US law specifies a reading level for privacy policies, best practice (and the standard used in several FTC consent orders) targets an 8th-grade reading level. Research published by Stanford University and Carnegie Mellon found that most privacy policies require a college reading level, which is well above what regulators expect. For cookie-specific disclosure requirements, see our cookie banner requirements guide.
Multi-language requirements. The GDPR requires the privacy notice to be in the language of the data subjects served. Under the CCPA, businesses must provide privacy notices "in the languages in which they provide" their products or services. California regulations specifically require that the notice be available in every language the website or app supports.
Accessibility. Under the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act, privacy policies on government and publicly accessible websites should be compatible with screen readers and meet WCAG 2.1 AA standards. Several courts have extended ADA web accessibility requirements to private websites.
How Often to Update Your Privacy Policy
No US federal law specifies an update frequency. However, practical requirements effectively mandate regular reviews:
- CCPA: The policy must include the date it was last updated and must be reviewed and updated at least once every 12 months (CCPA Regulations 11 CCR 7011).
- CalOPPA: Requires description of the process for notifying users of material changes.
- GDPR: No specific update frequency, but the policy must be accurate at all times. Material changes to processing activities require updated notices.
Best practice is to review the privacy policy whenever:
- A new category of personal data is collected
- Data is shared with a new category of third parties
- A new privacy law takes effect in a jurisdiction where you operate
- Processing purposes change
- A data breach occurs that changes your security posture
Common Privacy Policy Mistakes
Several recurring errors expose businesses to enforcement risk:
Copy-paste templates. Generic privacy policy generators produce policies that may not accurately reflect the business's actual data practices. Regulators have fined companies for privacy policies that described data practices the company did not actually engage in (and vice versa).
Overpromising on data deletion. Stating that data "will be deleted upon request" without accounting for legal retention obligations, backup systems, or third-party data sharing creates a deceptive practice if the company cannot actually fulfill the promise.
Missing the "sale" definition. Under the CCPA, "sale" includes sharing personal information for monetary or "other valuable consideration." Many companies fail to disclose ad-tech partnerships, analytics sharing, and data broker relationships that constitute a "sale" under this broad definition.
Burying the opt-out. Both the CCPA and GDPR require that opt-out mechanisms and rights descriptions be easy to find. Requiring consumers to navigate through multiple pages to find opt-out links has been cited in enforcement actions.
Not covering all data sources. Privacy policies often describe website data collection but omit offline data collection, mobile app data, IoT device data, or data obtained from third-party brokers.
This article provides general legal information about privacy policy requirements across US and international jurisdictions. Privacy laws change frequently and vary by state and country. Consult an attorney for advice specific to your situation.
Sources and References
- FTC Act Section 5 - Unfair or Deceptive Acts or Practices (ftc.gov)
- COPPA (15 USC 6501-6506) (law.cornell.edu)
- COPPA Rule (16 CFR Part 312) (law.cornell.edu)
- HIPAA Notice of Privacy Practices (45 CFR 164.520) (law.cornell.edu)
- CalOPPA (Cal. Bus. & Prof. Code 22575) (leginfo.legislature.ca.gov)
- CCPA Section 1798.100 (leginfo.legislature.ca.gov)
- CPPA Regulations (11 CCR 7011) (cppa.ca.gov)
- GDPR Article 13 - Transparency Requirements (gdpr-info.eu)
- GDPR Article 12 - Transparent Information and Communication (gdpr-info.eu)
- GDPR Article 83 - Administrative Fines (gdpr-info.eu)
- GLBA Privacy Rule (Regulation P) (law.cornell.edu)