To write a privacy policy for your website, you need eight sections: what data you collect, how you collect it, why you collect it, how you use it, who you share it with, how long you keep it, what rights users have, and how to contact you with privacy requests. Fill in each section accurately for your specific site and you have a legally functional privacy policy.
Most website owners treat a privacy policy as optional until they face a consequence. It is not optional. The GDPR (Europe), CCPA (California), and Google AdSense program policies all require a published privacy policy — and Google can suspend AdSense accounts for non-compliance without warning. Apple and Google both require privacy policies for any app listed on their stores, regardless of how simple the app is.
Use the free Privacy Policy Generator at RoughTools to create a customized, compliant privacy policy in minutes — or follow the step-by-step guide below.
This is general information, not legal advice. Consult a licensed attorney before using any legal document for your specific situation.
The Required Sections of a Compliant Privacy Policy
A privacy policy is not a creative document — it is a disclosure document. Every section answers a specific question that privacy laws require you to answer for your users.
Here is the complete structure of a GDPR-compliant privacy policy:
SECTION 1 — What data you collect
Personal data: [email addresses, names, IP addresses, etc.]
Non-personal: [aggregate analytics, browser type, page views]
Sensitive data: [health info, financial data — disclose if applicable]
SECTION 2 — How you collect it
Methods: [contact forms, cookies, analytics tools, payment processors]
Third-party: [Google Analytics, Facebook Pixel, Stripe, Mailchimp]
SECTION 3 — Why you collect it (legal basis under GDPR)
Legitimate bases: [consent, contract, legal obligation, legitimate interest]
Purpose per data: [newsletter → consent; order fulfillment → contract]
SECTION 4 — How you use the data
Internal uses: [send emails, process orders, improve site performance]
Marketing: [whether you send promotional emails, retargeting ads]
SECTION 5 — Who you share it with
Service providers: [hosting company, payment processor, email platform]
Legal disclosure: [law enforcement if required by court order]
Not sold: [explicitly state if you do not sell personal data]
SECTION 6 — How long you retain data
Active accounts: [as long as account is active]
Inactive: [deleted after X months of inactivity]
Legal holds: [financial records kept 7 years per IRS requirements]
SECTION 7 — User rights
GDPR rights: [access, rectification, erasure, portability, objection]
CCPA rights: [know, delete, opt-out of sale, non-discrimination]
How to exercise: [email address or form link for privacy requests]
SECTION 8 — Contact information
Privacy contact: [name or role + email address]
Response time: [30 days is the GDPR maximum for responding to requests]
Last updated: [date — must be updated whenever practices change]
Worked example: a food blog with email subscribers
HomebrewDaily.com is a homebrewing blog with 4,700 monthly visitors. It collects email addresses through a newsletter signup form, uses Google Analytics for traffic data, and runs Google AdSense ads. It does not sell products or process payments.
For this site, Section 1 would read:
"We collect the following personal data:
- Email addresses (submitted voluntarily via newsletter signup form)
- IP addresses (collected automatically by Google Analytics)
- Browser type, device type, and page visit data (Google Analytics)
- Cookie identifiers (Google Analytics and Google AdSense)"
The legal basis under GDPR for email addresses is consent — the user opted in. The legal basis for analytics data is legitimate interest — standard analytics use that a reasonable person would expect from any website.
The result: a privacy policy built on this structure accurately describes HomebrewDaily.com's actual data practices, satisfies GDPR Article 13 disclosure requirements, and meets Google AdSense's policy requirements for published privacy policies.
How to Write a Privacy Policy for Your Website Step by Step
- Audit what data your website actually collects before writing a single word. Log into every tool connected to your site: Google Analytics, your email platform (Mailchimp, ConvertKit, etc.), your payment processor (Stripe, PayPal), your hosting control panel, and any contact form plugin. List every category of data each tool collects. A privacy policy that does not match your actual data practices is worse than no policy — it creates legal liability for misrepresentation.
- Identify which privacy laws apply to your site. GDPR applies if any of your visitors are located in the European Union — regardless of where your site is hosted or where you live. CCPA applies if you have California users and meet certain thresholds. COPPA applies if your site is directed at children under 13 or you knowingly collect data from them. Most small blogs and business sites need to address GDPR and COPPA at minimum.
- Fill in each of the eight sections based on your audit. Be specific. "We use your email address to send you our weekly newsletter and occasional product announcements" is better than "We may use your information to communicate with you." Vague language does not protect you legally — specificity does.
- Use the Privacy Policy Generator to assemble and format the document. Enter your site name, the data you collect, the tools you use, and your contact email. The generator formats the policy correctly, includes the required legal language for GDPR and CCPA, and produces a ready-to-publish document. This takes under five minutes versus two to four hours of drafting from scratch.
- Publish the policy at a permanent URL on your site. The standard URL is yoursite.com/privacy-policy. Link to it from your site footer — on every page — and from any form that collects personal data (newsletter signup, contact form, checkout page). GDPR requires the policy to be "easily accessible" and "clearly visible" at the point of data collection.
- Set a calendar reminder to review and update the policy annually. A privacy policy is not a set-it-and-forget-it document. Every time you add a new tool (a new email platform, a new analytics service, a chatbot), you must update the policy to disclose it. The policy must always reflect current practices — a policy that describes tools you no longer use or omits tools you added last year creates legal risk.
Pro tip: Add a "Last Updated" date at the top of your privacy policy, not the bottom. GDPR requires users to be able to see when the policy was last modified, and placing it prominently signals transparency. Update this date every time you make any change, even minor wording adjustments.
Is a Privacy Policy Required by Law for a Website?
A privacy policy is required by law for your website in most practical situations — not as a general mandate, but through several specific laws that together cover nearly every website that collects any data.
GDPR requires a privacy policy for any website visited by EU residents that collects personal data — which includes IP addresses. Since IP addresses are personal data under GDPR, virtually every website with any EU traffic needs a privacy policy. The maximum GDPR fine is €20 million or 4% of global annual turnover, whichever is higher — though regulators focus enforcement on large companies, not individual bloggers.
CCPA requires a privacy policy for businesses that meet any one of three thresholds: annual gross revenue over $25 million, buying or selling personal data of 100,000 or more California consumers per year, or deriving more than 50% of annual revenue from selling personal data. Most small businesses do not meet these thresholds — but CCPA still requires any covered business to have a compliant policy before January 1 of the year they become subject to it.
Beyond legal requirements, platform policies make a privacy policy a practical necessity:
- Google AdSense requires a privacy policy disclosing the use of cookies and data collection
- Google Play requires a privacy policy for all apps that collect personal data
- Apple App Store requires a privacy policy for all apps
- Mailchimp and most email platforms require a privacy policy link before allowing list imports
The short answer: if your site collects email addresses, uses Google Analytics, or runs ads, you need a privacy policy.
What Should a Privacy Policy Include for GDPR Compliance?
A GDPR-compliant privacy policy must include all information required by GDPR Articles 13 and 14 — the transparency obligations that apply when you collect data directly from users (Article 13) or obtain it from third parties (Article 14).
The required disclosures under GDPR Article 13:
| Required element | What to disclose |
|---|---|
| Controller identity | Your name or company name and contact details |
| DPO contact | Data Protection Officer contact (if you have one) |
| Purposes and legal basis | Why you process data and which legal basis applies |
| Legitimate interests | What interests justify processing without consent |
| Recipients | Who receives the data (third-party tools, processors) |
| International transfers | If data leaves the EU and how it is protected |
| Retention period | How long you keep each category of data |
| User rights | All eight GDPR rights listed explicitly |
| Right to withdraw consent | How to opt out if consent is the legal basis |
| Right to complain | That users can complain to a supervisory authority |
| Automated decision-making | Whether you use profiling or automated decisions |
In practice, a small website using Google Analytics and an email list needs to disclose the analytics cookies, the email subscriber data, the use of Google's and the email platform's servers (as data processors), and the user's right to request deletion of their data. The privacy policy generator includes all of these disclosures when you select the tools you use.
One element most templates omit: the right to lodge a complaint with a supervisory authority. GDPR requires you to tell users they can contact their national data protection authority if they believe their data has been mishandled. This is a mandatory disclosure that many free templates skip.
What Is the Difference Between a Privacy Policy and Terms of Service?
A privacy policy and terms of service are both legal documents for websites, but they serve completely different purposes and protect different parties.
A privacy policy is a disclosure document that informs users about your data practices. It is primarily written for users and required by law. It answers: what data do you collect, how do you use it, what are users' rights. It protects users.
Terms of service (also called Terms and Conditions or Terms of Use) is a contract between you and your users that governs how they may use your site or product. It is primarily written to protect you as the site owner. It answers: who can use the site, what they cannot do, what happens in disputes, what your liability limits are.
A comparison:
| Document | Who it protects | Required by law | Governs |
|---|---|---|---|
| Privacy policy | Users | Yes (GDPR, CCPA, etc.) | Data collection and use |
| Terms of service | Site owner | No (but strongly advisable) | User conduct and liability |
| Cookie policy | Users | Yes (EU Cookie Law) | Cookie usage and consent |
| NDA | Both parties | No | Confidential information |
Both documents should be on your site. They are not interchangeable — a terms of service does not satisfy the legal requirement for a privacy policy, and vice versa. Use the Terms of Service Generator alongside the privacy policy generator to create both documents together.
Common Mistakes to Avoid When Writing a Privacy Policy
- Copying another site's privacy policy verbatim. Every privacy policy is specific to that site's actual data practices. Copying one from a competitor or a large company means you are disclosing their data practices, not yours — including tools you do not use and omitting tools you do. This creates a misrepresentation that is legally worse than having no policy. Write (or generate) a policy based on your own data audit.
- Writing it once and never updating it. A privacy policy must match current practices. If you add Google Tag Manager, a live chat widget, or a new CRM platform after publishing your policy, you must update the policy to disclose these additions. GDPR requires the policy to reflect current processing activities at all times. The "Last Updated" date is not cosmetic — regulators use it to assess whether practices have outpaced disclosures.
- Burying the policy where users cannot find it. A privacy policy that exists but is not linked from your site's footer, contact form, or newsletter signup does not satisfy the "easily accessible" requirement under GDPR. Link to it everywhere data is collected. Place the link in your footer so it appears on every page.
- Claiming you "do not collect data" when you use Google Analytics. Google Analytics collects IP addresses, device identifiers, and behavioral data — all of which are personal data under GDPR. A policy that says "we do not collect personal information" while running Analytics is factually incorrect and legally indefensible. Disclose Analytics, Ads, and any embedded third-party content (YouTube videos, social share buttons) that may collect data independently.
- Not including a data retention period. Many privacy policy templates omit how long you keep data. GDPR explicitly requires disclosure of the retention period or the criteria used to determine it. "We retain email addresses until you unsubscribe" and "We retain analytics data for 26 months per Google Analytics' default retention setting" are both specific, accurate, and compliant. "We keep data as long as necessary" is not sufficient.
Frequently Asked Questions
Do I need a privacy policy if my website is free and does not sell anything? Yes. If your site uses Google Analytics, embeds YouTube videos, has a contact form, or uses any third-party service that collects user data, you need a privacy policy. The legal requirement is triggered by data collection, not by whether money changes hands. A free blog with Google Analytics and an email signup form has the same GDPR obligations as a paid e-commerce site.
What if I already have a privacy policy but it is several years old? Update it. A policy written before GDPR came into force in May 2018 almost certainly does not include the required GDPR disclosures — legal basis, user rights, data retention periods, and the right to lodge a complaint with a supervisory authority. A policy from 2019 may not include CCPA disclosures, which took effect January 2020. Review your policy annually and regenerate or revise it whenever privacy laws change or your data practices change.
What is the difference between a privacy policy and a cookie policy? A privacy policy covers all data collection — including but not limited to cookies. A cookie policy (or cookie notice) specifically explains which cookies your site uses, what they do, and how users can manage or reject them. The EU Cookie Law and GDPR require explicit consent for non-essential cookies (analytics, advertising) and a cookie notice at first visit. Some sites combine cookie disclosures into the main privacy policy; others publish a separate cookie policy. Either approach is compliant as long as the information is there and easy to find.
How long does a privacy policy need to be? There is no minimum or maximum length requirement. A simple blog with one email list and Google Analytics needs roughly 600–900 words to cover all required disclosures. A SaaS product with multiple data categories, third-party integrations, and international data transfers may need 2,000–3,000 words. The requirement is completeness, not length. A two-paragraph policy that omits required disclosures is non-compliant. A 5,000-word policy that covers everything is compliant. Aim for complete and clear, not long.
When should I update my privacy policy vs. creating a new one? Update your existing policy whenever you add or remove a data collection tool, change how you use data, add users from a new jurisdiction (like launching a product in the EU), or whenever a relevant privacy law changes. Create a new policy from scratch when the existing one is so outdated or inaccurate that editing it would require rewriting most of it anyway — which is common for sites that have not updated their policy since before GDPR. The privacy policy generator makes regenerating a complete, current policy faster than editing an outdated one.
Use the Free Privacy Policy Generator
The Free Privacy Policy Generator at RoughTools builds a customized, compliant privacy policy for your website in under five minutes. Answer questions about your site's data collection, the tools you use, and your contact details — and the generator produces a complete policy covering GDPR, CCPA, and Google AdSense requirements. Download it as a PDF or copy the HTML to paste directly into your site. No account required, no watermarks, completely free.
You might also need:
- Terms of Service Generator — create a terms of service document to pair with your privacy policy
- NDA Generator — generate a non-disclosure agreement for client or vendor relationships
- Cookie Consent Template — create a GDPR-compliant cookie notice for your site's first-visit banner
- Disclaimer Generator — add a legal disclaimer to blog posts, financial content, or affiliate marketing pages