You need a Privacy Policy to comply with several U.S. privacy laws. New transparency requirements across several U.S. states require businesses to explain how they collect, use, and share personal information.

This article will explain how to create a Privacy Policy that complies with six important U.S. state privacy laws, list what you need to include, and demonstrate how to format and display your Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



U.S. Privacy Policy: What Does the Law Require?

In this article, we'll be looking at the following U.S. state laws, each of which requires a Privacy Policy:

All of these laws apply differently. If you're unsure whether a law applies to you, click the relevant link above to read our full article about it.

Other sector-specific laws also require some form of Privacy Policy, such as:

This article won't address these laws. If you want more information, click one of the links above.

How to Create a U.S. Privacy Policy

Under these U.S. state laws, your Privacy Policy must be clear, meaningful, and accessible.

To create a Privacy Policy that complies with all six of the laws explored above, you'll probably want to break the information up.

One way to do this is to divide the Privacy Policy into "California" and "Colorado, Connecticut, Utah, and Virginia." Make sure that the Privacy Policy is easy to navigate. Or you can create multiple Privacy Policies covering different states.

Note that each law requires other forms of notice in addition to a Privacy Policy. We're focusing only on the mandatory minimum information you must include in your Privacy Policy.

Now let's look at what each state law requires.

California Privacy Policy: (CCPA/CPRA)

Here's the information you'll need to include in your Privacy Policy for California residents if your business is covered by the CCPA (CPRA).

The CPRA amends the California Consumer Privacy Act (CCPA), which was enacted in 2018 and took effect on January 1, 2020. When people refer to the CCPA, they normally mean the CCPA as amended by the CPRA. We'll stick with "CCPA (CPRA)" to make the distinction clear.

We'll also draw on the CPRA Regulations, which include Privacy Policy rules. At the time of writing, the California Privacy Protection Agency has finalized these regulations but they are not yet in force. They are unlikely to change substantially before they take effect, which is expected in April 2023.

Categories of Personal Information and Sources of Personal Information

To comply with the CCPA (CPRA), your Privacy Policy must disclose comprehensive information about how and why your business collects personal information.

Your Privacy Policy should detail the categories of personal information you collected in the previous 12-month period. You must group the types of personal information into the categories listed at Section 1798.140 (v) (1) and 1798.140 (ae).

For more information, read What is Personal Information Under the CCPA/CPRA? and How to Comply With the CPRA's "Limit the Use of My Sensitive Personal Information" Requirement.

The CCPA (CPRA) also requires that you list the categories of sources from which you collect personal information.

Some personal information might come from the consumer directly. You might also receive personal information from third parties. "Categories" of sources might include, for example, "marketing providers."

You can present this information in your Privacy Policy together, so consumers understand which categories of personal information come from which source.

Here's how MarchingOrder does this:

MarchingOrder CCPA Privacy Notice: Information We Collect from our Website

Business or Commercial Purposes for Collection

The CCPA (CPRA) requires you to identify the business or commercial purpose for which you collect personal data. The draft CPRA Regulations add that you must explain this in "a manner that provides consumers a meaningful understanding of why the information is collected."

Here's how Snap explains its purposes for collecting category "C" information:

Snap US State Privacy Notice: Characteristics of protected classifications under California or federal law clause

Information About Selling or Sharing

The CCPA (CPRA) requires that you notify consumers of the categories of personal information that you have sold or shared with third parties over the preceding 12-month period. If you haven't sold or shared any information with third parties in this period, you must disclose this.

Note that the terms "share," "sell," and "third party" all have specific definitions.

For more information, check out our articles CCPA: What Constitutes a "Sale" of Personal Information? and CCPA: What Constitutes "Sharing for Business Purposes."

Alongside each category of personal information you have sold or shared with a third party, you must identify the category of the third party to which the personal information was shared or sold.

You must also provide the business or commercial purpose for selling or sharing the personal information.

Here's how U.S. News does this:

US News California Privacy Notice: Personal information chart

This table shows which categories of personal information U.S. News has collected, alongside information about how the company has shared that information. However, the presentation could be more precise. It's arguably unclear which category corresponds with which purpose.

You must also disclose whether you have "actual knowledge" of selling or sharing personal information about a consumer under 16 in the preceding 12-month period.

Here's how CBRE does this:

CBRE California Privacy Policy: Consumers Under the Age of 16 clause

Information About Disclosure for Business Purposes

As well as information about "selling or sharing" personal information, your Privacy Policy must disclose the categories of personal information you have "disclosed for a business purpose" in the preceding 12-month period. If you have not disclosed any personal information for a business purpose in that period, you must say so.

See our CCPA: What Constitutes "Sharing for Business Purposes?" article for more information about what this means.

The rules here are the same as above. With reference to the previous 12 months, you must disclose:

  • The categories of personal information you have disclosed for business purposes
  • For each category of personal information, the categories of third parties to whom you disclosed the personal information, and
  • Your business or commercial purposes for disclosing the personal information

Here's how Videoamp explains the categories of third parties to which it has disclosed personal information for a business purpose:

Videoamp CA Privacy Rights Under the CCPA: Disclosures for a business Purpose clause

Sensitive Personal Information

The CPRA Regulations require that your Privacy Policy explain whether you use or disclose sensitive personal information for a non-exempt purpose.

Here's how Clarivate does this:

Clarivate CA Privacy Policy: Sharing your sensitive personal information clause

Consumer Rights

Under the CCPA (CPRA), your Privacy Policy must inform consumers about their rights, specifically:

  • The "right to know" what personal information you collect about a consumer, including

    • The categories of personal information
    • The categories of sources of the personal information
    • Your business or commercial purpose for collecting, selling, or sharing personal information
    • The categories of third parties to whom you disclose personal information
    • The specific pieces of personal information you have collected about the consumer
  • The "right to delete" personal information, subject to certain exceptions
  • The "right to correct" inaccurate personal information
  • If you sell or share personal information, the "right to opt-out"
  • If you use or disclose sensitive personal information (unless covered by an exemption), the "right to limit" the use or disclosure of sensitive personal information
  • The "right to non-discrimination" and "right to non-retaliation"

Here's part of Walt Disney Company's Privacy Policy explaining the rights to access, delete, and opt-out:

Walt Disney California Privacy Rights: Your Rights - Access, delete and opt out of sale clause

You must also provide information about how consumers can exercise their rights, including:

  • The methods you provide for submitting a request
  • Instructions for submitting a request, including any links to an online request form or portal for making such a request
  • If you sell or share personal information, a copy of your "Notice of Right to Opt-out of Selling or Sharing" (or a link to it)
  • If you use or disclose sensitive personal information for non-exempt purpose, the contents of your "Notice of Right to Limit" (or a link to it)
  • A description of how you verify a consumer's identity, including any information the consumer must provide
  • An explanation of how you treat opt-out preference signals and how the consumer can use an opt-out preference signal
  • If you process opt-out preference signals in a frictionless manner, information on how consumers can implement opt-out preference signals to ensure you process them frictionlessly
  • Instructions on how an authorized agent can make a request under the CCPA on a consumer's behalf
  • If you have "actual knowledge" that you sell the personal information of consumers under 16, a description of the "right to opt in," both for consumers under 13 and consumers under 16
  • Contact information if consumers want to learn more about your privacy practices
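The "opt-out preference signal" items above are the one part of this list that an engineering team has to implement rather than write. The following is an added example, not code from the TermsFeed article or from any of the companies it cites. It assumes the signal is Global Privacy Control (GPC), which participating browsers send as the HTTP request header `Sec-GPC: 1` (mirrored in the browser as `navigator.globalPrivacyControl`). The `ConsentRecord` type, the tag catalogue and the request headers are constructed for illustration; the point it shows is the "frictionless" handling the regulations describe: the signal is honoured on the request it arrives with, without a banner or confirmation step, and any tag that would sell or share personal information is simply not loaded.

```python
"""Honouring an opt-out preference signal (GPC) server-side.

Added example; not code from the TermsFeed article. Assumes the signal is
Global Privacy Control, sent as the request header "Sec-GPC: 1". The consent
record, tag catalogue and headers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GPC_HEADER = "sec-gpc"  # header names are case-insensitive; compare lowercased


@dataclass
class ConsentRecord:
    """Hypothetical per-visitor consent state as a business might store it."""
    visitor_id: Optional[str]
    sale_opted_out: bool = False
    audit: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Tag:
    """A third-party tag or SDK and whether loading it sells/shares data."""
    name: str
    sells_or_shares: bool


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only for the exact value "1"; "0", an empty value, or anything
    else is treated as no signal at all."""
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    return normalized.get(GPC_HEADER) == "1"


def apply_opt_out_signal(headers: Dict[str, str], record: ConsentRecord) -> ConsentRecord:
    """Treat the signal as a valid opt-out request: no banner, no confirmation
    step, and the decision is recorded once so the audit trail is idempotent."""
    if gpc_signal_present(headers) and not record.sale_opted_out:
        record.sale_opted_out = True
        record.audit.append("opted out of sale/sharing via opt-out preference signal")
    return record


def tags_to_load(headers: Dict[str, str], record: ConsentRecord,
                 catalogue: List[Tag]) -> List[Tag]:
    """Return the tags this response may load.

    Tags that sell or share personal information are dropped for an opted-out
    visitor; first-party and service-provider tags are unaffected.
    """
    record = apply_opt_out_signal(headers, record)
    if record.sale_opted_out:
        return [tag for tag in catalogue if not tag.sells_or_shares]
    return list(catalogue)


def response_headers() -> Dict[str, str]:
    """Responses whose content depends on Sec-GPC must say so, otherwise a
    shared cache can serve an opted-in page (with its pixels) to an opted-out
    visitor, or vice versa."""
    return {"Vary": "Sec-GPC"}


# Constructed catalogue for the example.
CATALOGUE = [
    Tag("first-party-analytics", sells_or_shares=False),
    Tag("adtech-pixel", sells_or_shares=True),
    Tag("social-retargeting-sdk", sells_or_shares=True),
]

if __name__ == "__main__":
    visitor = ConsentRecord(visitor_id="v-123")
    loaded = tags_to_load({"Sec-GPC": "1"}, visitor, CATALOGUE)
    print([t.name for t in loaded], visitor.audit, response_headers())
```

Two design points are worth stating in the Privacy Policy text as well as in code: the signal is evaluated on every request, so a visitor who is not logged in is still opted out for the page they are viewing, and a visitor who has previously opted out stays opted out when a later request arrives without the header (the code never clears `sale_opted_out` on the absence of a signal).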

Here's how Tunnl provides much of the information above:

Tunnl California Privacy Rights: How CA residents can submit requests

Other Requirements

Your Privacy Policy should include the date that the policy was last updated.

Larger businesses that buy, receive, sell or share personal information about 10 million or more consumers in a calendar year must also compile and publish some additional metrics about the requests they receive. You can read about these requirements here.

California Privacy Policy: CalOPPA

CalOPPA applies more broadly than the CPRA, but is much simpler to comply with. The law covers any website or app that collects personal information about people in California. This covers websites and apps using cookies for analytics or marketing.

Here are CalOPPA's Privacy Policy requirements:

California Legislative Information: CalOPPA - Privacy Policy Requirements - Section 22575 b

Let's break that down.

CalOPPA requires you to list:

  • The categories of personal information your website collects
  • The categories of third parties with whom you may share personal information

Note that CalOPPA defines "personal information" more narrowly than the CCPA (CPRA). Here's an article about the differences between the two laws if you want to learn more.

Here's how NeuBase discloses its sharing of personal information:

NeuBase Privacy Policy: Will Your Information Be Shared With Anyone clause - Vendors, consultants and other third party service providers section

You must identify your Privacy Policy's effective date and explain how you will notify people about any changes to the policy.

Here's how Let Kids Learn does this:

Let Kids Learn Privacy Policy: Changes to this Privacy Policy clause

You must also disclose how your website responds to "Do Not Track" (DNT) signals from browsers, and whether third parties may collect personal information about a user's online activities over time and across different websites when the user uses your site.

Here's how G2, Inc. does this:

G2 Inc Privacy Policy: Do Not Track DNT and behavioral tracking sections

California isn't the only state with these types of requirements. Next we'll look at additional U.S. states and the laws they enforce.

Privacy Policy for Other U.S. States

Now, let's look at the four other states that require a Privacy Policy (or soon will): Virginia, Colorado, Connecticut, and Utah.

Here are the Privacy Policy requirements as they appear in Virginia's VCDPA:

Virginia Legislative Information System: VCDPA Privacy Policy requirements

It states:

C. Controllers shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
1. The categories of personal data processed by the controller;
2. The purpose for processing personal data;
3. How consumers may exercise their consumer rights pursuant to section 59.1-573, including how a consumer may appeal a controller's decision with regard to the consumer's request;
4. The categories of personal data that the controller shares with third parties, if any; and
5. The categories of third parties, if any, with whom the controller shares personal data.

Here's how the Privacy Policy requirements appear in Colorado's CPA:

Colorado gov: CPA text - Duties of controllers: Duty of transparency - Privacy Notice requirement: Section 6-1-1308

Here's the equivalent part of Connecticut's CTDPA:

Connecticut Gov: CTDPA: Privacy Notice requirement section

And finally, here's the relevant section of Utah's CPA:

Utah Gov: CPA: Privacy Notice requirement: Section 13-61-302

The requirements in these four states are very similar. Each requires you to list:

  • The categories of personal data you process ("processing" covers collecting, using, storing, sharing, and practically any other operation on personal data),
  • Your purposes for processing each category of personal data,
  • Information about consumer rights and how to exercise them,
  • The categories of personal data you share with third parties (if any), and
  • The categories of third parties with whom you share personal data (if any)

Connecticut's CTDPA also requires that your Privacy Policy provides an email address or "other online mechanism" (e.g. a contact form).

Let's look at some examples of how businesses are meeting these requirements.

Data Processing, Purposes, and Sharing

Each of these four state laws requires you to explain what personal data you process, your purposes for processing it, and how you share it.

Here's how Kroll lists the categories of personal data it processes:

Kroll Privacy Notice: Categories of Personal Data We Collect clause

Note that unlike the CCPA (CPRA), none of these other state laws provides a predetermined list of categories of data.

You must provide your purposes for processing each category of personal data.

Here's how Vox Media explains its purposes for processing pixel tags:

Vox Media Privacy Notice: Disclosures for Virginia Residents - Pixel Tags clause

You might choose to present this information together.

Here's how Kaplan explains the third parties with whom it may share personal data, alongside information about the categories of personal data it processes and its purposes for processing:

Kaplan Privacy Notice: Special Notice for Virginia Residents - Professional or Employment Information clause - Categories of Third Parties with Which We Share Personal Data section

Consumer Rights

Each of these four state laws requires that you disclose consumers' rights and explain how to exercise those rights. Note that there are some differences between the rights offered under each of these four state laws.

Here's how Forbes lists the consumer rights under Virginia's VCDPA:

Forbes Privacy Statement: Virginia Privacy Rights clause

Here's how Brown & Brown Insurance explains how consumers can exercise their rights. Note that the company also explains some of the rules and expectations regarding the process:

Brown and Brown Insurance: Virginia Privacy Notice - How to Exercise the Above Rights clause

Each law except Utah's requires you to explain how consumers can appeal against a decision regarding their rights.

Here's how Chicory does this:

Chicory Privacy Policy: Virginia Privacy Rights section - Your Right to Appeal clause

An often overlooked part of Privacy Policy compliance, in the U.S. and elsewhere, is where you place and display your Privacy Policy. The next section covers this.

Displaying Your U.S. Privacy Policy

Once you've created your U.S Privacy Policy, you'll need to provide a link to the policy on your website or app.

The CCPA (CPRA) provides rules on how to display a link to your Privacy Policy on your website. The other state laws above do not provide such rules, but rulemaking processes in each state may provide them in future.

The link to your Privacy Policy must contain the word "privacy" and appear:

  • On your website homepage
  • On the "download or landing page" of your mobile app (if you have one)
  • In your mobile app's "settings" menu

Most websites provide a Privacy Policy link at the foot of their homepage.
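The homepage requirement is easy to regress when a site's footer is redesigned, so it is worth checking automatically. The following is an added example, not code from the TermsFeed article: a small check that parses a page and reports whether it contains a usable link whose visible text includes the word "privacy". The two HTML snippets are constructed for illustration; in practice you would feed it the fetched HTML of your homepage and app landing page.

```python
"""Check a page for a usable "privacy" link, as the CCPA (CPRA) requires on
the homepage and app download/landing page.

Added example; not code from the TermsFeed article. The sample HTML below is
constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element, including text
    nested inside child elements such as <span>."""

    def __init__(self) -> None:
        super().__init__()
        self._href: Optional[str] = None
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.anchors.append((text, self._href))
            self._href = None


def privacy_links(html: str) -> List[Tuple[str, str]]:
    """Return every link whose visible text contains "privacy" (any case)."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(text, href) for text, href in parser.anchors if "privacy" in text.lower()]


def check_page(html: str) -> List[str]:
    """Return a list of problems; an empty list means the page passes."""
    problems: List[str] = []
    links = privacy_links(html)
    if not links:
        problems.append("no link whose visible text contains 'privacy'")
    for text, href in links:
        # A link with no destination, or one that only runs script, does not
        # take the consumer to the policy.
        if not href.strip() or href.strip().lower().startswith("javascript:"):
            problems.append(f"link '{text}' has no usable href")
    return problems


# Constructed sample pages.
GOOD_HOMEPAGE = """
<html><body>
<footer>
  <a href="/about">About</a>
  <a href="/legal/privacy"><span>Privacy</span> Policy</a>
</footer>
</body></html>
"""

BAD_HOMEPAGE = """
<html><body>
<footer>
  <a href="/legal">Legal</a>
  <a href="/terms">Terms of Use</a>
</footer>
</body></html>
"""

if __name__ == "__main__":
    print(privacy_links(GOOD_HOMEPAGE), check_page(GOOD_HOMEPAGE))
    print(check_page(BAD_HOMEPAGE))
```

Run this against the rendered HTML rather than a server-side template, since footers are often injected by a client-side component and the link can be missing from the raw response even when it appears in a browser.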

Here's how Guardian Industries does this:

Guardian Industries website footer with Privacy Policy link highlighted

If you're separating states into separate Privacy Policies, you could use separate links. But you don't have to.

TaxAct provides a full Privacy Policy, plus a supplemental Privacy Notice for U.S. states. Here's how the company links to these policies on its homepage:

TaxAct website footer with Privacy Policy and State Privacy Rights links highlighted

And here's an example of how to link to your Privacy Policy via your app's "settings" menu, from the Android app Boost for Reddit:

Boost Reddit app menu with Privacy Policy link highlighted

In addition to these mandatory requirements, you can also link to your Privacy Policy wherever you collect personal information directly from consumers.

Here's how Chevening links to its Privacy Policy when collecting email addresses for a newsletter:

Chevening email subscribe form with Privacy Policy link highlighted

If you allow users to create an account with your company, you should also link to your Privacy Policy during the signup process.

Here's how Scientific American does this:

Scientific American Create Account form with Privacy Policy link highlighted

You should also provide a link to your Privacy Policy when customers are making a purchase from your site.

Here's how Amazon does this:

Amazon Checkout Page with Privacy Notice highlighted

Summary

Creating a Privacy Policy that complies with U.S. laws requires comprehensive knowledge of the personal information your business collects, uses, and shares about consumers.

Maintaining a Privacy Policy is not only a legal requirement. A well-written and legally compliant Privacy Policy also helps your business appear professional and transparent.

Ensure you comply with all applicable U.S. privacy laws when creating your Privacy Policy. Then, display it wherever you collect personal information.
