Do You Need a Privacy Policy? GDPR and CCPA, Explained
A plain-English guide to when a privacy policy is legally required, what GDPR and CCPA actually demand, and how the two laws differ — without the legalese.
If your website or app touches personal data — and almost every one does — you need a privacy policy. That is the short answer. The longer answer is worth understanding, because which law applies to you, and what it demands, changes depending on who your users are and where they live. This guide walks through when a policy is required, what GDPR and CCPA actually ask for, and where the two diverge.
None of this is legal advice. It is the working knowledge that helps you brief a lawyer well, or draft a sensible first version yourself before one reviews it.
When a Privacy Policy Becomes Mandatory
There is a common myth that small sites are too minor to bother. The laws do not work that way. The trigger is almost always processing personal data, not company size or revenue.
You are collecting personal data if your site does any of the following:
- Runs an email newsletter or a contact form
- Uses Google Analytics, Meta Pixel, or any tracking cookie
- Lets people create accounts or log in
- Processes payments
- Embeds a chat widget, a comments system, or third-party ads
Each of those involves names, email addresses, IP addresses, or behavioral data — all of which count as personal data under modern privacy law.
On top of the legal trigger, there is a practical one. The companies you depend on require a policy as a condition of service:
- Apple App Store and Google Play both reject apps without a privacy policy URL.
- Google's OAuth consent screen demands a link to one.
- Stripe, PayPal, and most ad networks require you to publish a policy.
So even a tiny side project usually needs a privacy policy the day it goes live — sometimes for the law, almost always for the platforms.
What GDPR Actually Requires
The General Data Protection Regulation governs the personal data of people in the EU and UK. Its reach is extraterritorial: a US company with EU customers is bound by it. The core idea is that you may not process someone's data unless you have a clear, lawful reason, and the person retains strong rights over that data.
A GDPR-compliant privacy policy has to spell out several things in plain language.
A lawful basis for every purpose
This is the part people most often miss. Under Article 6, each thing you do with data needs one of six lawful bases:
| Lawful basis | Typical use |
|---|---|
| Consent | Marketing emails, non-essential cookies |
| Contract | Fulfilling an order, running a paid account |
| Legal obligation | Keeping tax or invoice records |
| Vital interests | Genuine emergencies (rare) |
| Public task | Government and public-authority functions |
| Legitimate interests | Fraud prevention, basic security, some analytics |
You do not get to be vague here. "We process your data to improve our service" is not a lawful basis. You name the basis and tie it to the purpose.
The rights you must honor
GDPR gives people the right to access their data, correct it, delete it ("the right to be forgotten"), restrict how it is used, take it elsewhere in a portable format, and object to certain processing. Your policy has to explain these rights and how someone exercises them, and you generally have 30 days to respond to a request.
The rest of the checklist
A complete GDPR policy also covers data retention (how long you keep things and why), international transfers and their safeguards — Standard Contractual Clauses are the usual mechanism after the Schrems II ruling — your identity as the data controller, your privacy contact or Data Protection Officer, and how someone can complain to a supervisory authority. Non-essential cookies need prior consent, which is why the cookie banner exists.
What CCPA Requires Instead
California's privacy regime — the CCPA, expanded by the CPRA — protects California residents. If you do business in California and meet certain thresholds (revenue, data volume, or selling data), it applies to you.
Here is the conceptual fork that trips people up: CCPA has no lawful-basis requirement. It does not ask you to justify why you collect data the way GDPR does. It assumes you can collect it, then forces transparency and gives consumers control on the back end.
A CCPA policy is built around different pillars:
- Categories of personal information. You disclose what you collect using CCPA's specific category language — identifiers, commercial information, internet activity, geolocation, and so on.
- Purposes and recipients. What business or commercial purpose each category serves, and the categories of third parties you disclose, sell, or share it with.
- Consumer rights. The right to know what you have collected, to delete it, to correct it, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information — plus a guarantee of non-discrimination for exercising those rights.
- The opt-out link. If you sell or share data, you need a "Do Not Sell or Share My Personal Information" link, and you must honor requests made through it, including by an authorized agent.
So a CCPA policy reads more like a disclosure document with an opt-out switch, where a GDPR policy reads like a justification document with a consent gate.
GDPR vs CCPA at a Glance
| | GDPR (EU/UK) | CCPA/CPRA (California) |
|---|---|---|
| Core model | You need a reason to process | You disclose and let people opt out |
| Lawful basis | Required for every purpose | Not a concept |
| Consent | Required for marketing and non-essential cookies | Generally opt-out, not opt-in |
| Key rights | Access, erasure, portability, objection | Know, delete, correct, opt out of sale/sharing |
| Signature feature | "Right to be forgotten" | "Do Not Sell or Share My Personal Information" |
| Who it covers | Anyone in the EU/UK | California residents |
The practical upshot: if you serve both audiences, one policy with two clearly labeled sections is the clean solution. Trying to make a single GDPR section quietly cover California obligations usually leaves gaps in both.
A Realistic Way to Get Compliant
You do not need a five-figure legal bill to get a competent first draft, and you should not copy a competitor's policy — it describes their data practices, not yours, which can make it actively misleading.
A sensible path looks like this:
- Inventory your data. Write down everything you collect, why, and which third parties touch it (Stripe, your analytics, your email tool, your host). This is the single most useful thing you can do, and it is also exactly what GDPR's Record of Processing Activities and CCPA's category disclosures are built from.
- Draft against the right frameworks. Map each data use to a GDPR lawful basis and a CCPA category. A tool like the Privacy Policy & Terms Generator does this for you — you describe the business once and it produces a draft that addresses the regions you select, including the third-party disclosures.
- Have it reviewed. A draft is a starting point. A lawyer or privacy professional should confirm your lawful bases, retention periods, and governing law before you publish. The draft makes that review faster and cheaper because they are editing, not starting from a blank page.
The Bottom Line
If you collect personal data, you need a privacy policy — both because the law requires it and because the platforms you rely on do. GDPR and CCPA are not interchangeable: one asks you to justify processing and honor broad rights, the other asks you to disclose fully and let consumers opt out. Understand which applies, draft against the correct framework rather than a borrowed template, and get a professional to check it before it goes live.
For the related question of what else your site's legal footer needs, see privacy policy vs terms of service. When you are ready to produce a draft, the step-by-step guide to generating one with AI covers the workflow end to end.
Frequently asked questions
Does my small website really need a privacy policy?
If it collects any personal data — an email signup, a contact form, analytics cookies, a login — then yes, in practice you need one. GDPR applies the moment you process an EU or UK resident's data, regardless of your company's size or location. Beyond the law, Google, Apple, and payment processors all require a published policy to use their services, so for most sites it is effectively mandatory.
What is the main difference between GDPR and CCPA?
GDPR requires a lawful basis before you process anyone's data and grants broad rights like erasure and portability. CCPA has no lawful-basis concept; it assumes you can collect data but gives California consumers the right to know what you hold, delete it, and opt out of its sale or sharing. GDPR is consent-and-purpose driven; CCPA is disclosure-and-opt-out driven.
Can I use one privacy policy for both GDPR and CCPA?
Yes, and most companies do. A single policy can contain a GDPR section covering lawful bases and EU rights, plus a CCPA section covering the categories of personal information and California consumer rights. What you should not do is write a GDPR-style policy and assume it satisfies CCPA, or vice versa — the required disclosures genuinely differ.
What happens if I don't have a privacy policy?
Regulators can fine you — GDPR penalties reach into the millions, and California's authority issues its own fines per violation. More immediately for most small businesses, you can be removed from the App Store or Google Play, have your Stripe or ad account suspended, and lose user trust. The legal risk is real, but the operational risk usually bites first.