Privacy policy requirements
What every privacy policy must contain by jurisdiction.
A privacy policy is mandatory under nearly every privacy law worldwide. The contents differ — but a single well-structured policy can satisfy GDPR, UK GDPR, CCPA/CPRA, LGPD and most others.
Required content (universal core)
- Identity and contact details of the controller (name, address, email, DPO if applicable)
- Categories of personal data collected and the source (collected from user, derived, or third party)
- Purposes of processing for each category
- Legal basis (GDPR-style: consent, contract, legitimate interest, legal obligation, vital interests, public task)
- Recipients — your sub-processors, vendors, and any disclosure to third parties
- Transfers outside the user’s jurisdiction, with the safeguards used (DPF, SCCs, BCRs)
- Retention periods or the criteria used to determine them
- User rights and how to exercise them — see DSAR
- Right to lodge a complaint with the supervisory authority
- Whether providing data is statutory/contractual and the consequence of refusing
- Existence of automated decision-making or profiling, with logic and consequences
Jurisdiction-specific additions
CCPA/CPRA: Categories of “sensitive personal information”, whether you sell or share, “Do Not Sell or Share My Personal Information” link, financial-incentive disclosure if applicable, retention by category, statistics on the past 12 months of DSARs received.
LGPD (Brazil): Identification of the encarregado (DPO), explicit reference to data subject rights under LGPD Art 18.
Quebec Law 25: Mandatory disclosure of automated decisions and the factors involved before the decision is rendered.
India DPDPA: Itemized notice with specific purposes, data subject rights including grievance redressal, Data Protection Officer contact.
Practical structure
The pattern that scales across regimes: opening summary table (1-page TL;DR), then sections matching the universal core list, then per-jurisdiction supplements as toggleable accordions or a single appendix. Date-stamp every change. Maintain a changelog.
Don’t bury the controller’s identity. Don’t write “we may use your data for various purposes” — every regulator now treats this as void for vagueness.
Translation requirements
Privacy policies must be available in the local language of every country a site targets. Germany requires German for German-targeted sites; France requires French under the Loi Toubon; Italy requires Italian; Brazil requires Portuguese. English-only is acceptable in Ireland, the UK and Singapore.
See templates for starting points.