What goes into a good business website? Whether you’re putting together a new one or maintaining an existing site, there are a hundred (if not more) decisions you’ll make in the process.
Addressing these issues can feel like trying to get to the end of an ever-growing punchlist. And with so many requirements pulling in different directions, it’s hard to know what’s a nice-to-have and what’s a must-have.
So if you’ve seen “add privacy notice” on your (metaphorical or not) list of website tasks, you might be wondering, “Is this something that I really need to do?”
The honest answer is (likely) yes. But privacy requirements can feel diffuse and hard to pin down, with obligations spread across federal rules, a patchwork of state laws, and client expectations that shift faster than most businesses can track.
That’s what we’re here for, though.
What is a privacy notice, exactly?
You’ll often see this page labeled “Privacy Policy” on other sites, but those are actually two different things.
A privacy policy is an internal document for your employees. A privacy notice is the public-facing version: an accurate description of the personal information your business collects and how you use, disclose, retain, protect, and destroy it. It tells people what consumer privacy rights they have and how to exercise them, and gives them a way to reach you with questions or concerns.
A privacy notice is not a contract, though. Someone doesn’t “agree to” your notice simply by using your site; it’s a one-directional statement to the public. And it’s not something you set once and forget. Your notice needs to evolve as your business practices change, and some privacy laws require at least an annual review.
Do I legally need a privacy notice?
The short answer is almost certainly yes. But the specifics depend on where you do business and what data you handle.
If you serve customers in the EU
If your business operates in or collects data from individuals located in the European Union (whether they’re citizens or not), you’re subject to the General Data Protection Regulation (GDPR). Under the GDPR, publishing a privacy notice is a legal obligation, and it has to be specific about what you collect, why you collect it, and how people can exercise their rights.
If you operate in the U.S.
Unlike the EU, the United States doesn’t have a single comprehensive federal consumer privacy law. Instead, privacy is addressed at the state and sectoral level, with a few federal regulatory exceptions.
As of July 2026, more than 20 states have privacy laws on the books, and most require businesses to publish accessible privacy notices that describe their data collection practices and explain the consumer privacy rights available to their residents.
Examples of these laws include:
- California’s CCPA, as amended by CPRA, requires businesses to publish a privacy notice that discloses the categories of personal information collected, the purposes for collection, whether data is sold or shared, and how consumers can exercise their privacy rights.
- Virginia, Colorado, Connecticut, Texas, Oregon, Minnesota, and Maryland have all enacted comprehensive privacy laws with similar notice requirements, including disclosures about data collection, processing purposes, third-party sharing, and consumer privacy rights.
- Oklahoma and Louisiana are among the most recent additions, both signed into law in 2026 with effective dates of January 1, 2027, and both require businesses to provide consumers with clear notice of their data practices.
Both Nevada and Washington state also have specific notice requirements for health-related data, mandating that businesses post separate, more detailed privacy notices for consumer health information. And this isn’t just applicable to healthcare systems or providers; if a business collects health-related data, they need a notice for this.
Even if no state laws don’t apply to you yet
The absence of a comprehensive federal privacy law doesn’t mean federal requirements don’t exist. Two things apply broadly, regardless of which state you or your customers are in.
Sectoral laws
Depending on your industry or the type of data you collect, a federal law may already require you to publish a privacy notice. For example:
- COPPA requires notice if you collect data from children under 13.
- HIPAA requires notice if you handle protected health information.
- The Gramm-Leach-Bliley Act requires financial institutions to provide customers with privacy notices explaining how their personal information is collected and shared.
If your business intersects with these areas, federal notice requirements may likely apply to your business.
The Federal Trade Commission
Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive acts or practices (often referred to as UDAP), and that applies to what you say in your privacy notice regardless of your size, industry, or volume of data handled.
If your notice says one thing and your practices do another, you’re potentially in violation. For example, if your privacy notice states “We will never sell or share your data with third parties,” but you share customer email addresses with an advertising partner, the gap between your promise and your actual practice can be treated as a deceptive practice under federal law
What needs to be in my privacy notice?
An effective privacy notice doesn’t start with the notice itself, but rather with a thorough understanding of your privacy and data collection practices. Without this, the notice is just words on a page.
This means conducting a data inventory. A data inventory tracks every category of personal information your business collects: where it comes from, how it’s used, who has access to it, how long you keep it, and where it goes when you’re done with it.
All that being said, the following categories of information are often included in a privacy notice:
- What personal information you collect and how. The categories of personal information you collect (names, email addresses, geolocation, browsing data, and similar) and the methods used to collect it (forms, cookies, logs, registrations, and so on).
- Why and how you use personal information. The purposes for which you process personal information, such as operations, analytics, marketing, or security, and how you actually use data for those purposes.
- Categories of personal information you disclose. What categories of personal information you share with third parties, including any sale or sharing for commercial or business purposes.
- Categories of recipients. The types of entities you share data with: service providers, business partners, government authorities, advertising networks, and others.
- Digital identifiers and cookies. What kinds of cookies and similar tracking technologies your site uses, what digital advertising or analytics you engage in, and how your site handles universal opt-out signals like Global Privacy Control (GPC).
- Consumer privacy rights. The privacy rights your customers have, including access, deletion, correction, portability, and opt-out of sale or sharing, along with clear instructions for how to exercise each one, whether that’s a webform, a toll-free number, an email address, or a preference center.
- How long you retain personal information. Either specific retention timeframes or the criteria you use to determine how long different categories of data are kept.
- How you safeguard personal information. A high-level description of your security and access controls, enough to give consumers confidence without disclosing specifics that create security risks.
- International transfers. If you store or process data outside the U.S., a disclosure of where and the mechanisms you use to ensure appropriate protections apply.
- Contact information and effective date. How people can reach you with privacy questions or concerns, when the notice became effective, and how you’ll communicate future changes.
Depending on which laws apply to your business, there may be additional required elements, such as disclosure of financial incentive programs, children’s data practices, or metrics on consumer privacy rights requests. When in doubt, review the applicable laws or consult an experienced privacy professional.
What makes a good privacy notice?
You can include everything from the must-have list and still have a privacy notice that isn’t up to snuff. Here’s what separates a compliant privacy notice from one that’s genuinely useful.
Complete a data inventory
As noted above, a data inventory is foundational for a privacy notice (it’s also required under GDPR). You can’t accurately describe your data practices if you don’t fully understand them. An inaccurate notice also creates exactly the kind of mismatch that UDAP enforcement targets.
As a bonus, completing a data inventory surfaces where data is vulnerable, which gives your security program a clearer picture of what needs protecting.
Keep it simple and make it findable
Your privacy notice shouldn’t be pages of legal jargon. Use plain, transparent language and break it into clear sections with descriptive headings.
One strategy that some companies use is a layered approach, incorporating a short summary of the key points at the top that links to more detailed sections below. That tl;dr version makes the notice approachable for most readers without sacrificing comprehensiveness.
The findability of your privacy notice matters as much as readability. That means making sure you include links to your privacy notice:
- From the footer of every page on your site
- Anywhere you collect personal information
(And while we’re talking about websites here, remember that you should also be presenting your notice before or at the time you collect personal information even if it’s in person or over the phone.)
Make consumer privacy rights easy to exercise
Your notice should explain not just that people have privacy rights, but exactly how they can use them. That means a working link to a webform or preference center, not buried boilerplate.
If your business is subject to laws requiring you to honor universal opt-out signals like Global Privacy Control, say so and make sure your systems actually honor it.
A privacy notice isn’t a one-time project
Your website won’t stay static over time. You’ll add and change photos or graphics, redesign the layout, and incorporate new functionalities. Your privacy notice should be similarly dynamic. Your business practices will change. Privacy laws will change. Your notice needs to keep pace with both.
We emphasize this because your privacy notice, while not a contract, is still a legal document you can be held accountable for. If what your notice says and what you actually do diverge, even gradually as business practices evolve, that’s a compliance risk.
Regularly reviewing your privacy notice can go a long way toward reducing those risks. At minimum, it should be done annually (and if you fall under CCPA’s jurisdiction, that annual review is a requirement), as well as anytime you make a substantive change to how you handle personal information, introduce a new service or product, or expand your operations into a new legal jurisdiction.
Let’s make your privacy notice something to click on
A privacy notice might have started as an item on your website punchlist, but it’s one of the most powerful ways to build trust with your customers. Consider this your permission to check it off, the right way. We can help you build everything from a simple privacy notice to a full privacy program, so it’s one less thing you have to wonder about.
Download our Privacy Notice Roadmap: Business Guide to get a clear picture of what your notice needs to include, or give us a call to set up your consultation today.
Privacy Notice Roadmap: Business Guide
Download our Privacy Notice Roadmap and take the guesswork out of creating clear, compliant, and consumer-friendly privacy notices.