Privacy Policy Generator

Free Privacy Policy & Privacy Statement Generator – GDPR, CCPA Compliant

Generate a comprehensive, legally-informed privacy policy or privacy statement in under 2 minutes. Updated for 2025: GDPR, CCPA, COPPA, PIPEDA, LGPD, and 8 new US state laws.

✓ No Credit Card Required ✓ Instant Download ✓ Multiple Jurisdictions

⚠️ Important Legal Notice

We are not lawyers and this tool does not provide legal advice. This generator provides a privacy policy/privacy statement template for informational and self-help purposes only. It does not constitute legal advice and does not create an attorney-client relationship. The generated document is based solely on your responses to our questionnaire. You are responsible for reviewing the generated policy and consulting with a qualified attorney to ensure it meets your legal obligations.

How to Use This Privacy Policy & Privacy Statement Generator

Creating your privacy policy or privacy statement is simple and takes under 2 minutes:

  1. Complete the 6-step questionnaire – Answer questions about your business, what data you collect, and where you operate. Only relevant questions will be shown based on your previous answers. You can use the “Previous” button to go back and correct any mistakes.
  2. Review the generated policy – Your custom privacy policy will be generated instantly and displayed on the right side of the screen.
  3. Download or copy – Download your privacy policy or privacy statement as HTML or plain text, or copy it to your clipboard.
  4. Edit if needed – Use the “Edit & Regenerate” button to modify your answers and create an updated version.
  5. Consult an attorney – Have a qualified attorney review the policy to ensure it meets your specific legal obligations.
  6. Implement on your site – Once reviewed, add the policy to your website, app, or platform.

Your progress is automatically saved in your browser, so you can return to complete the questionnaire at any time. Use the “Start Over” button if you want to generate a policy for a different business.

Understanding Privacy Policies vs Privacy Statements

The terms “privacy policy” and “privacy statement” are often used interchangeably and generally serve the same purpose: to inform users about how an organization collects, uses, stores, and protects personal information. Both documents are legally required in many jurisdictions and must comply with applicable privacy laws such as GDPR, CCPA, PIPEDA, and LGPD.

This generator creates comprehensive privacy documentation that meets the requirements of major privacy regulations worldwide, regardless of whether you call it a privacy policy or privacy statement.

Understanding Privacy Laws

Privacy laws vary significantly by jurisdiction, and compliance requirements depend on where your users are located and what types of data you collect. This generator helps you create policies that address requirements from major privacy regulations worldwide.

General Data Protection Regulation (GDPR) – 2025 Updates

The GDPR continues to apply to organizations processing personal data of individuals in the European Union. While core GDPR text remains unchanged, 2025 brought significant new guidance and requirements:

  • Article 48 Guidelines (Effective June 5, 2025): Mandatory disclosure of how organizations respond to third-country government data requests, including procedures for international agreements and exceptional circumstances
  • Pseudonymisation Guidelines (January 2025): Organizations must disclose pseudonymisation techniques and safeguards in privacy policies
  • Digital Services Act Interplay (September 2025): Enhanced requirements for platforms regarding recommender systems, advertising practices, and prohibition on using sensitive data for ads
  • Enforcement Reforms: New 15-month maximum investigation timeframes for most cases
  • Record-Keeping Proposal: Potential increase of Article 30(5) exemption threshold from 250 to 750 employees (pending adoption)
  • Transparency: Clear information about data processing activities must be provided at the time of collection
  • Legal basis: Processing must be based on one of six lawful bases defined in Article 6
  • Data subject rights: Eight rights under Articles 15-22
  • International transfers: Chapter V requires appropriate safeguards, including SCCs

UK Adequacy Extended: The European Commission extended UK adequacy until December 27, 2031 (draft proposal, highly likely to be adopted).

UK Data (Use and Access) Act 2025

The UK Data (Use and Access) Act 2025 received Royal Assent on June 19, 2025, implementing the UK’s most substantial post-Brexit privacy divergence:

  • Recognised Legitimate Interests (RLI): New framework allowing reliance on specified legitimate interests without balancing assessments for: direct marketing, network security, fraud prevention, and intra-group transfers
  • Purpose Limitation Reforms: More flexible approach to compatible purposes
  • Automated Decision-Making: Modified safeguards and notification requirements
  • Complaints Handling (Effective June 2026): Mandatory procedures including electronic submission, 30-day acknowledgment, and timely responses
  • Enhanced Security Measures: Risk-based approach to organizational security
  • Children’s Code Alignment: Integration with Age Appropriate Design Code requirements

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – 2025 ADMT Rules

The CCPA, enhanced by the CPRA effective January 1, 2023, grants California residents specific privacy rights. Under California Civil Code Sections 1798.100-1798.199, the key requirements for businesses are:

  • Disclosure requirements: Section 1798.110 requires disclosure of categories and specific pieces of personal information collected, sources of collection, business purposes, and third-party sharing
  • Consumer rights: Sections 1798.105, 1798.106, 1798.110, 1798.115, and 1798.120 grant rights to know, delete, correct, opt-out of sales/sharing, and limit use of sensitive personal information
  • Do Not Sell or Share: Section 1798.135 requires a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” on the homepage
  • Response requirements: Section 1798.130 mandates businesses respond to verifiable consumer requests within 45 days, extendable by an additional 45 days
  • Non-discrimination: Section 1798.125 prohibits discriminating against consumers who exercise their CCPA rights

Personal Information Protection and Electronic Documents Act (PIPEDA) – Quebec Law 25

PIPEDA governs how private sector organizations in Canada collect, use, and disclose personal information. Quebec’s Law 25 reached full implementation in 2025 with enhanced requirements:

  • Quebec Law 25 (Full Implementation 2025): Stricter consent requirements, mandatory breach notification, data portability rights, and de-indexing rights
  • Enhanced Transparency: Organizations must provide clear information about data processing purposes and retention periods
  • Accountability: Organizations must designate an individual accountable for compliance
  • Consent: Meaningful consent required, with ability to withdraw
  • Cross-border transfers: Must inform individuals about foreign government access risks
  • Access rights: Individuals can request access and challenge accuracy
  • Response time: 30 days for access requests
  • Privacy Impact Assessments: Required for high-risk processing

Lei Geral de Proteção de Dados (LGPD) – 2025 Updates

Brazil’s LGPD (Law No. 13,709/2018) received significant updates in 2025:

  • Local Representative Requirement (2025): Foreign organizations processing Brazilian data must appoint a local representative (legal entity or individual resident in Brazil)
  • ANPD Standard Contractual Clauses (Effective August 23, 2025): Mandatory for international data transfers with plain-language summaries published on websites
  • 15-Day SCC Access: Organizations must provide SCCs within 15 days upon request
  • Data Protection Officer: Article 41 requires DPO appointment for all organizations processing Brazilian data
  • Data subject rights: Nine rights including confirmation, access, correction, anonymization, deletion, portability
  • Response time: 15 days for data subject requests (fastest globally)
  • ANPD Enforcement: Increased enforcement activity with penalties up to R$50 million (approximately $10M USD)
  • 2025-2026 Regulatory Agenda: New regulations expected on DPIAs, children’s data, biometrics, security standards, and AI guidelines

US State Privacy Laws – 2025 Wave

Eight new US state privacy laws took effect in 2025, bringing comprehensive privacy rights to millions more Americans:

Delaware Personal Data Privacy Act (DPDPA) – Effective January 1, 2025

  • Applies to businesses with $25M revenue + 100k/35k consumers
  • Comprehensive consumer rights including access, deletion, correction, and portability
  • Opt-out rights for targeted advertising and sales
  • GPC support required by January 1, 2026

Iowa Consumer Data Protection Act (ICDPA) – Effective January 1, 2025

  • Applies to businesses with $40M revenue + 100k/25k consumers
  • 90-day response period (longest in US)
  • 60-day cure period for violations

Nebraska Data Privacy Act (NDPA) – Effective January 1, 2025

  • Applies to businesses with $25M revenue + 100k/25k consumers
  • GPC support required immediately
  • Universal opt-out mechanism required

New Hampshire Privacy Act (NHPA) – Effective January 1, 2025

  • Applies to businesses with $35M revenue + 100k/25k consumers
  • GPC support required immediately
  • Strongest enforcement among new 2025 laws

New Jersey Data Privacy Act (NJDPA) – Effective January 15, 2025

  • Applies to businesses with $35M revenue + 100k/25k consumers
  • Unique: Does NOT exclude employee or B2B data (most comprehensive scope)
  • GPC support required by July 15, 2025
  • Covers nonprofits and educational institutions

Tennessee Information Protection Act (TIPA) – Effective July 1, 2025

  • Highest applicability threshold: $25M revenue + 175k/25k consumers
  • Most restrictive – targets only large businesses
  • No universal opt-out mechanism currently required
  • 60-day cure period

Minnesota Consumer Data Privacy Act (MCDPA) – Effective July 31, 2025

  • Applies to businesses with $30M revenue + 100k/25k consumers
  • Unique profiling rights: Right to question and reevaluate automated decisions
  • Right to obtain list of specific third parties
  • Must maintain detailed data inventory
  • Extended deadline for post-secondary institutions (July 31, 2029)

Maryland Online Data Privacy Act (MODPA) – Effective October 1, 2025

  • Strictest data minimization standard in US: Can only collect what is “reasonably necessary and proportionate”
  • Applies to businesses with revenue thresholds of only $35k/10k (lower than other states)
  • Cannot process sensitive data except when “strictly necessary”
  • Prohibits targeted advertising to anyone under 18
  • Prohibits selling sensitive data
  • Requires assessment for EACH algorithm used
  • Six-month grace period (processing from April 1, 2026 forward)

Children’s Online Privacy Protection Act (COPPA) – 2025 Amendments

The U.S. Federal Trade Commission enforces COPPA (15 U.S.C. §§ 6501-6506), which was significantly updated in 2025 (effective April 22, 2026) with enhanced protections for children under 13:

  • Separate third-party consent: Operators must obtain separate consent before disclosing children’s information to third parties
  • Enhanced direct notices: Age-appropriate explanations must be provided directly to children
  • Expanded personal information definition: Now includes biometric identifiers, geolocation, and other new categories
  • Written security program: Mandatory written children’s data security program required
  • Data retention policy: Operators must establish and follow data retention policies
  • Vendor due diligence: Enhanced requirements for vetting third-party service providers
  • Verifiable parental consent: Operators must obtain verifiable parental consent before collecting personal information from children
  • Parental rights: Parents have enhanced rights to review, delete, and control their child’s information

2025 Privacy Law Overview

Critical Updates: 2025 marks the most significant year for global privacy regulation since GDPR’s implementation. Eight major frameworks introduced substantive changes requiring immediate updates to privacy policies, including California’s automated decision-making rules, Quebec’s full Law 25 implementation, Brazil’s local representative requirements, and eight new US state laws.

Key Deadlines: Most critical deadlines fall between December 2025 and August 2026, with penalties now reaching $50 million in multiple jurisdictions. GDPR fines totaled €1.2 billion in 2024, California secured its first $1.35 million enforcement, and Australia issued its inaugural $5.8 million Privacy Act penalty.

Jurisdiction-Specific Compliance Guides

GDPR Compliance Guide (EU & UK)

When GDPR Applies: GDPR applies to organizations that offer goods or services to individuals in the EU, or monitor the behavior of individuals in the EU, regardless of where the organization is located (Article 3).

Key Compliance Steps:

  • Identify your lawful basis for each processing activity (Article 6)
  • Implement appropriate technical and organizational measures to ensure data security (Article 32)
  • Establish procedures for handling data subject rights requests within one month (Article 12)
  • Maintain records of processing activities (Article 30)
  • Conduct Data Protection Impact Assessments for high-risk processing (Article 35)
  • Implement appropriate safeguards for international transfers (Chapter V)

Penalties: Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher (Article 83).

CCPA/CPRA Compliance Guide (California)

When CCPA Applies: CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: (1) annual gross revenues exceeding $25 million, (2) annually buy, sell, or share personal information of 100,000 or more California residents or households, or (3) derive 50% or more of annual revenues from selling or sharing California residents’ personal information.

Key Compliance Steps:

  • Update your privacy policy with required CCPA disclosures (Civil Code Section 1798.130)
  • Add “Do Not Sell or Share My Personal Information” link to your homepage (Section 1798.135)
  • If collecting sensitive personal information, add “Limit the Use of My Sensitive Personal Information” link
  • Establish two or more methods for submitting requests (toll-free number and website)
  • Implement procedures to verify consumer requests (Section 1798.140)
  • Train employees who handle consumer requests
  • Maintain records of requests and responses for 24 months

Penalties: The California Privacy Protection Agency can impose penalties up to $2,500 per violation or $7,500 per intentional violation.

PIPEDA Compliance Guide (Canada)

When PIPEDA Applies: PIPEDA applies to private sector organizations in Canada that collect, use, or disclose personal information in the course of commercial activities. Some provinces have substantially similar legislation that may apply instead.

Key Compliance Steps:

  • Designate an individual accountable for PIPEDA compliance
  • Obtain meaningful consent appropriate to the sensitivity of the information
  • Limit collection to what is necessary for identified purposes
  • Inform individuals when transferring data outside Canada and which foreign laws may apply
  • Implement safeguards appropriate to the sensitivity of the information
  • Make privacy policies readily available and understandable
  • Provide individuals access to their personal information upon request

Enforcement: The Privacy Commissioner of Canada investigates complaints and can make recommendations. PIPEDA does not provide for administrative monetary penalties, though Bill C-27 proposes to add them.

COPPA Compliance Guide (U.S. Children Under 13)

When COPPA Applies: COPPA applies to operators of commercial websites and online services directed to children under 13, or operators who have actual knowledge they are collecting personal information from children under 13.

Key Compliance Steps:

  • Post a clear privacy policy describing information practices for children’s information
  • Provide direct notice to parents of information practices
  • Obtain verifiable parental consent before collecting information from children
  • Give parents the right to review information collected from their children
  • Give parents the opportunity to prevent further use or collection
  • Limit collection to what is reasonably necessary for participation
  • Establish and maintain reasonable security procedures

Penalties: The FTC can seek civil penalties of up to $50,120 per violation (as adjusted for inflation under 15 U.S.C. § 45(m)(1)(A)).

Frequently Asked Questions

Do I need a privacy policy or privacy statement?

If you collect any personal information from users, process data of individuals in regulated jurisdictions (EU, California, Canada, etc.), or use cookies and tracking technologies, you likely need a privacy policy or privacy statement. Many privacy laws specifically require privacy policies, and major platforms like Apple App Store and Google Play Store mandate them for apps.

What’s the difference between GDPR and CCPA?

GDPR (EU) applies to processing of EU residents’ data and requires lawful basis for processing, grants eight data subject rights, and applies to most organizations regardless of size. CCPA (California) applies to larger businesses meeting revenue or data volume thresholds, focuses on transparency and consumer choice, and specifically addresses sale of personal information. GDPR generally has stricter consent requirements, while CCPA emphasizes opt-out rights for data sales.

How often should I update my privacy policy?

Update your privacy policy whenever you change your data practices, add new services or third-party tools, expand to new jurisdictions, or when relevant privacy laws change. At minimum, review your policy annually. When you make material changes, notify users according to the method described in your policy (email notification, banner, etc.).

Can I use this for my mobile app?

Yes, this generator includes questions about mobile apps and device permissions. However, mobile apps often have additional requirements from app stores (Apple App Store requires privacy nutrition labels, Google Play requires Data Safety sections). Ensure your policy addresses mobile-specific data collection like device permissions, advertising identifiers, and push notifications.

Is this legally binding?

A privacy policy becomes legally binding when you publish it and users interact with your service. Courts generally treat privacy policies as enforceable contracts. However, this generator provides a template for informational purposes only and does not constitute legal advice. You should have an attorney review your policy to ensure it accurately reflects your practices and meets all applicable legal requirements.

Do I need a lawyer to review this?

While this generator creates a comprehensive template based on major privacy laws, we strongly recommend having a qualified attorney review your privacy policy. Privacy law is complex and fact-specific, and an attorney can ensure your policy accurately reflects your specific data practices, complies with all applicable laws in your jurisdictions, and protects your business interests. This tool does not provide legal advice and cannot replace consultation with an attorney.

What if I operate in multiple countries?

This generator allows you to select multiple jurisdictions and will include relevant provisions for each. Generally, you should comply with the strictest applicable law (often GDPR). You can create one comprehensive policy covering all jurisdictions, or create jurisdiction-specific policies. Consider factors like your target audience, data flows, and business model. An attorney familiar with international privacy law can help determine the best approach for your situation.

Final Legal Notice

By using this privacy policy and privacy statement generator and downloading any generated documents, you acknowledge and agree that: (1) This service provides templates for informational purposes only and does not constitute legal advice, (2) Using this service does not create an attorney-client relationship, (3) We make no warranties about the accuracy, completeness, or legal adequacy of generated documents, (4) You are solely responsible for reviewing and ensuring the policy meets your legal obligations, (5) You should consult with a qualified attorney before using any generated privacy policy or privacy statement. To the maximum extent permitted by law, our total liability shall not exceed $100, and we disclaim all warranties and liability for any damages arising from your use of this service.
