Fines up to €20,000,000 or 4% of global turnover
A dark desk at night with a laptop showing an abstract legal document and a printed page with a fountain pen, lit by warm golden lamplight, representing writing a website privacy policy
GDPR Basics

Does Your Website Need a Privacy Policy? What Must Go in It

Usantis Jul 6, 2026 5 min read

Short answer

If your website collects any personal data from people in the EU, and a contact form, an analytics tag or a newsletter signup already counts, Articles 13 and 14 GDPR require a privacy policy that names who you are, what you collect, why, who receives it, how long you keep it and what rights visitors have. Non-EU companies must also name their Article 27 EU representative in it. Copying another site's policy describes their data flows, not yours, which creates its own liability. Information-duty violations sit in the GDPR's top penalty tier of up to 20 million euro or 4 percent of global turnover.

The short version

Almost every website needs one. Here is why.

There is a page on your website that almost nobody reads, until the one reader arrives who matters: a data protection authority, a privacy-savvy customer, or the lawyer of someone who just filed a complaint. That page is the privacy policy, and the question of whether you need one has a shorter answer than most legal questions: if your site collects any personal data from people in the EU, you do.

The bar for "collects personal data" is far lower than most site owners think. A contact form counts. A newsletter signup counts. An analytics script, an embedded YouTube video, a login, a comment box, even server logs storing IP addresses, all of it is personal data under the GDPR. A website that does none of those things is rare enough to be a curiosity.

Art. 13 & 14
the GDPR articles that force the disclosure
€20M / 4%
top penalty tier for information-duty violations
Every page
where the policy must be reachable from

Who is caught

The law follows your visitors, not your address

The GDPR does not care where your company is registered. Under Article 3(2), it reaches any business, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour. A US SaaS with European users, a Canadian shop that ships to Germany, an Australian app with French downloads: all inside scope, all owing the same disclosures as a company in Berlin.

There is no revenue threshold and no company-size exemption for the information duties. And the EU is not alone: California's CCPA, the UK GDPR and a growing list of state and national laws all require substantially the same document. In practice, one well-built privacy policy covers the lot, which is also why skipping it fixes nothing and writing it once fixes almost everything.

For non-EU companies there is a twist that most templates miss entirely: if the GDPR applies to you and you have no office in the EU, Article 27 requires you to appoint an EU representative, and your privacy policy is precisely where that representative must be named. A missing representative line is visible to any investigator in a single page view.

The contents

What a privacy policy must actually say

Hands reviewing a printed checklist with a gold pen on a dark navy desk, representing the required contents of a GDPR privacy policy
Articles 13 and 14 read like a checklist. Your policy either answers every item for your site, or it has a gap.

Articles 13 and 14 are unusually concrete for legal text. Translated out of legalese, your policy needs to answer these questions about your site, not about websites in general:

  • Who you are. Legal name, address and a working contact for privacy matters. For non-EU companies caught by the GDPR: the name and address of your EU representative, and of your data protection officer if you have one.
  • What you collect and why. Each category of data (contact details, payment data, usage data) tied to a purpose and a legal basis. "We may collect certain information for various purposes" is the sentence regulators quote in their findings.
  • Who receives it. Your processors and recipients in plain categories: hosting, analytics, email provider, payment processor. If data leaves the EU, say so and name the safeguard.
  • How long you keep it. Retention periods, or at least the criteria that decide them.
  • What visitors can do about it. The data subject rights: access, correction, deletion, objection, portability, the right to withdraw consent and the right to complain to a supervisory authority.
  • Where the data comes from, if you did not collect it from the person directly. That is the Article 14 half that scraped and purchased lists trip over.

None of this requires poetry. It requires accuracy, which is exactly what makes the next section the most important one.

One document is not the other two

Privacy policy, cookie policy, terms: three jobs, not one

Site owners routinely treat these as interchangeable legal wallpaper. They answer different questions, and only one of them is generally required by law.

Required by law

Privacy policy

Covers
How you handle personal data end to end
Named in
A link reachable from every page
Enforced by
Data protection authorities
Mandatory
Consent layer

Cookie policy

Covers
The specific cookies and trackers your site sets
Named in
Your consent banner and footer
Enforced by
ePrivacy rules and DPAs
Needed with tracking
Contract

Terms of service

Covers
The deal between you and your users
Named in
Signup and checkout flows
Enforced by
Contract law and courts
Optional but wise

The privacy policy is the load-bearing one. It is also the only one of the three where the law dictates the table of contents, which is why it is the document you should generate from your real setup rather than adapt from someone else's.

The copy trap

Why borrowing another site's policy backfires

The most common way privacy policies get written is also the worst one: find a competitor, copy, replace the company name, publish. It feels safe because the text looks legal. It is the opposite of safe, for one simple reason: a privacy policy is not boilerplate, it is a factual statement about your data flows.

The copied policy names tools you do not run and misses the ones you do. It promises retention periods you have never implemented. It cites a data protection officer you do not have, or omits the EU representative you are required to name. Every one of those mismatches is a small, provable inaccuracy sitting on your own domain, and regulators treat inaccurate privacy information as a violation in itself, separate from whatever the underlying data practice is. In the US, the FTC has built enforcement actions on exactly that gap between what a policy says and what a company does.

The fix is not to write like a lawyer. It is to describe your actual setup, plainly, and keep the document in sync when your setup changes.

The move

How to get a correct policy in under an hour

A person typing on a laptop showing a glowing step-by-step form in a dark office, representing generating a privacy policy from a guided questionnaire
The honest shortcut: answer questions about your real setup, and let the document assemble itself around your answers.
  1. Inventory what your site actually does. Forms, signups, analytics, embedded content, payments, logins. Ten minutes with your own website and your tag manager tells you what belongs in the policy.
  2. Generate the document from your answers. Our free privacy policy generator walks you through the questions and produces a GDPR-ready policy for a website or app. It runs entirely in your browser, we never see or store your answers, and it costs nothing, no email required.
  3. Add the two things only you know. Your real retention practice and your full list of processors. This is the ten percent that turns a good template into an accurate disclosure.
  4. Link it from every page and keep it current. Footer link, signup forms, checkout. When you add a tool or change providers, the policy changes with it. If you already have a policy, our privacy policy checker shows you in a minute which GDPR essentials it is missing, including the Article 27 line.

Need a privacy policy that matches your actual website?

Answer a few questions and get a GDPR-ready privacy policy in minutes. Runs in your browser, nothing is stored, no email required.

Generate it free

One honest caveat to end on: a generated policy documents your setup, it does not change it. If your site tracks people before consent or you are missing your EU representative, the policy will be accurate and your setup will still have gaps. That is the part where USANTIS earns its keep: we act as the Article 27 EU representative for non-EU companies, the exact line most self-written policies leave blank. Check whether you need one in about a minute with the free compliance checker, then write the policy that says so.

Frequently asked questions

Stay off the enforcement tracker.

See whether Article 27 applies to you in about a minute, then set up your EU representative.