
Privacy Policy Template: What to Include to Stay Compliant in 2026

By Safna | March 31, 2026

Not having a compliant privacy policy puts your website at risk, even if you only collect email addresses. By 2025, GDPR fines had totaled around €1.11 billion, which gives a sense of how seriously regulators take this.

A solid privacy policy template, customized to your actual data practices, is enough for most websites. This guide walks you through exactly what to include and which laws apply to you, and points you to a free privacy policy template.

Key takeaways

  • A privacy policy is legally required if you collect any personal data — including email addresses, IP addresses, or cookies.
  • GDPR (EU), CCPA (California), PIPEDA (Canada), and LGPD (Brazil) all require a publicly accessible privacy policy.
  • In 2026, privacy policies must also address AI and automated decision-making if your site uses those features.

What is a privacy policy and why does every website need one?

A privacy policy is a legal document that tells your visitors what personal data you collect, why you collect it, who you share it with, and how long you keep it.

The GDPR (EU), CCPA (California), PIPEDA (Canada), and LGPD (Brazil) all require a publicly available, jargon-free privacy policy from businesses that collect personal data from users in those regions. GDPR, PIPEDA and LGPD apply regardless of business size; CCPA applies once a business meets the thresholds described below.

Personal data is broader than most people assume. It includes names and email addresses, yes, but also IP addresses, cookie identifiers, and behavioral data collected via Google Analytics or Meta Pixel.

Third-party services add requirements of their own. Google AdSense, Google Analytics, the Apple App Store, and the Meta advertising platform all require you to have a compliant privacy policy before you can use their services.

The penalties for non-compliance aren't theoretical. Under GDPR, fines reach 4% of global annual turnover or €20 million, whichever is higher. Under CCPA, each intentional violation can cost up to $7,500.

Many small businesses assume these laws only apply to large corporations. They don't. The GDPR has no revenue threshold: it applies to any entity processing the personal data of people in the EU, including freelancers and sole traders.

What should a privacy policy include?

A good privacy policy template must cover these sections:

1. Who you are and how to contact you

State your business name, registered address, and a working contact email. Under GDPR, you must also give the contact details of your Data Protection Officer (DPO) if you are required to appoint one. This section tells users who is responsible for their data.

2. What personal data you collect

List every category of personal data you collect. Common categories include contact information (name, email, phone), usage data (IP address, browser type, pages visited), device data, and payment information.

Under CCPA, you must disclose what you collect using the statute's own categories of personal information. Vague statements like "we collect information to improve our service" don't satisfy the requirement.

3. How you collect data

You must describe the methods by which personal data is collected, including direct interactions (such as contact forms, checkout pages, and newsletter signups) and automated means (such as cookies, tracking pixels, analytics tools, and server logs).

4. Why you use it (legal basis)

Under GDPR, you must state the lawful basis for each type of processing. The six lawful bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. CCPA doesn't require a lawful basis in the same way, but you must explain your purposes clearly.

5. Who you share data with

Name the categories of third parties that receive user data. This includes analytics providers (Google, Mixpanel), payment processors (Stripe, PayPal), advertising networks (Meta, Google Ads), and email marketing tools (Mailchimp, Klaviyo).

Under CCPA/CPRA, if you sell personal information or share it for cross-context behavioral advertising (which covers most advertising partners), you must disclose this and provide a "Do Not Sell or Share My Personal Information" link.

6. User rights and how to exercise them

The GDPR grants eight rights: information, access, rectification, erasure, restriction of processing, data portability, objection, and rights relating to automated decision-making. CCPA rights include access, deletion, correction, opting out of sales and sharing, limiting the use of sensitive personal information, and freedom from discrimination for exercising any of these.

Instead of just listing the rights, explain exactly how users can exercise them (a contact email, a web form, a contact number).

7. Cookies and tracking technologies

Describe what cookies you use, what they do, and how users can manage preferences. This is required by the EU's ePrivacy Directive and is expected under CCPA. In this section, provide a link to the detailed cookie policy.

8. Data retention

How long do you keep personal data? Under GDPR, you may only keep data for as long as necessary for the stated purpose. Spell out your retention periods by data category or the criteria for deciding the duration.

9. AI and Automated Decision-Making (New in 2026)

Privacy notices need to catch up with how companies use AI. If you run personal data through AI systems, your notice should say so and explain what the system does with it.

Several states, including Colorado, Virginia and California, give consumers the right to opt out of automated decisions that affect housing, employment or credit. Some, like Colorado, also want plain-language explanations of how the logic works and whether it has been tested for bias.

One practice deserves particular attention: quietly revising your privacy policy to permit new AI uses of data you already hold. The FTC has indicated this could constitute an unfair or deceptive practice. If changes are material, users should be told, not left to discover the revisions on their own.

10. Security measures

Describe the technical and organizational measures you take to protect personal data. You don't need to reveal configuration details, but you should give an overview: encryption in transit and at rest, access controls, and your breach notification procedure. Describe only what you actually do; a policy that promises stronger protections than you have is itself a misrepresentation regulators can act on.

11. International data transfers

If you transfer data from the EU/EEA to a country without an adequacy decision, you must explain how you ensure adequate protection. Standard Contractual Clauses (SCCs) are the most common mechanism; US-based businesses can alternatively certify under the EU-U.S. Data Privacy Framework.

12. Last updated date

Show when the policy was last updated, prominently. Regulators want to see that you maintain your policy over time, and search systems weight content freshness as well. Under CCPA, you must review and update your policy at least once every 12 months.

Which privacy laws apply to your website?

This is the question most website owners get wrong. It's not about where your business is based but about where your users are located.

  • GDPR (EU) and UK GDPR: Apply to any website with users in the EU/EEA or the UK, regardless of where the business operates. There's no revenue threshold. A one-person consulting firm in Texas with EU clients must comply.
  • CCPA/CPRA (California): Applies to for-profit businesses doing business in California that meet one of these thresholds: annual gross revenue above $25 million, buying, selling or sharing the personal information of 100,000+ California consumers or households annually, or deriving 50%+ of revenue from selling or sharing personal information.
  • PIPEDA (Canada): Applies to any private-sector organisation that collects, uses, or discloses personal information in the course of commercial activities involving Canadian residents.
  • LGPD (Brazil): Applies to organisations processing data of individuals in Brazil, regardless of where the organisation is located.
  • New US state laws in 2026: 20+ US state privacy laws are enacted, and each requires a compliant privacy policy. If you have US users and don't know which state laws apply, start with CCPA/CPRA: it's the strictest, and complying with it covers most other states' requirements.

How to write a privacy policy?

Writing a privacy policy from scratch is not easy. You need legal knowledge, familiarity with your own data processing activities, and time to keep it current as laws change. Here's the practical path to write your privacy policy:

Step 1: Audit your data collection

List every tool and mechanism on your site that handles user data. This includes, but isn't limited to, Google Analytics, any contact form plugins, email list sign-up forms, payment processors, live chat widgets, and advertising pixels. Every one of these may collect some form of personal data.
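The audit in Step 1 can be started mechanically. The script below is an added example, not the article's or CookieYes' code: it reads a page's HTML, resolves every script, image, iframe and link reference, and lists the third-party hosts with a best-guess tool and data category so each one can be matched to a disclosure. The KNOWN_HOSTS table, the first-party hostname shop.example and the sample page are constructed for illustration; the Google, Meta and Stripe hostnames are real but the table is far from complete, so anything it cannot classify is flagged for manual review.

```javascript
// Added example for Step 1 (not the article's or CookieYes' code): inventory the
// third-party hosts an HTML page loads resources from. KNOWN_HOSTS is an illustrative
// assumption, not a complete list; unknown hosts are flagged for manual review.
const KNOWN_HOSTS = {
  "www.googletagmanager.com": { tool: "Google Tag Manager / gtag.js", category: "analytics" },
  "www.google-analytics.com": { tool: "Google Analytics", category: "analytics" },
  "connect.facebook.net": { tool: "Meta Pixel", category: "advertising" },
  "www.facebook.com": { tool: "Meta Pixel (noscript image)", category: "advertising" },
  "pagead2.googlesyndication.com": { tool: "Google AdSense", category: "advertising" },
  "js.stripe.com": { tool: "Stripe.js", category: "payment processing" },
  "fonts.googleapis.com": { tool: "Google Fonts", category: "content delivery (visitor IP sent to Google)" },
};

// Match script/img/iframe/link tags and capture their src or href. Inline scripts have
// no src and are ignored; lazy-loading data-src attributes are not matched because the
// attribute name must be preceded by whitespace.
const RESOURCE_RE = /<(script|img|iframe|link)\b[^>]*?\s(?:src|href)=["']([^"']+)["']/gi;

function isFirstParty(hostname, firstPartyHost) {
  return hostname === firstPartyHost || hostname.endsWith(`.${firstPartyHost}`);
}

// Returns one entry per third-party hostname, with the tag types that reference it.
function inventoryThirdParties(html, firstPartyHost) {
  const found = new Map();
  for (const m of html.matchAll(RESOURCE_RE)) {
    const [, tag, ref] = m;
    let url;
    try {
      url = new URL(ref, `https://${firstPartyHost}/`); // resolves relative paths to first party
    } catch {
      continue; // unparsable reference; nothing to attribute
    }
    if (isFirstParty(url.hostname, firstPartyHost)) continue;
    const known = KNOWN_HOSTS[url.hostname] || { tool: "unknown third party", category: "review manually" };
    const entry = found.get(url.hostname) || { hostname: url.hostname, ...known, tags: [] };
    entry.tags.push(tag.toLowerCase());
    found.set(url.hostname, entry);
  }
  return [...found.values()];
}

// Constructed sample page (not a real site); the G-EXAMPLE id is a placeholder.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0&ev=PageView" alt="">
<script src="https://js.stripe.com/v3/"></script>
<script src="https://chat.example-vendor.net/widget.js"></script>
</body></html>`;

for (const e of inventoryThirdParties(SAMPLE_HTML, "shop.example")) {
  console.log(`${e.hostname.padEnd(30)} ${e.tool} [${e.category}] via <${e.tags.join(">, <")}>`);
}
```

The output is a starting list, not the finished audit: the script only sees resources present in the static HTML, so tags injected at runtime by a tag manager or a chat widget still need to be confirmed from the browser's network panel, and each host found should be traced to a line in sections 2, 5 and 7 of the policy.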

Step 2: Choose a privacy policy template or generator

A privacy policy template gives you a starting structure you fill in manually. A privacy policy generator asks questions and produces a tailored document. Generators are faster and easier to update as regulations change, but the output is only as accurate as your answers about what you actually collect.

Step 3: Customise it to your actual data practices

A generic privacy policy that doesn't reflect your real data processing activities is worse than no policy. It creates liability by making promises you don't keep. Therefore, ensure that your privacy policy reflects your real data practices, and re-check it whenever they change.

Step 4: Add your AI and cookie disclosures

If your site uses cookies, tracking pixels, or AI-powered features, these need their own disclosures.

Step 5: Publish it in the right places

Your privacy policy must be easy to find. Link to it in your website footer (visible on every page), on any form or page where you collect personal data, and in any email marketing you send.

Step 6: Set a review reminder

Review your privacy policy routinely. Set a calendar reminder if needed. When you add a new analytics tool, a new payment processor, or an AI feature, update your policy within a reasonable timeframe.

Free privacy policy template vs. privacy policy generator: which should you use?

Both work. They serve slightly different needs.

A free privacy policy template is a document with placeholder text you fill in manually. It's useful if you want to understand what a policy says before publishing it, if you're comfortable reviewing legal language, or if you just need a document format (Word, PDF).

A privacy policy generator asks questions about your business and produces a tailored policy automatically. It's faster, more likely to cover all required elements for your jurisdiction, and easier to update when laws change. If your primary goal is smart compliance, a generator is the right tool.

The risk with copy-pasting any generic template is significant. Privacy policies are copyright-protected documents, and more importantly, a policy that doesn't accurately describe your data practices is legally meaningless. If your policy says you don't share data with third parties, but you run Google Analytics, that's a false statement with legal consequences.

Privacy policy vs. cookie policy: what's the difference?

People mix these up constantly. They're related but not the same document.

A privacy policy covers all personal data your website collects, think of names, emails, payment details, behavioral data, everything. It's required by GDPR, CCPA, PIPEDA, and most major privacy laws.

On the other hand, a cookie policy (also called a cookie notice) specifically addresses the cookies and tracking technologies your website uses. It explains what each cookie does, how long it lasts, who sets it, and how users can manage their preferences. Under the EU's ePrivacy Directive, read together with the GDPR's consent standard, you need a cookie policy and a consent banner that obtains consent before any non-essential cookie is set.

You can include the cookie information inside your privacy policy, but in practice it's cleaner to keep them separate. Your cookie consent banner should link directly to a standalone cookie policy, and your privacy policy should reference and link to that document.
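What the banner has to enforce technically, for section 7 above as well as this one, is shown below as an added example, not code from the article or from CookieYes: non-essential tags are held back until the visitor opts in to their category, the decision is recorded with a timestamp and policy version, and withdrawal returns the cookie names that should be expired. The tag list, the category names, the G-EXAMPLE measurement id and the cookie names are assumptions for illustration.

```javascript
// Added example (not the article's or CookieYes' code): a consent gate that holds
// non-essential tags back until the visitor opts in. TAGS, the categories and the
// cookie names are assumptions constructed for illustration.
const TAGS = [
  { name: "Google Analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", cookies: ["_ga", "_gid"] },
  { name: "Meta Pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js", cookies: ["_fbp"] },
];

// Browser injector: append a <script> tag. The demo below swaps in a recorder so the
// gate can be exercised outside a browser.
function domInjector(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

function createConsentGate(tags, inject, now = () => new Date().toISOString()) {
  const loaded = new Set();
  let record = null; // proof of consent: what was chosen, when, and against which policy version

  // Apply a consent decision. Categories absent from `choices` count as refused, and a
  // tag is injected at most once even if consent is re-applied on later interactions.
  function apply(choices, policyVersion) {
    record = { choices: { ...choices }, policyVersion, at: now() };
    const newlyLoaded = [];
    for (const tag of tags) {
      if (choices[tag.category] === true && !loaded.has(tag.src)) {
        inject(tag.src);
        loaded.add(tag.src);
        newlyLoaded.push(tag.name);
      }
    }
    return newlyLoaded;
  }

  // Withdrawal cannot unload a script that already executed, so the honest remedy is to
  // record the refusal, stop re-injecting on later page loads, and return the cookies
  // that no longer have a legal basis for the caller to expire.
  function withdraw(category) {
    if (!record) return [];
    record = { ...record, choices: { ...record.choices, [category]: false }, at: now() };
    return tags.filter((t) => t.category === category).flatMap((t) => t.cookies);
  }

  return { apply, withdraw, loaded: () => [...loaded], record: () => record };
}

// Stand-alone demo with a recording injector (no DOM required).
const injected = [];
const gate = createConsentGate(TAGS, (src) => injected.push(src), () => "2026-03-31T00:00:00Z");
gate.apply({ analytics: false, marketing: false }, "2026-03-31"); // banner dismissed: nothing loads
gate.apply({ analytics: true, marketing: false }, "2026-03-31");  // opt-in to analytics only
console.log("injected:", injected);
console.log("cookies to expire on withdrawal:", gate.withdraw("analytics"));
console.log("consent record:", JSON.stringify(gate.record()));
```

In a browser, pass domInjector as the inject argument and persist the consent record alongside the policy version it was given against, so a material policy change can trigger a fresh prompt. The failure mode the gate makes explicit is the one that matters in an audit: a tag that already executed cannot be taken back by withdrawing consent, so the opt-in must be checked before injection, never after.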

CookieYes handles both. The privacy policy generator covers your full data practices, while the cookie consent management platform and cookie policy generator handle cookie-specific compliance.

👉 Explore the Cookie Policy generator's features.

Frequently asked questions

Do I need a privacy policy if I only collect email addresses?

Yes. Email addresses are personal data under virtually all privacy laws: GDPR, CCPA, PIPEDA, and CalOPPA all require a privacy policy if you collect email addresses, even through a simple newsletter signup. The GDPR has no minimum data volume threshold.

Can I copy someone else's privacy policy?

No, and this is a common mistake with serious consequences. Privacy policies are copyright-protected legal documents. More importantly, a copied policy almost certainly won't match your actual data practices. A policy that misrepresents how you handle data creates legal liability, not compliance.

How often do I need to update my privacy policy?

At a minimum, annually. You should also update your policy whenever your data practices change: when you add a new analytics tool, a new payment processor, a new advertising partner, or any AI-powered feature. Show the last updated date prominently.

What's the difference between a privacy policy and terms of service?

A privacy policy explains how you handle user data and is legally required if you collect personal information. Terms of service outline the rules for using your website and protect your business interests. Most websites need both, and they serve different purposes. Neither replaces the other.

Is a free privacy policy template good enough?

It can be, if it's customised to reflect your actual data practices and covers the laws that apply to your users. A generic, uncustomised template is not enough. A generator that asks about your specific business and produces a tailored policy is safer and faster than filling in a blank template manually.

Generate your free privacy policy with Privacy Policy Generator

Privacy policy generator by CookieYes produces a compliant, plain-language privacy policy in a few minutes.

What laws it covers:

  • GDPR (EU and UK)
  • CCPA/CPRA (California)
  • PIPEDA (Canada)
  • LGPD (Brazil)
  • VCDPA (Virginia), CTDPA (Connecticut), CPA (Colorado), and more US state laws
  • PDPA (Singapore), PDPL (Saudi Arabia), POPIA (South Africa), and other global regulations

How it works:

  1. Answer a short set of questions about your business and data practices
  2. The generator produces a customized privacy policy tailored to your selected laws
  3. Copy the text or embed the HTML directly on your website

For ongoing compliance, CookieYes is a complete privacy tech companion that unifies consent management, cookie policies, and privacy policies into a single, intelligent platform.

Create your privacy policy for free

Answer a few questions, and you'll have your privacy policy ready!


Safna

CIPP/E from the International Association of Privacy Professionals (IAPP) | Data privacy writer at CookieYes.