If you run a website in the United States — whether it's an e-commerce store, a blog, a SaaS app, or a service business — you've probably wondered whether you legally need a Privacy Policy. The short answer is: almost certainly yes.
In this guide, we'll explain exactly when a Privacy Policy is required under US law, which laws apply to your business, and what your policy must include.
What is a Privacy Policy?
A Privacy Policy is a legal document that tells your website visitors what personal data you collect about them, why you collect it, what you do with it, and what their rights are. It's the foundation of privacy compliance for any US business operating online.
Personal data includes any information that can identify an individual — names, email addresses, IP addresses, payment information, browsing behaviour, and more.
Which US laws require a Privacy Policy?
Unlike the European Union, the US doesn't have a single federal privacy law. Instead, privacy is regulated by a patchwork of federal sector-specific laws and individual state laws. The most important ones for website operators are:
California Consumer Privacy Act (CCPA) and CPRA
The CCPA, as amended by the California Privacy Rights Act (CPRA), is the most comprehensive US state privacy law. It applies to any business that does business in California (including online) AND meets at least one of the following thresholds:
- Has annual gross revenue over $25 million, OR
- Buys, sells, or shares the personal data of 100,000 or more consumers or households, OR
- Derives 50% or more of annual revenue from selling consumers' personal information
Other state privacy laws
Even if CCPA doesn't technically apply to you, the following state laws may — and they all require a Privacy Policy:
- Virginia VCDPA — applies to businesses processing data of 100,000+ Virginia residents annually
- Colorado CPA — similar thresholds to Virginia
- Texas TDPSA — applies to businesses processing data of Texas residents
- Connecticut CTDPA — 100,000 consumers threshold
- Montana, Oregon, Iowa, Indiana — all have passed privacy laws taking effect in 2024–2026
Federal laws that may apply
- COPPA — if your site is directed at children under 13, or if you knowingly collect data from children
- CAN-SPAM Act — if you send commercial emails
- HIPAA — if you handle protected health information
- GLBA — if you're a financial services business
When does virtually every US website need a Privacy Policy?
Even if none of the above laws technically apply to your business right now, you almost certainly need a Privacy Policy if your website:
- Has a contact form (collects names and emails)
- Uses Google Analytics (collects IP addresses and browsing data)
- Has an email newsletter sign-up
- Processes payments online
- Uses Facebook Pixel, LinkedIn Insight Tag, or any advertising tracker
- Allows users to create accounts
- Uses cookies beyond strictly necessary session cookies
✅ The practical reality: If your website is accessible to visitors from California — which any publicly accessible US website is — the CCPA's spirit applies. Most US businesses include a Privacy Policy regardless of whether they technically meet the legal thresholds.
What must a US Privacy Policy include?
A compliant US Privacy Policy should include:
- Your company name and contact details
- What personal data you collect and how you collect it
- Why you collect and use the data
- Whether you sell or share personal data with third parties
- California residents' rights (access, delete, correct, opt-out of sale)
- Other state residents' rights as applicable
- Children's privacy disclosures (COPPA) if relevant
- How long you retain data
- How to contact you with privacy requests
- Your data security practices
- How you handle Do Not Track signals
What are the consequences of not having one?
The consequences vary by law, but can include:
- CCPA/CPRA: Fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Attorney General actively enforces these.
- FTC enforcement: The Federal Trade Commission can take action against businesses for deceptive privacy practices — including having no Privacy Policy at all.
- App store rejection: Both Apple App Store and Google Play require Privacy Policies for apps that collect personal data.
- Payment processor requirements: Stripe, PayPal, and most payment processors require a visible Privacy Policy.
⚠ Important: You don't need to suffer a data breach to face consequences. Simply failing to have an adequate Privacy Policy can trigger regulatory action or cause you to lose payment processing access.
The bottom line
If your US website collects any personal data — and virtually all of them do — you need a Privacy Policy. The good news is that generating a personalised, CCPA-compliant Privacy Policy doesn't need to cost hundreds of dollars in legal fees. DataShark generates a custom document based on your specific business, data types, and processors in under 3 minutes.
Ready to generate your GDPR policy?
Answer a few questions about your business and get a personalised, legally-structured document in minutes.
Start free — from £29 →