Yes, almost certainly. Any website that collects personal data needs a privacy policy. That includes running Google Analytics, showing ads, having a contact form, taking payments, or serving visitors from the EU, UK, Canada, or Australia. The platform you use likely requires one too.
Below: which laws apply by region, which third-party tools force the issue, what happens if you skip it, and the honest exception.
Do You Need a Privacy Policy? The Short Answer
You need a privacy policy the moment your website collects, stores, or processes any personal information. That means names, email addresses, IP addresses, cookies, payment data, or device identifiers. Analytics tools, contact forms, newsletter signups, ad scripts, and e-commerce checkouts all trigger this requirement. The only realistic exception is a truly static website that collects nothing at all.
The Quick Check: Signs You Need One
Run this quick check against your own site.
| If your site does any of this | You need a privacy policy |
|---|---|
| Uses Google Analytics, Plausible, or any analytics tool | Yes |
| Shows ads via Google AdSense, Meta, or any ad network | Yes |
| Has a contact form, comment section, or newsletter signup | Yes |
| Lets users create accounts or log in | Yes |
| Sells products or takes payments via Stripe or PayPal | Yes |
| Sets non-essential cookies or tracking scripts | Yes |
| Receives visitors from the EU, UK, Canada, or Australia | Yes |
| Is published as an app on the Apple App Store | Yes (all apps, unconditionally) |
| Is published on Google Play | Yes (all apps, even with no data collected) |
| None of the above, and the site is genuinely static | You may not need one (see below) |
For a full explanation of what a privacy policy is and what it must cover, see our dedicated explainer.
When Is a Privacy Policy Legally Required?
Privacy law applies based on where your visitors are, not only where your business is based. A US-based business serving EU visitors is subject to GDPR. An Australian business collecting emails from California residents must consider CCPA. Every major jurisdiction now has its own rule.
GDPR (European Union and UK Visitors)
GDPR requires a privacy notice from any organisation that processes personal data of people in the EU, regardless of where that organisation is based. Article 3 of the GDPR establishes this extraterritorial reach explicitly. A UK startup, a US SaaS company, and a Brazilian e-commerce store are all in scope if they have EU users.
Articles 13 and 14 of the GDPR specify what the notice must disclose. At collection, you must tell users who you are, what data you collect, why you collect it, and how long you keep it. You must also name who you share it with and how users can exercise their rights. A privacy policy is the standard mechanism for meeting this obligation.
The UK operates under UK GDPR (post-Brexit), enforced by the ICO. The ICO's position on small organisations is clear:
"If your company holds personal data, which is generally any small business, charity or group that has information about people such as their names and email addresses, you'll need a privacy notice."
The Data (Use and Access) Act 2026 received Royal Assent on 19 June 2026. Its provisions are in force, with commencement plans still being published. The maximum GDPR fine is 20 million euros or 4% of annual global turnover, whichever is higher.
For the full breakdown of what a GDPR-compliant privacy policy must include, see our dedicated guide.
CCPA and US State Privacy Laws
California's CCPA covers for-profit businesses operating in California. It applies if the business meets any one of three thresholds.
- Annual gross revenue over $25 million
- Buying, selling, or sharing personal information of 100,000 or more California consumers or households per year
- Deriving 50% or more of annual revenue from selling California residents' personal information
Non-profits and government entities are exempt from CCPA. Many small websites fall below all three thresholds, but two other triggers often still apply.
First, CalOPPA, California's older 2004 privacy law, covers any commercial website that collects personally identifiable information from California residents with no revenue threshold at all. A blog with a contact form and California visitors likely falls within CalOPPA even if CCPA does not apply.
Second, other US states have enacted their own laws. Virginia (VCDPA), Colorado (CPA), Connecticut, Utah, Texas, and a growing list of additional states now have privacy statutes. Most include privacy policy disclosure requirements.
When CCPA does apply, the policy must disclose the consumer rights below.
- Know what personal information is collected and how it is used
- Delete their personal information
- Opt out of the sale or sharing of their personal information
- Correct inaccurate personal information
- Limit the use of sensitive personal information
- Non-discrimination for exercising these rights
CCPA penalties are $2,500 per unintentional violation and $7,500 per intentional violation or any violation involving minors.
PIPEDA (Canada)
Canada's PIPEDA applies to private-sector organisations handling personal information in the course of commercial activity. Principle 8 of PIPEDA, the Openness principle, requires organisations to make their privacy policies and practices readily available to individuals. In practice, that means publishing a privacy policy.
Provinces with substantially similar legislation (Alberta, British Columbia, and Quebec) have their own laws that displace PIPEDA for provincially-regulated activities. Quebec's Law 25 (fully in force since September 2023) is the strictest. It requires a publicly available privacy policy and a designated privacy governance officer. Fines reach CAD $25 million or 4% of worldwide turnover.
The Privacy Act and APP 1 (Australia)
Australia's Australian Privacy Principle 1 (APP 1) requires covered organisations to publish a "clearly expressed and up-to-date APP Privacy Policy," available free of charge. The Privacy Act applies to private-sector organisations with annual turnover over AUD $3 million.
APP 1 specifies what the policy must cover:
- The kinds of personal information collected
- How it is collected and held
- The purposes for which it is collected, held, used, and disclosed
- How to access and correct your personal information
- How to make a privacy complaint and how it will be handled
- Whether personal information is likely to be disclosed overseas
Organisations under the AUD $3 million threshold are generally exempt. Health service providers, credit reporting bodies, and organisations that trade in personal information are not exempt. From December 2026, additional disclosure is required for automated decision-making systems affecting individual rights.
COPPA and Sector Laws (US Children, Health, and Finance)
The US has no single federal law requiring all websites to post a privacy policy. But three sector laws make it mandatory for specific audiences.
- COPPA applies to websites and online services directed to children under 13, or that have actual knowledge they are collecting data from children under 13. COPPA-covered operators must post a privacy policy disclosing what information is collected, how it is used, whether it is shared with third parties, and how parents can exercise their rights. Penalties reach $51,744 per violation. See FTC guidance on COPPA for the full requirements.
- HIPAA applies to covered entities handling protected health information.
- GLBA applies to financial institutions under FTC jurisdiction.
If your site or app falls into one of these categories, a privacy policy is mandatory and prescriptive.
The Third-Party Services That Force You to Have One
Even if no law technically applies to your site, the third-party tools you use almost certainly require a privacy policy in their terms of service. Violating those terms risks account suspension before any regulator acts.
Here are the common services and what each requires:
| Service | What the terms require |
|---|---|
| Google Analytics | ToS §7 states: "You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies, identifiers for mobile devices or similar technology used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data." |
| Google AdSense and Google Ads | Require a privacy policy disclosing data collection and ad personalization. |
| Meta (Facebook) Ads and Pixel | Require a privacy policy covering the data collected and shared with Meta. |
| Stripe | Terms require a privacy policy disclosing how payment data is collected, stored, and processed. |
| PayPal | Terms require a privacy policy covering data collection and use. |
| Mailchimp and email tools | Terms require disclosure of how subscriber data is collected and used. |
| Apple App Store | Guideline 5.1.1 requires ALL apps to include a link to their privacy policy in App Store Connect metadata and within the app itself, unconditionally. |
| Google Play | Policy states all apps must post a privacy policy, including "apps that do not access any personal and sensitive user data." |
The "I don't sell anything" argument does not hold. A site with a free newsletter and Google Analytics has triggered the Google Analytics ToS, ePrivacy rules, and likely GDPR or CalOPPA. That happens before any commercial activity begins.
Do You Need a Privacy Policy for an App, Blog, or Small Business?
For apps: Yes, unconditionally. Both Apple App Store Guideline 5.1.1 and the Google Play policy require a privacy policy link for every app. Google Play is explicit: even apps that collect no data must still submit a policy. An app without one will be rejected from both stores.
For blogs and personal sites: Yes, in almost every real case. A blog running Google Analytics, showing ads, accepting comments, or sending a newsletter collects personal data. The ICO confirms this applies to small operations. Any site that holds people's names and email addresses needs a privacy notice. A purely static blog with no analytics, no ads, no comments, and no signup forms may be the exception (see the next section).
For small businesses: Yes, almost certainly. If any privacy law applies to your visitors, you need a privacy policy. The same is true if you use any of the third-party tools above. The ICO notes that even businesses without a website must inform people about their privacy practices if clients find them online. As the ICO puts it, some businesses are legally required, so do not assume you are exempt.
If you have no website at all: The ICO advises that you still need a privacy notice if customers or clients find your business online. A brief notice is enough. If your business is fully offline with no digital presence, you may inform people in other ways, such as print or verbal notice. That is an increasingly narrow situation.
What Happens If You Don't Have a Privacy Policy?
The consequences fall into two categories: immediate practical risks and regulatory risks. The practical risks hit first.
The concrete consequences, ordered from most immediate to most severe:
- Third-party account suspension: Google can terminate your Analytics or AdSense account for violating its ToS. Meta can remove your Pixel access. Stripe can suspend payment processing. App stores can reject or remove your app. These happen faster than any regulator acts.
- App rejection: Without a privacy policy, your app will not pass App Store or Google Play review.
- Regulatory fines: GDPR fines reach 20 million euros or 4% of annual global turnover. CCPA penalties are $2,500 to $7,500 per violation. COPPA penalties reach $51,744 per violation. Quebec Law 25 fines reach CAD $25 million.
- Private lawsuits and consumer complaints: CCPA creates a private right of action for data breaches. Consumers can file complaints with data protection authorities, triggering investigations.
- Lost user trust: Visitors who cannot find your privacy policy are more likely to distrust the site and leave.
For a small brochure site, regulatory enforcement is unlikely. But the third-party-account risk is immediate and real for almost every site running analytics or ads. That risk alone is sufficient reason to publish a policy.
When You Don't Need a Privacy Policy
You may not need a privacy policy if your website is genuinely static and collects nothing. That means ALL of the following are true:
- No analytics tools (no Google Analytics, no Plausible, no Fathom, no pixel)
- No cookies beyond strictly necessary session cookies set by the server
- No contact form, comment section, newsletter signup, or chat widget
- No user accounts or login functionality
- No payments or e-commerce
- No third-party scripts (no ad networks, no social embeds, no CDN tracking)
- No visitors from jurisdictions with active privacy laws (EU, UK, California, Canada, Australia)
In practice, this describes very few real websites. Most "simple" sites still run at least a basic analytics tool or embed a contact form. And even basic shared hosting providers log IP addresses, which can constitute personal data under GDPR.
Many owners of genuinely static sites still publish a short privacy policy anyway. It costs nothing, builds trust, and future-proofs the site against the moment they add a contact form or an analytics snippet. The website legal pages hub covers all three documents you may eventually need.
What a Privacy Policy Must Include
A compliant privacy policy must address the elements below. They are synthesized across GDPR Articles 13 and 14, CCPA, PIPEDA, and APP 1.
- Who you are: the identity and contact details of the data controller or business
- What personal data you collect: categories of information (names, emails, IP addresses, payment data, device identifiers)
- How and why you collect it: the purposes of collection and, under GDPR, the legal basis (consent, legitimate interest, contract, legal obligation)
- Who you share it with: third-party processors, service providers, ad networks, analytics providers
- How long you keep it: data retention periods or the criteria used to determine them
- Individual rights: how users can access, correct, delete, or restrict their data, and how to opt out of sale (CCPA) or withdraw consent (GDPR)
- How to contact you: a specific email address or form for privacy requests
- Cookie and tracking disclosure: what cookies you set, what they do, and how users can manage them
- International data transfers: whether data is transferred outside the EU/UK or Australia, and what safeguards apply
- Last-updated date: when the policy was last reviewed
This list is the universal floor. For a ready-to-adapt starting point that you fill in for your own site, see our privacy policy template.
Privacy laws keep expanding. Several jurisdictions including India (DPDPA 2023, implementation rules not yet finalized) and additional US states are adding requirements. A policy published today needs periodic review as laws change.
How to Get a Privacy Policy for Your Website
Three routes are available, and each carries a different trade-off.
- A template you fill in yourself. Best for tight budgets and simple sites with straightforward data practices. The trade-off: you must adapt it accurately to your site's real data practices, or the policy will describe a site you do not run.
- A privacy policy generator. Best for most small and mid-sized sites that want a policy tailored to their actual data collection without a lawyer. The trade-off: it reflects what you tell it, so accuracy depends on answering the guided questions correctly.
- A lawyer. Best for high-risk, regulated, or complex businesses, such as health data, children's services, financial services, or enterprise SaaS. The trade-off: most thorough, but slowest and most expensive.
One shortcut to avoid is copying another website's privacy policy verbatim. That policy describes their data practices, not yours. A policy that misrepresents your actual data practices creates more liability than not having one at all.
FAQs
Is a privacy policy a legal requirement?
Yes, in most cases. GDPR requires one for any site processing personal data of EU or UK residents. CCPA requires one for qualifying California-facing businesses. PIPEDA requires one for Canadian commercial organisations. Australia's APP 1 requires one for covered organisations. COPPA, HIPAA, and GLBA mandate one for specific sectors. If none of those laws apply, the terms of tools you use, such as Google Analytics or the Apple App Store, likely still require one.
Do I need a privacy policy if I only use Google Analytics?
Yes. Google Analytics' own terms of service require you to post a privacy policy and disclose your use of Google Analytics and how it collects data. Google Analytics also collects personal data including IP addresses, which triggers GDPR for EU visitors and other privacy laws depending on your audience. "I only have analytics" is one of the most common reasons people think they're exempt. They are not.
Do I need a privacy policy if I don't sell anything?
Yes, almost always. Selling is not the trigger. Collecting personal data is the trigger. A free newsletter, a contact form, or a comment section triggers the requirement under most privacy laws. It also violates the terms of any email marketing tool you use. The real test is not whether you take money. It is whether you collect any personal information.
Do I need a privacy policy for a personal blog?
Yes, if the blog runs analytics, shows ads, has comments, or sends a newsletter. Almost every blog does at least one of those things. A purely static blog with no analytics, no ads, no comment section, and no signup forms may qualify for the exception described above. If you're unsure, publish a short policy: it takes minutes with a generator and eliminates the uncertainty.
Can I copy another website's privacy policy?
No. Another site's privacy policy describes their data practices, not yours. A copied policy that does not accurately describe how YOUR site collects and uses data is inaccurate. An inaccurate policy creates liability rather than reducing it: regulators and courts look at whether the policy reflects actual practice, not whether one exists. Use a template you adapt carefully, a generator that reflects your answers, or a lawyer.
Is a privacy policy the same as a cookie policy or terms and conditions?
No. They are three separate documents that serve different purposes:
| Document | What it covers |
|---|---|
| Privacy policy | All personal data practices: what you collect, why, how, who you share with, and individual rights |
| Cookie policy | Specifically cookies and tracking technologies: what they are, why you use them, and how visitors can manage them |
| Terms and conditions | The rules for using your site or service: acceptable use, intellectual property, liability, dispute resolution |
A privacy policy and a cookie policy can be combined in one document for simpler sites. For international and e-commerce sites, keeping them separate is cleaner. See our cookie policy template for the cookie-specific document.
Do I need a privacy policy if my business is not in the EU or California?
Likely yes. GDPR and CCPA apply based on where your VISITORS are, not where you are. A Canadian business with EU visitors is subject to GDPR. A UK business with California visitors must assess CCPA. Your own jurisdiction almost certainly has its own rule: PIPEDA in Canada, the Privacy Act in Australia, CalOPPA for any California-facing commercial site. A growing list of US states adds more. Third-party tool requirements apply regardless of geography.
How much does a privacy policy cost?
It ranges from free to several hundred dollars. A free generator or a basic template costs nothing. Paid generator tiers typically run a few dollars per month. A lawyer-drafted policy for a complex or regulated business runs from a few hundred to a few thousand dollars depending on scope. The right choice depends on your risk level and the complexity of your data practices.
Generate a Privacy Policy With Consently
Consently's privacy policy generator builds a policy from your answers about your data collection, usage, sharing, retention, and user rights. The result reflects YOUR site's actual practices, not a generic template copied from someone else.
Three specific capabilities make it useful beyond a basic template:
- Guided generation from your actual data practices: the generator asks about your data collection, purposes, third-party processors, and user rights so the output matches what your site actually does
- Rich-text editing and direct embedding: the generated policy is editable inside a rich-text editor and can be embedded directly on your site; it sits alongside Consently's cookie policy and terms generators, so all three website legal documents come from one tool
- Paired with consent collection: Consently's cookie banner, scanner, and consent logs work alongside the policy, so what you disclose in the policy matches the consent you actually collect; when laws change, you can regenerate or update the policy from the same dashboard
Consently provides compliance assistance, not a replacement for professional legal advice. For high-risk, regulated, or complex businesses (healthcare, financial services, children's services), a lawyer remains the right call.
If your site collects any personal data, you need a privacy policy. A generator is the fastest route for most sites. Not ready to generate one yet? Start with a template to see what a complete policy looks like, then build the real one when you are ready.
Try Consently free and generate your privacy policy alongside your cookie banner and consent management in one tool.

