Generate a free, legally compliant privacy policy for your website or app. Covers GDPR, India's DPDPA, CCPA, and cookie consent requirements for 2026.
A privacy policy is no longer a legal checkbox — it is an enforceable contract with your users, and regulators in three major jurisdictions are now actively enforcing it.
GDPR fines reached €4.2 billion cumulatively by end of 2025. The DPDPA (Digital Personal Data Protection Act) came into force in India in 2024, with the Data Protection Board beginning enforcement proceedings in Q1 2026. California's CPRA extended the CCPA with stricter requirements, effective January 2023, and gave the law real enforcement teeth. If your website collects any personal data — and every website that uses analytics does — you need a privacy policy that addresses all applicable regulations.
Use the free WOWHOW privacy policy generator to create a compliant policy. This guide explains what every section must cover and why.
Which Regulations Apply to Your Website?
Applicability is determined by where your users are located, not where your business is incorporated.
GDPR (EU General Data Protection Regulation)
Applies if you process personal data of EU/EEA residents — regardless of where your business is based. A bootstrapped SaaS in Bangalore with 100 EU customers is subject to GDPR. The regulation requires a lawful basis for each processing activity, explicit consent for non-essential cookies, and the ability to fulfill data subject rights (access, erasure, portability) within 30 days.
DPDPA (India's Digital Personal Data Protection Act, 2023)
Applies to processing of digital personal data of Indian residents, whether the processing occurs in India or outside India. It came into force progressively from 2024. Key requirements: consent must be free, specific, informed, and unconditional; notice must be given before or at the time of collection; Data Fiduciaries must appoint a Data Protection Officer if processing "significant" volumes; data localization requirements apply for certain categories.
The DPDPA introduced the concept of "Significant Data Fiduciary" — entities processing large volumes of sensitive data must meet additional obligations including data localization, government audits, and algorithmic impact assessments.
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
Applies if your business meets any of: annual gross revenue above $25M, processes personal information of 100,000+ California consumers annually, or derives 50%+ of annual revenue from selling/sharing personal information. CPRA (effective 2023) added rights over sensitive personal information, opt-out of automated decision-making, and a dedicated California Privacy Protection Agency (CPPA) for enforcement.
Mandatory Sections in Every Privacy Policy
A compliant 2026 privacy policy must include all of the following. Each section's requirements differ by regulation.
1. Identity of the Data Controller
GDPR requires the full legal name of the data controller (the entity that determines how data is processed), its registered address, and contact details. DPDPA requires the name and contact details of the Data Fiduciary. CCPA requires the business's legal name and contact information. This section must be specific — "Acme Corp" is insufficient; include legal entity type, incorporation state/country, and registered office.
2. What Personal Data You Collect
List every category of personal data you collect, with specificity. "We collect information about you" fails GDPR's transparency requirement. A compliant entry looks like: "Email address and name (provided at registration), IP address and browser user agent (collected automatically), pages viewed and time spent (analytics), payment method type and last 4 digits of card (processed via Razorpay/Stripe, not stored on our servers)."
3. Legal Basis for Processing (GDPR)
GDPR requires a documented lawful basis for each processing activity. The six lawful bases are:
- Consent: User explicitly agreed — required for marketing emails, non-essential cookies
- Contract performance: Processing necessary to deliver the service the user signed up for
- Legal obligation: Processing required by law (e.g., tax records)
- Vital interests: Rare — emergency situations involving physical safety
- Public task: Government and public bodies only
- Legitimate interests: Business need that doesn't override user rights — requires a Legitimate Interests Assessment (LIA) and must be documented
"Legitimate interests" is the most-used basis by commercial websites, but it requires genuine balancing of your interests against user rights. Relying on it without a documented LIA is a compliance risk.
4. How You Use the Data
List every purpose for which collected data is used: account management, order fulfillment, fraud prevention, analytics, marketing communications, product improvement, legal compliance. Map each purpose to its lawful basis (GDPR) or consent mechanism (DPDPA). Do not list purposes you do not actually use — overly broad claims create liability.
5. Third-Party Sharing and Data Processors
Disclose every third party that receives user data. This includes: analytics providers (Google Analytics, Mixpanel), payment processors (Stripe, Razorpay), email service providers (SendGrid, Postmark), cloud hosting providers (AWS, Vercel, Hetzner), customer support tools (Intercom, Crisp), advertising platforms (Meta, Google Ads).
GDPR requires Data Processing Agreements (DPAs) with all processors. Most major providers have standard DPAs available for signature. Under DPDPA, sub-processors also fall under the Data Fiduciary's obligations. Under CCPA, you must disclose whether you "sell" or "share" personal information for advertising purposes.
6. Data Retention Periods
GDPR's storage limitation principle requires that personal data is not kept longer than necessary for the stated purpose. A compliant policy specifies retention periods by data category: "Account data: retained for the duration of your account plus 3 years for legal compliance. Analytics data: aggregated after 14 months, raw data deleted. Payment records: 7 years as required by tax law."
7. User Rights
All three regulations grant users rights over their data. The specific rights and their scope differ:
| Right | GDPR | DPDPA | CCPA/CPRA |
|---|---|---|---|
| Access | Yes | Yes | Yes |
| Correction | Yes | Yes | Yes |
| Erasure | Yes | Yes (erasure) | Yes (deletion) |
| Portability | Yes | Yes | Yes |
| Object to processing | Yes | Withdraw consent | Opt-out of sale/sharing |
| Non-discrimination | Implicit | Implicit | Explicit |
Your privacy policy must include a mechanism to exercise each applicable right — an email address, a web form, or an in-app settings page — and the timeframe within which you will respond (30 days for GDPR and DPDPA; 45 days for CCPA).
8. Cookies and Tracking Technologies
List all cookies and tracking technologies in use, categorized as: strictly necessary (no consent required), functional, analytics, and marketing. Under GDPR and DPDPA, non-essential cookies require prior, specific consent. A cookie banner that pre-checks "accept all" or makes rejection more difficult than acceptance does not meet the standard — regulators have begun fining for dark-pattern cookie banners specifically.
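The consent rule above translates directly into front-end behaviour: nothing in the functional, analytics or marketing categories may be loaded until the user has opted in, "accept all" and "reject all" must cost the same effort, and the choice should be recorded with a timestamp and the policy version shown so it can be evidenced later. The following is an added example written for this guide, not code from WOWHOW's generator or from the page; the category names, the script registry entries, the consent record format and the banner configuration fields are all illustrative assumptions.

```javascript
// Added example (not from the page or WOWHOW): a minimal consent gate for
// non-essential cookies/scripts, plus a check that a banner configuration
// avoids the dark patterns the guide names (pre-checked categories, no
// reject-all, rejection harder than acceptance). Category names, the script
// registry and the record format are assumptions for illustration.

const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Default state: only strictly necessary cookies are permitted until the
// user has actively chosen. Nothing non-essential is pre-enabled.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Record a user's choice. A non-essential category is enabled only when the
// choice sets it to exactly `true`; "necessary" cannot be switched off. The
// record keeps the timestamp and the policy version shown, which is what an
// auditor or regulator will ask to see.
function recordChoice(choice, policyVersion, now = new Date()) {
  const consent = defaultConsent();
  for (const cat of NON_ESSENTIAL) {
    consent[cat] = choice[cat] === true;
  }
  return { consent, policyVersion, recordedAt: now.toISOString() };
}

// Accept-all and reject-all are symmetric: one call, one click each.
function acceptAll(policyVersion) {
  return recordChoice({ functional: true, analytics: true, marketing: true }, policyVersion);
}

function rejectAll(policyVersion) {
  return recordChoice({}, policyVersion);
}

// Constructed registry mapping each third-party script to its cookie
// category. `src` values are placeholders, not real endpoints.
const SCRIPT_REGISTRY = [
  { id: "session-cookie", category: "necessary" },
  { id: "google-analytics", category: "analytics", src: "https://example.invalid/ga.js" },
  { id: "meta-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "intercom-widget", category: "functional", src: "https://example.invalid/chat.js" },
];

// Ids of scripts that may run under the given consent state.
function allowedScripts(consent, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => consent[s.category] === true).map((s) => s.id);
}

// Inject only the permitted scripts. Outside a browser (no `document`) the
// function just returns the permitted ids so the logic can be tested headless.
function loadPermittedScripts(record, registry = SCRIPT_REGISTRY) {
  const ids = allowedScripts(record.consent, registry);
  if (typeof document === "undefined") return ids;
  for (const s of registry) {
    if (!ids.includes(s.id) || !s.src) continue;
    const el = document.createElement("script");
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return ids;
}

// Flag the dark patterns the guide says regulators are fining: non-essential
// categories pre-checked, no reject-all control, or rejection needing more
// clicks than acceptance. `config` fields are assumed for this example.
function bannerProblems(config) {
  const problems = [];
  for (const cat of NON_ESSENTIAL) {
    if (config.prechecked && config.prechecked[cat]) {
      problems.push(`category "${cat}" is pre-checked`);
    }
  }
  if (!config.rejectAllClicks) {
    problems.push("no reject-all control");
  } else if (config.rejectAllClicks > config.acceptAllClicks) {
    problems.push("rejecting requires more clicks than accepting");
  }
  return problems;
}
```

The important design choice is that `defaultConsent()` is the state before any click and `recordChoice()` only ever turns a category on when it is explicitly set to `true`, so an absent or malformed value cannot silently enable tracking. Run `bannerProblems()` against your banner's configuration in a unit test so a later "optimisation" that pre-checks analytics fails CI rather than reaching users.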
9. International Data Transfers
If you transfer personal data outside the EU/EEA (for GDPR) or outside India (for DPDPA), you must identify the transfer mechanism. GDPR-approved mechanisms: Standard Contractual Clauses (SCCs), Adequacy Decisions, Binding Corporate Rules. DPDPA: central government must notify approved countries — as of 2026, the approved country list has not been finalized, creating compliance uncertainty for cross-border transfers.