What Must a Privacy Policy Include? (2025 Requirements)
GDPR, CCPA, COPPA, and app store requirements — all in one place. What your privacy policy must legally say.
A Privacy Policy is not optional. If your website or app collects any personal data — even just email addresses or IP addresses through analytics — you need one. But what exactly must it say?
The requirements vary by jurisdiction and platform. Here's a comprehensive breakdown of what's required in 2025.
Universal Requirements (All Websites)
Regardless of where your users are located, every Privacy Policy should include:
1. What data you collect
List every category of personal data you collect: names, email addresses, IP addresses, payment information, cookies, device identifiers, location data, usage data, etc.
2. Why you collect it (purpose)
Explain the purpose for each type of data. "We collect your email address to send you account notifications and, with your consent, marketing emails."
3. How you use it
Be specific about how data is used: to provide the service, to send emails, to improve the product, for analytics, for advertising, etc.
4. Who you share it with
Name or describe the third parties who receive user data: payment processors (Stripe), analytics (Google Analytics), email providers (Mailchimp), cloud hosts (AWS), etc.
5. How long you keep it
State your data retention periods. "We retain account data for as long as your account is active plus 90 days after deletion."
6. How you protect it
Briefly describe your security measures: encryption, access controls, regular security audits, etc.
7. How to contact you
Provide a way for users to reach you with privacy questions: email address, physical address, or a contact form.
GDPR-Specific Requirements
If any of your users are in the EU or EEA, GDPR adds these additional requirements:
- Legal basis for processing (consent, contract, legitimate interest, etc.)
- Identity and contact details of the data controller
- Data Protection Officer contact (if applicable)
- Information about international data transfers and safeguards
- User rights: access, rectification, erasure, restriction of processing, portability, objection, and the right to withdraw consent at any time where consent is the legal basis
- Right to lodge a complaint with a supervisory authority
- Whether providing data is a contractual/statutory requirement
- Existence of automated decision-making and profiling (if applicable)
CCPA-Specific Requirements
If any of your users are California residents and your business meets the CCPA thresholds, the CCPA (as amended by the CPRA) requires your Privacy Policy to include:
- Categories of personal information collected in the preceding 12 months
- Categories of sources from which personal information is collected
- Business or commercial purpose for collecting, selling, or sharing personal information
- Categories of third parties with whom you share personal information
- Right to know what personal information is collected
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt-out of the sale or sharing of personal information
- Right to limit the use of sensitive personal information (if applicable)
- Right to non-discrimination for exercising CCPA rights
App Store Requirements
Apple App Store
Apple requires every app on the App Store to have a Privacy Policy, whether or not it collects personal data. The policy must be linked in the app's App Store Connect metadata AND within the app itself in an easily accessible place. Apple also requires you to complete the App Privacy questionnaire (the "privacy nutrition label") in App Store Connect when submitting your app, and the answers there must match what the policy says.
Google Play Store
Google requires every app on Google Play to provide a Privacy Policy, regardless of the data it handles. The policy must be linked in the designated field in Play Console (so it appears on the app's Google Play listing) AND accessible within the app. You must also complete the Data safety form in Play Console, and its disclosures must be consistent with the policy.
What Your Privacy Policy Should NOT Do
- Don't use vague language like "we may use your data to improve our services" without saying what that means in practice; be specific
- Don't bury important information in legalese that average users can't understand
- Don't include pre-ticked checkboxes as consent mechanisms
- Don't claim you "never share data" if you use Google Analytics (you do)
- Don't use outdated templates that don't reflect your actual practices
How Long Should a Privacy Policy Be?
There's no legal minimum or maximum length. A Privacy Policy should be exactly as long as it needs to be to accurately describe your data practices.
A typical Privacy Policy for a small SaaS or website is 1,000–3,000 words. If you're collecting a lot of data or serving multiple jurisdictions, it may be longer.
The trend is toward "layered" Privacy Policies: a short summary at the top with the key points, followed by a more detailed full policy for those who want to read it.