Do I need a privacy policy if my website doesn't collect personal data?

Almost certainly yes. Even a static brochure site typically collects IP addresses (a personal identifier under GDPR), uses Google Analytics or Plausible (which logs cookies and device fingerprints), embeds YouTube or Vimeo (which set tracking cookies), or has a contact form (which captures email and name). Under GDPR, CCPA, COPPA, and most modern privacy laws, all of these activities trigger disclosure obligations. The safe rule: if your site has any JavaScript, any third-party embed, any form, or any analytics, you need a privacy policy. The only sites that genuinely don't need one are pure static HTML pages with no tracking, no forms, no embeds, served from a CDN that doesn't log IPs — extremely rare in 2026. The cost of having one is near-zero (10 minutes to generate); the cost of not having one ranges from $2K state-level CCPA fines to €20M GDPR enforcement actions for repeat or willful violators.

What's the difference between GDPR, CCPA, and COPPA?

GDPR (EU General Data Protection Regulation, 2018) applies to any business processing personal data of EU/EEA residents, regardless of where the business is located. Maximum fine: €20M or 4% of global annual revenue, whichever is higher. CCPA (California Consumer Privacy Act, 2020, expanded into CPRA in 2023) applies to businesses serving California residents that meet specific revenue or volume thresholds ($25M annual revenue, 100K+ consumer records, or 50%+ revenue from data sales). Maximum fine: $7,500 per intentional violation. COPPA (Children's Online Privacy Protection Act, 1998, U.S.) applies to any service "directed to children under 13" or with "actual knowledge" of collecting children's data. Maximum fine: $51,744 per violation in 2026 (FTC inflation-adjusted). The three regulations differ in scope, consent requirements, and enforcement, but a well-drafted privacy policy can address all three with layered disclosures. Other regimes (LGPD in Brazil, PIPEDA in Canada, PIPL in China, India's DPDPA 2023) follow similar structures.

How often should I update my privacy policy?

Review and update at least every 12 months as a baseline, and immediately whenever you: add a new data-collecting tool (analytics, CRM, support chat), change how data is shared with third parties, add a new feature that processes personal data (AI features, recommendation engines, personalization), enter a new geographic market with different privacy laws, or experience a material data breach. GDPR Article 13 and CCPA both require notification of "material changes" via banner or email; minor wording fixes don't require notification. Best practice is to maintain a "Last Updated" date at the top of the policy and a versioned changelog at the bottom showing what changed and when. Iubenda's 2025 industry benchmark found that fewer than 18% of small-business privacy policies were updated within the past 12 months, and over 40% mentioned third-party tools (Google Analytics 3, Mailchimp Mandrill) that have been deprecated for years. Stale policies are a red flag for regulators.

What is consent under GDPR and how is it different from "opt-out"?

GDPR requires "freely given, specific, informed, and unambiguous" consent before processing most personal data — the user must take an affirmative action (clicking "Accept" on a cookie banner, ticking an unchecked checkbox). Pre-checked boxes, implied consent through site usage, or consent buried in a long privacy policy don't qualify. CCPA, by contrast, operates on an opt-out model: businesses can collect and process data by default, and consumers have the right to opt out of "sale" or "sharing" of personal information. The two models conflict on default behavior. Best practice for a U.S./EU-serving website: use a CMP (consent management platform) like OneTrust, Cookiebot, Iubenda, or Klaro that geo-detects the user and presents the appropriate banner — opt-in for EU/UK/Brazil, opt-out for U.S. (with the IAB CCPA opt-out signal). The IAB TCF v2.2 framework standardizes how consent strings flow from the CMP to ad-tech vendors; almost all programmatic ad partners require TCF compliance to bid on EU traffic.

How do cookie banners work and which one should I use?

Cookie banners are GDPR-compliance widgets that present a consent choice on first visit and then store the user's preferences in a first-party cookie. The major options in 2026: Cookiebot (Cybot, ~$8-79/mo), OneTrust ($50K+/year enterprise), Iubenda ($27-99/mo), Termly (free with limits, $10-39/mo paid), CookieYes (free with limits, $10-50/mo), and Klaro (open-source, self-hosted free). Differences: Cookiebot has the largest cookie database for auto-detection (12,000+ cookies); OneTrust dominates enterprise compliance suites; Iubenda has the cleanest UX and best multi-language support; Termly is the cheapest paid option with reasonable features; CookieYes is similar to Termly but with weaker cookie detection; Klaro is the lightest-weight open-source choice. Don't build your own banner — proper TCF v2.2 compliance, cookie scanning, and consent log retention are non-trivial. The banner must include: clear "Accept" and "Reject" options at equal visual weight (the "dark pattern" Reject button hidden in fine print is illegal under GDPR), a link to the privacy policy, and granular toggles for analytics/marketing/preferences.

How long should I retain user data?

Only as long as necessary for the purpose for which it was collected — that's GDPR's "storage limitation" principle. Document specific retention periods in your privacy policy, then enforce them via automated deletion in your data warehouse. Common benchmarks: account data (until account deletion + 30 days for backup propagation), email marketing lists (24 months from last engagement, 36 months max), support tickets (24 months after resolution), payment records (7 years for U.S. tax compliance, varying for EU per member state), analytics logs (14-26 months for Google Analytics 4 default), security logs (12 months for SIEM tools, longer for incident-response purposes). Indefinite retention is essentially never justified except for explicit legal obligations. Implement deletion via scheduled jobs in your data infrastructure (BigQuery, Snowflake, Postgres) — manual deletion never gets done. Retention failures are the most common GDPR violation found in 2024-2025 enforcement actions, accounting for 31% of fines per the EDPB's 2025 annual report.

What is a Data Processing Agreement (DPA) and do I need one?

A DPA is a legal contract between you (the data "controller") and any third party that processes personal data on your behalf (the "processor") — required by GDPR Article 28 and CCPA. Examples of processors: your hosting provider (AWS, Vercel), analytics tool (Google Analytics, Plausible), email platform (Mailchimp, SendGrid), CRM (HubSpot, Salesforce), payment processor (Stripe, Paddle), customer support (Intercom, Zendesk). Each one needs a signed DPA before you start sharing data. Major SaaS vendors auto-include DPAs in their terms; you accept by signing up. Smaller vendors may require manual DPA negotiation. Maintain a "vendor list" with the DPA-signature status for each, updated whenever you onboard a new tool. CCPA has slightly different requirements (called a "service provider agreement"), but the same vendor relationships apply. Failure to have DPAs in place is a strict-liability violation — both you and the processor share fines, and contractual chains can't shift the liability.

Does my mobile app need a privacy policy too?

Yes — and both Apple's App Store and Google Play require one before you can publish. Apple's App Privacy Details (launched 2020 with iOS 14) require you to declare what data your app collects, what it's used for, and whether it's linked to the user's identity. Google Play has a similar Data Safety section (2022). Both stores reject submissions that lack a privacy policy URL or have inconsistent disclosures between the store listing and the policy itself. The mobile policy can be a section within your main website privacy policy, or a separate page — pick whichever matches your IA. Apple specifically scrutinizes apps for kids (COPPA-impacted), apps with location tracking, apps with health data (HIPAA-impacted), and apps with third-party SDK telemetry (Firebase, Facebook SDK, AppsFlyer). Document all SDKs in the policy by name and what each one collects. App Tracking Transparency (ATT) consent is separate from the privacy policy — ATT controls cross-app tracking IDs (IDFA) and requires its own opt-in prompt.

What happens if I have a data breach?

Under GDPR, a personal data breach must be reported to the lead supervisory authority within 72 hours of awareness, except when the breach is "unlikely to result in a risk to the rights and freedoms of natural persons." If high risk, affected individuals must also be notified directly without undue delay. CCPA does not have a 72-hour requirement but does require notification to affected California residents and the state Attorney General if the breach involves Social Security numbers, driver's licenses, or financial account credentials. State-level U.S. breach notification laws vary widely (49 states + DC have their own). Best practice: maintain an incident response runbook with contact templates, regulator notification scripts, and a chain-of-command for the IR lead, legal, and PR. The 2025 Verizon DBIR reports the average breach detection-to-disclosure time is 207 days; cutting that to under 30 days reduces fines and litigation risk by 4-6x. Practice tabletop exercises annually so the runbook isn't cold when you actually need it.

Can I use AI to generate a privacy policy?

Yes for the structural and standard-clause portion, no for the company-specific facts and legal review. AI is excellent at drafting boilerplate sections (definitions, user rights under GDPR, contact information format, retention placeholder language) but cannot determine which third-party tools you actually use, what data those tools collect, what your retention periods are, or whether your business meets CCPA's specific revenue thresholds. The 2025 IAPP guidance explicitly recommends AI-assisted drafting paired with human legal review before publication. Our generator handles the structural draft from your inputs (company name, what data you collect, what tools you use) — but you still need to: (1) verify the tool list matches reality, (2) confirm retention periods are enforceable in your data infrastructure, (3) have a privacy attorney review the final draft for your specific jurisdiction, and (4) maintain it over time. Treat AI-generated policies as a starting point, never as a substitute for legal advice.

Do I need separate policies for different jurisdictions?

Not separate documents — but you do need jurisdiction-specific sections within a single policy. The standard structure: a globally applicable opening (definitions, contact info, what we collect, why), then jurisdiction-specific sections labeled clearly: "Notice to EU/EEA/UK Residents (GDPR)," "Notice to California Residents (CCPA/CPRA)," "Notice to Brazilian Residents (LGPD)," "Notice to Chinese Residents (PIPL)" if applicable. Each jurisdiction-specific section restates the rights and contact channels under that regime in plain language. The "Verifiable Consumer Request" process under CCPA requires specific procedural disclosures (deletion request channel, ID verification process, response timeline) that don't apply to other jurisdictions. The "Data Protection Officer" appointment may be required under GDPR for businesses processing data at scale, but isn't a CCPA concept. Don't try to write a single one-size-fits-all section — regulators expect to see explicit per-jurisdiction language.

How does this compare to Termly, Iubenda, or TermsFeed?

Termly ($10-39/mo, free tier with limits) is the most full-featured paid generator, including auto-updates when laws change, embedded cookie banner, and DPA templates. Iubenda ($27-99/mo) is the European-focused leader with strong multi-language support and tight CMP integration; the same company runs the cookie consent platform. TermsFeed (free for basic, $99-499 for premium) is template-driven without auto-updates. Our generator is free with no usage limits, produces a customizable policy structure with GDPR/CCPA/COPPA placeholders, and outputs clean HTML you can paste into any framework. We don't auto-update when laws change (you need to regenerate), don't include a cookie banner (use Cookiebot, Klaro, or similar), and don't handle DPAs (those are vendor-specific contracts). For a basic SaaS, marketing site, or content business, our tool is sufficient. For an enterprise B2B SaaS with multiple data flows, regulated industries (healthcare, finance), or international operations, the auto-updating paid services are worth the cost.

Privacy Policy Generator

Generate a comprehensive privacy policy for your website or app step by step.

Company Profile

Let's start with the basics. This information will be used to identify your organization throughout the legal documents.

Business Legal Name*

Website URL

Physical Headquarters

Street Address

City

State

ZIP

info

Ensure the legal name matches exactly as it appears on your formation documents. This is critical for the legal enforceability of your privacy policy.

STEP 1 / 5

What this tool does

Privacy Policy Generator delivers fast, reliable results for generate a customizable privacy policy. gdpr, ccpa-aware. cookies, analytics, th.

Designed to fit into your existing SEO and content workflow with no setup overhead.

How to use it

Five steps.

Enter your company details

Provide company name, contact email, business address, and your business model (SaaS, ecommerce, content site, mobile app).

List the data you collect

Check off categories — account info, payment info, analytics, marketing, support tickets, location, etc — to drive specific disclosure clauses.

List your third-party tools

Add Stripe, Mailchimp, Google Analytics, HubSpot, or whatever vendors you use; the policy will reference them by name.

Generate the policy

Click Generate to produce HTML output with GDPR, CCPA, and COPPA placeholders matched to your inputs.

Have a privacy attorney review

Before publishing, send the draft to a privacy attorney for jurisdiction-specific review — AI drafts are starting points, not legal advice.

When teams use it

Six common workflows.

Indie SaaS launching with first paying customers

A solo founder shipping their first paid SaaS to U.S. and EU users needs a GDPR/CCPA-compliant privacy policy that covers Stripe, Mailchimp, PostHog, and Google Analytics — without paying $99-499 for TermsFeed Premium or hiring a $400/hr privacy lawyer for the first draft.

Ecommerce store on Shopify or Stripe Checkout

A direct-to-consumer ecommerce founder with payment processing, email marketing, abandoned-cart tracking, and customer reviews needs a policy disclosing all payment, marketing, and analytics tools by name with retention periods and CCPA opt-out language.

Marketing agency redrafting client privacy policies

An agency rebuilding 10+ client websites annually needs a fast, defensible policy template per client that covers each client's actual stack (HubSpot, Intercom, Hotjar) without copy-pasting boilerplate that doesn't match the real data flows.

Content site running ads and affiliate links

A blogger or content publisher running Google AdSense, affiliate networks, and email newsletter subscriptions needs a clear policy disclosing ad tracking, affiliate cookies, and email list practices — with FTC affiliate disclosure language adjacent to the privacy section.

Mobile app submitting to Apple App Store and Google Play

A mobile developer preparing for store submission needs a privacy policy URL that aligns with Apple's App Privacy Details and Google's Data Safety declarations, listing all SDKs (Firebase, AppsFlyer, Sentry) and what each collects.

B2B SaaS pursuing enterprise contracts

A B2B SaaS pursuing enterprise customers needs a policy that satisfies procurement reviews — with explicit DPA language, sub-processor list, security and breach notification commitments, and clear separation of "service data" from "customer content".

Platform guides

Integrate with major platforms.

Next.js / React

Generate the policy in Grigora's tool.
Save the output as app/privacy/page.tsx (App Router) or pages/privacy.js (Pages Router).
Link to /privacy from your site footer and signup form.
Update the "Last Updated" date in the source whenever you change the policy.
Add a redirect from /privacy-policy to /privacy if both URLs are referenced externally.

WordPress

Create a new Page named "Privacy Policy" in WordPress admin.
Switch to the Code Editor view and paste the generated HTML.
Set the page slug to /privacy or /privacy-policy.
Add the Privacy Policy URL in Settings > Privacy.
Link from the footer (theme customizer or widget) and from contact forms.

Webflow

Create a new Page named "Privacy Policy" in the Designer.
Add an Embed element and paste the generated HTML.
Set the page slug and SEO meta in page settings.
Add a footer link to /privacy in the Symbols (global footer).
Publish to your live domain.

Shopify

Open Shopify Admin > Online Store > Pages and click "Add page".
Title it "Privacy Policy" and paste the generated HTML in the body.
Save and copy the page URL.
Go to Settings > Policies > Privacy Policy and paste the URL or content into Shopify's native field.
Confirm the policy appears in the checkout flow and footer.

Mobile App (iOS / Android)

Host the privacy policy on your website at a stable URL (e.g., yoursite.com/privacy).
In App Store Connect, paste the URL into the Privacy Policy URL field of your app metadata.
In Google Play Console, paste the same URL into Store Listing > Privacy Policy.
Ensure the policy includes specific SDK disclosures (Firebase, AppsFlyer, etc).
Re-submit if the URL changes; both stores reject builds with a 404 privacy policy URL.

Grigora vs. alternatives

Side-by-side.

Capability	Privacy Policy Generator	Termly	Iubenda	TermsFeed	DIY / Manual
Free tier available	Yes — unlimited	Free with limits	No	Free with branding	No
GDPR + CCPA + COPPA coverage	Yes	Yes	Yes	Limited	Yes
Auto-update when laws change	No (regenerate)	Yes	Yes	No	Yes
Multi-language support	English only	Yes (8 langs)	Yes (10+ langs)	No	Yes
Embedded cookie banner included	No (use Klaro/Cookiebot)	Yes	Yes	No	Yes
Mobile app store-ready	Yes	Yes	Yes	Limited	Yes
Pricing for solo founder	Free	$10-39/mo	$27-99/mo	Free with branding	$99-499 one-time
DPA / sub-processor list templates	No	Yes	Yes	No	Yes

Common errors and fixes

Eight issues users hit.

No privacy policy on the site at all

Cause: Founder assumed only ecommerce sites need one.

Fix: Generate and publish a policy at /privacy or /privacy-policy; link it from every page footer and from form submissions.

Stale policy referencing deprecated tools (Universal Analytics)

Cause: Policy was written in 2021 and never updated.

Fix: Audit current third-party tools, regenerate the policy, and update the "Last Updated" date.

Missing CCPA-specific disclosures

Cause: Used a GDPR-only template that omits California rights.

Fix: Add a "Notice to California Residents" section with sale/sharing opt-out language and Verifiable Consumer Request procedures.

No data retention periods specified

Cause: Boilerplate said "as long as necessary" without specifics.

Fix: List concrete retention durations per data category (account data, email lists, analytics logs, payment records).

Cookie banner with hidden Reject button

Cause: Designer made Accept prominent and Reject hidden in a sub-menu.

Fix: Show Accept and Reject at equal visual weight; the "dark pattern" Reject hidden behind a link violates GDPR per 2023 EDPB guidance.

No DPA signed with key processors (Mailchimp, Stripe)

Cause: Founder signed up to vendors without reading the terms.

Fix: Audit your vendor list, confirm DPA is in place for each (most major SaaS auto-include in TOS), document the status.

Privacy policy contradicts what the cookie banner says

Cause: Banner offers granular cookie categories but the policy doesn't describe them.

Fix: Align the policy's cookie section with the categories shown in the banner; both should reference the same vendor list.

Children's data collection without COPPA disclosure

Cause: App or site that's "general audience" but actually appeals to under-13s.

Fix: If 25%+ of users could be under 13, add COPPA-compliant parental consent flow and explicit COPPA section in the policy.

Original data

2026 study.

€20M / 4% global revenue

Maximum GDPR fine in 2026

$7,500

Maximum CCPA fine per intentional violation

<18%

Small-business privacy policies updated within past 12 months

72 hours

GDPR breach notification deadline

Frequently asked questions

Twelve answers.

Related free tools

Other utilities.

Try Privacy Policy Generator now

Free, unlimited, no signup.

Try the Tool