If your website has visitors from the European Union - and if you are online, it does - GDPR applies to you regardless of where your business is located.

A GDPR privacy policy is not optional. It is a legal requirement. And it needs to contain specific disclosures that generic privacy policy templates typically miss.

Here is what GDPR actually requires in your privacy policy and what gets businesses fined.

Why GDPR Privacy Policy Compliance Matters

GDPR enforcement is accelerating. Fines since 2018 have exceeded 7.1 billion euros, with 1.2 billion euros issued in 2025 alone. These are not just against tech giants - small and medium businesses are increasingly targeted.

The penalties for non-compliance:

  • Up to 4% of global annual turnover or 20 million euros, whichever is higher, for serious violations

  • Up to 2% of global annual turnover or 10 million euros for lesser violations

A missing or non-compliant GDPR privacy policy is one of the most common violations cited in enforcement actions.

What Your GDPR Privacy Policy Must Include

1. Identity and Contact Details of the Data Controller

Your GDPR privacy policy must clearly state:

  • Your company name and legal entity type

  • Your physical address

  • Your contact email for privacy inquiries

  • If applicable, your Data Protection Officer's contact details

  • If you are outside the EU, your EU representative's contact details

This is not optional. "Contact us at info@company.com" without a company name or address is non-compliant.

2. What Data You Collect and Why (Lawful Basis)

GDPR requires you to disclose every type of personal data you collect AND the legal basis for collecting it. There are six lawful bases:

  • Consent: The user explicitly agreed (opt-in checkbox, cookie consent)

  • Contract: Processing is necessary to fulfill a contract (order processing)

  • Legal obligation: You are required by law (tax records, anti-money laundering)

  • Vital interests: To protect someone's life (emergency situations)

  • Public interest: Government functions (rarely applies to businesses)

  • Legitimate interest: Your business interest outweighs the individual's privacy rights (analytics, fraud prevention)

Most businesses rely on consent (marketing emails) and contract (order fulfillment). Your GDPR privacy policy must state which basis applies to each data processing activity.

3. Who You Share Data With

List every category of third party that receives personal data:

  • Payment processors (Stripe, PayPal)

  • Analytics providers (Google Analytics)

  • Email marketing platforms (Mailchimp, Klaviyo)

  • Advertising networks (Google Ads, Meta)

  • Cloud hosting providers (AWS, Google Cloud)

  • Customer support tools (Zendesk, Intercom)

You do not need to name every individual company (though it helps), but you must describe the categories and purposes of sharing.

4. International Data Transfers

If personal data leaves the EU/EEA, your GDPR compliant privacy policy must explain:

  • Where data is transferred to (e.g., "United States")

  • The legal mechanism enabling the transfer (Standard Contractual Clauses, adequacy decision)

  • Where users can find a copy of the transfer safeguards

Since the Privacy Shield invalidation, most US-based businesses rely on Standard Contractual Clauses. If you use US-based services (Stripe, Google, AWS), you are transferring EU data internationally.

5. Data Retention Periods

GDPR requires you to state how long you keep each type of data. Not "as long as necessary" - specific timeframes:

  • Customer account data: X months/years after account closure

  • Order history: X years (often aligned with tax record requirements)

  • Marketing consent records: until consent is withdrawn

  • Analytics data: X months

  • Cookie data: specify cookie lifetimes

Vague retention statements are a common compliance failure.

6. Individual Rights

Your GDPR privacy policy must inform users of their rights and how to exercise them:

  • Right of access: Request a copy of their data

  • Right to rectification: Correct inaccurate data

  • Right to erasure: Request deletion ("right to be forgotten")

  • Right to restrict processing: Limit how you use their data

  • Right to data portability: Receive their data in a portable format

  • Right to object: Object to processing based on legitimate interest

  • Right to withdraw consent: Withdraw previously given consent at any time

  • Right to lodge a complaint: File a complaint with their national data protection authority

For each right, explain how users can exercise it (email address, online form, account settings).

7. Cookies

If your website sets cookies (and it almost certainly does), your GDPR privacy policy must:

  • List the cookies you set (or categories of cookies)

  • Explain what each cookie does

  • State whether they are first-party or third-party

  • Provide cookie lifetimes

  • Explain how users can manage cookie preferences

Additionally, you need a separate cookie consent mechanism (banner or dialog) that allows users to accept or reject non-essential cookies BEFORE they are set.

8. Automated Decision-Making

If you use automated processing that significantly affects users (credit scoring, automated content moderation, algorithmic pricing), you must:

  • Inform users that automated decision-making occurs

  • Explain the logic involved

  • Describe the significance and consequences

  • Explain how users can request human review

What Most GDPR Privacy Policies Get Wrong

Using a US Template for EU Compliance

A GDPR compliant privacy policy is structurally different from a US-style privacy policy. GDPR requires lawful basis, data subject rights, DPO information, and transfer mechanisms that US privacy law does not mandate. A template designed for CCPA compliance will not satisfy GDPR.

Using a Single Consent Checkbox

GDPR requires granular consent. "I agree to the privacy policy" as a single checkbox covering marketing, analytics, and third-party sharing is non-compliant. Each purpose needs its own consent mechanism.

Loading Trackers Before Consent

Loading Google Analytics, Facebook Pixel, or advertising cookies before the user consents is a GDPR violation. The cookie consent banner must appear before non-essential cookies are set, and "Continue browsing = consent" is not valid under GDPR.
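The requirement in the cookies section above and in this paragraph is the same one: non-essential tags must not run until the user has actively accepted their category. The following is an added example of how a site can enforce that in the browser; it is not code from the original article or from any product it mentions. The category names, the `cookie_consent` first-party cookie format, and the script URLs are assumptions chosen for illustration, and the script-injecting callback is passed in so the consent logic can also run outside a browser.

```javascript
// Consent-gated loading of non-essential third-party scripts (added example).
// Assumptions: two non-essential categories, a first-party consent cookie
// named "cookie_consent", and placeholder tag URLs. The consent cookie itself
// is strictly necessary and may be set without consent; the tags may not.

const NON_ESSENTIAL = ["analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// Parse the recorded choice out of document.cookie-style text, e.g.
// "session=abc; cookie_consent=analytics%3A1%2Cmarketing%3A0".
// Returns null when no choice has been recorded, so nothing may load yet.
function readConsent(cookieText) {
  for (const part of cookieText.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== CONSENT_COOKIE || value === undefined) continue;
    const consent = {};
    for (const pair of decodeURIComponent(value).split(",")) {
      const [category, flag] = pair.split(":");
      if (NON_ESSENTIAL.includes(category)) consent[category] = flag === "1";
    }
    return consent;
  }
  return null;
}

// Serialize a choice as the name=value pair the banner writes to
// document.cookie (the banner appends Path, Max-Age, SameSite and Secure).
function consentCookieValue(consent) {
  const body = NON_ESSENTIAL.map((c) => `${c}:${consent[c] ? 1 : 0}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(body)}`;
}

class ConsentGate {
  // loadScript(src) is the function that really injects a <script> tag.
  constructor(loadScript) {
    this.loadScript = loadScript;
    this.consent = null; // null means the user has not decided yet
    this.pending = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
    this.loaded = [];
  }

  // Register a tag under a category. It is queued, never loaded, until the
  // user has accepted that category, so no tracker fires on page load.
  register(category, src) {
    if (!NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.consent && this.consent[category]) {
      this.load(src);
    } else {
      this.pending[category].push(src);
    }
  }

  // Called when the banner's Accept/Save button is pressed, or on a later
  // visit with the stored choice. Only categories explicitly set to true are
  // released; anything else stays unloaded. Passing {} rejects everything.
  applyConsent(consent) {
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    Object.assign(this.consent, consent || {});
    for (const category of NON_ESSENTIAL) {
      if (!this.consent[category]) continue;
      const queue = this.pending[category];
      this.pending[category] = [];
      for (const src of queue) this.load(src);
    }
  }

  load(src) {
    this.loaded.push(src);
    this.loadScript(src);
  }
}

// Walk through a page load: tags are registered, nothing runs, then the
// stored choice (analytics accepted, marketing refused) releases one tag.
function demo() {
  const gate = new ConsentGate((src) => {
    if (typeof document !== "undefined") {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  });
  gate.register("analytics", "https://example.invalid/analytics.js"); // placeholder
  gate.register("marketing", "https://example.invalid/pixel.js"); // placeholder
  const loadedBeforeChoice = gate.loaded.length;
  // Constructed cookie text standing in for document.cookie.
  const cookieText = "session=abc; " + consentCookieValue({ analytics: true });
  gate.applyConsent(readConsent(cookieText));
  return {
    loadedBeforeChoice,
    loaded: gate.loaded.slice(),
    marketingStillPending: gate.pending.marketing.length,
  };
}
```

The design point is that a missing or unparseable consent cookie resolves to "nothing loads", not to "everything loads": the only path that executes a queued tag is an explicit `true` for its category, which is what rules out the "continue browsing = consent" pattern.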

Copy-Pasting Another Site's Policy

Your GDPR privacy policy must reflect YOUR specific data practices, not a generic template. Regulators check whether policies match actual processing activities. A policy that mentions services you do not use (or omits services you do use) demonstrates non-compliance.

How to Get a GDPR Compliant Privacy Policy

Option 1: Lawyer ($500-$3,000)

A privacy attorney drafts a custom GDPR privacy policy for your specific business. Thorough but expensive.

Option 2: Subscription Service ($9-$15/month)

Services like Termly, Iubenda, and CookieYes generate privacy policies and manage cookie consent. Ongoing subscription cost ($108-$180/year).

Option 3: One-Time AI Generation ($29.99)

TermsCraft generates a GDPR compliant privacy policy through an interactive consultation. The system visits your website, identifies your data practices, and produces a policy covering GDPR, CCPA, PIPEDA, and other jurisdictions. One-time purchase of $29.99, no subscription.

Option 4: DIY (Free, Risky)

Write your own using templates and guides. Free but risky - missing a required disclosure can result in enforcement action. Only recommended if you have privacy law expertise.

Zack Knight

Author
