Privacy Policies for Online Businesses: What the Law Requires and What Platforms Demand

No single federal statute requires every U.S. website to have a privacy policy. But the combined effect of state privacy laws, FTC enforcement authority, and platform requirements means that every online business collecting personal information from users needs one, and the policy must accurately describe the business's data practices. A privacy policy that's inaccurate, incomplete, or absent exposes the business to regulatory enforcement, platform suspension, and class action liability.

The FTC Enforcement Framework

No federal statute requires every business to publish a privacy policy. But if a business publishes one, the FTC treats it as a binding representation under Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits unfair or deceptive acts or practices in commerce. A privacy policy that states "we don't sell your data" when the business shares user information with advertising partners that the CCPA defines as a "sale" is a deceptive representation. A privacy policy that describes data retention practices the business doesn't follow is a deceptive representation. And a privacy policy that promises security measures the business hasn't implemented is both deceptive and potentially unfair.

FTC enforcement actions have targeted businesses for privacy policies that contradicted their actual data practices, privacy policies that were materially incomplete (omitting categories of data collected or third parties receiving data), and privacy policies that described protections the business failed to implement. FTC consent orders typically require the business to correct the policy, implement a comprehensive privacy program, submit to 20 years of external audits, and pay penalties or consumer redress.

For every online business, the foundational rule is simple: the privacy policy must accurately describe what the business does with user data. If the business changes its data practices, the policy must be updated before the change takes effect.

State Privacy Laws

State privacy laws impose specific disclosure requirements that the privacy policy must satisfy. The requirements vary by state, and a business that collects personal information from residents of multiple states must comply with each applicable statute.

CalOPPA (California Online Privacy Protection Act, Cal. Bus. & Prof. Code §§ 22575-22579) is the broadest state disclosure mandate. It applies to any website or online service that collects personally identifiable information from California residents, regardless of where the business is located or how much revenue it generates. CalOPPA requires the privacy policy to identify the categories of personal information collected, describe how the business responds to "Do Not Track" browser signals, disclose whether third parties may collect personal information about users' online activities across different websites, and be conspicuously posted (accessible via a link using the word "PRIVACY" in capital letters or an equivalent icon on the homepage or first significant page). Penalties run up to $2,500 per violation after a 30-day cure period, and each visit to a non-compliant website may constitute a separate violation.

CCPA/CPRA (California Consumer Privacy Act, as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq.) applies to for-profit businesses doing business in California that meet any of three thresholds: annual gross revenue exceeding $26.625 million (adjusted effective January 1, 2025), buying, selling, or sharing the personal information of 100,000 or more California residents, or deriving 50 percent or more of annual revenue from selling or sharing personal information. CCPA requires the privacy policy to disclose categories of personal information collected in the preceding 12 months (organized by the statute's enumerated categories, including identifiers, commercial information, Internet activity, geolocation, biometric data, professional information, education information, inferences, and sensitive personal information), the specific business or commercial purpose for collecting each category, categories of third parties to whom the business discloses personal information, a description of consumer rights (right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information), and instructions for how consumers can exercise those rights.

CCPA also requires a "Do Not Sell or Share My Personal Information" link on the business's homepage and, if the business collects sensitive personal information, a "Limit the Use of My Sensitive Personal Information" link. The business must honor Global Privacy Control (GPC) signals sent by browsers and treat them as valid opt-out requests. The policy must be reviewed and updated at least once every 12 months. Penalties run up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA).

Beyond California, at least 19 states had comprehensive consumer privacy laws in effect or enacted as of early 2026, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Indiana, Kentucky, Rhode Island, and others. Each imposes its own privacy notice requirements, and while the disclosure categories are similar across statutes, the specific thresholds, consumer rights, and enforcement mechanisms differ.

Platform Requirements

Even if no state privacy law applies to your business (a threshold that's increasingly difficult to avoid), the platforms your business relies on require a privacy policy as a condition of use.

Apple's App Store requires every app that collects, transmits, or shares user data to post a privacy policy accessible from within the app and on the app's App Store listing page. Apps that don't comply face rejection or removal from the App Store.

Google Play requires a privacy policy for every app that handles personal or sensitive user data and for every app that targets children. Google requires the policy to be accessible within the app and on the app's Google Play listing page.

Shopify, Stripe, Square, and other payment processors require merchants to maintain privacy policies as a condition of their merchant agreements. Non-compliance can result in account suspension or termination of payment processing services.

Meta (Facebook/Instagram), Google Ads, and other advertising platforms require advertisers to maintain privacy policies that comply with the platform's data use policies. Running advertising campaigns without a compliant privacy policy can result in ad account suspension.

Platform requirements create a practical compliance floor that applies to every online business, including businesses that fall below the revenue or data-volume thresholds of state privacy statutes.

What the Policy Must Cover

Regardless of which specific statutes apply, your privacy policy should address the following categories.

What personal information you collect, organized by type (identifiers, contact information, device data, browsing activity, purchase history, geolocation, biometric data, and any other categories applicable to your business).

How you collect personal information, including direct collection (information the user provides), automatic collection (cookies, pixels, analytics tools, device identifiers), and collection from third parties (data brokers, advertising networks, public records).

Why you collect personal information, described with specificity (not "to improve our services" but "to process orders, deliver products, respond to customer inquiries, send marketing communications with the user's consent, personalize content, conduct analytics, and comply with legal obligations").

Who you share personal information with, organized by category of recipient (service providers who process data on your behalf, advertising partners, analytics providers, payment processors, and any other third parties).

How long you retain personal information and what criteria determine the retention period.

What rights users have (right to access, delete, correct, opt out of sale or sharing, port data) and how they can exercise those rights (email address, web form, toll-free number).

How you secure personal information (encryption, access controls, security assessments, without disclosing specific technical vulnerabilities).

How you handle children's data (COPPA compliance for users under 13, if applicable).

How and when the policy will be updated, and how users will be notified of material changes.

Cookie and Tracking Disclosures

If the business uses cookies, tracking pixels, analytics tools, advertising identifiers, or other tracking technologies, the privacy policy should disclose what technologies are used, what data they collect, what purposes they serve (analytics, advertising, personalization, session management), and how users can manage or disable them (browser settings, cookie preference tools, opt-out links for specific advertising networks).

While the United States doesn't have a comprehensive cookie consent law equivalent to the EU's ePrivacy Directive, several state privacy laws (including the CCPA's "sale" and "sharing" definitions) treat cookie-based data collection and sharing with advertising partners as activity requiring opt-out rights. If your website drops third-party advertising cookies, the data shared with those advertising partners may constitute a "sale" or "sharing" under the CCPA, triggering the opt-out link requirement.

Practical Recommendations

Write the privacy policy to describe your business's data practices, not someone else's. A policy generated from a template or copied from another company describes operations, data flows, and third-party relationships that may not match yours. If the policy states you don't sell data but your advertising cookies share data with ad networks, the policy is inaccurate and the FTC treats inaccuracy as deception.

Review and update the policy at least annually (CCPA requires this), and update it whenever you add a new data collection mechanism (a new analytics platform, a new advertising pixel, a new third-party integration) or change how you process existing data.

Include the date the policy was last updated. Both CalOPPA and CCPA require this, and it provides evidence that the policy was current at any given time.

Post the policy where it can be found. CalOPPA requires the policy to be accessible via a conspicuous link on the homepage. CCPA requires the link to be in the footer of every page. Platform requirements impose similar accessibility standards. A privacy policy buried behind three clicks doesn't satisfy any of these requirements.

If your business meets the CCPA thresholds, include a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link on your homepage, and configure your website to detect and honor GPC signals.

Have your attorney review the policy against your actual data practices at least once a year. A privacy policy is a legal representation. If it doesn't match reality, the mismatch is the violation, regardless of which statute applies.

Need advice tied to your business issue?

Share the issue. Get direct attorney review. Receive a concrete recommendation.

Submit an Inquiry