Privacy Policy Requirements for Online Stores

Every online store that collects personal information from visitors needs a privacy policy, and every online store collects personal information. Your checkout form captures names and addresses, your analytics tools capture IP addresses and browsing behavior, and your marketing tools capture email addresses and purchase history. Federal and state laws require you to disclose what you collect, why, and who gets access to it, and the penalties for getting it wrong range from $2,500 per violation under the CCPA to 20 million euros under the GDPR.

Who Needs a Privacy Policy

If your website has a contact form, a checkout page, an email signup, Google Analytics, a Facebook Pixel, cookies of any kind, or a customer account system, you need a privacy policy. That covers every commercial website in existence. There is no "too small" exception. A one-product store on Shopify with ten visitors a day has the same legal obligation as Amazon to disclose its data practices.

California's CalOPPA (California Online Privacy Protection Act) was the first law in the United States to require commercial websites to post a privacy policy. Because CalOPPA applies to any website that collects data from California residents, and any website accessible in California collects data from California residents, CalOPPA effectively requires every U.S. commercial website to have a privacy policy. Failure to comply within 30 days of notification can result in fines of $2,500 per violation, with each visitor who views your site without access to a privacy policy counting as a separate violation.

Beyond CalOPPA, the CCPA/CPRA, GDPR, and over a dozen state privacy laws layer additional requirements onto your privacy policy depending on where your customers live, what data you collect, and how large your business is. Your privacy policy needs to satisfy all applicable laws simultaneously, which means building it around the strictest requirements and adding jurisdiction-specific sections where needed.

Data You Collect (and Probably Do Not Realize)

Most store owners know they collect names, email addresses, shipping addresses, and payment information through their checkout process. The data collection that catches people off guard comes from the third-party tools embedded in their website. Each tool has its own data collection footprint, and your privacy policy must account for all of them.

Google Analytics collects IP addresses, browser type, operating system, screen resolution, pages viewed, time on page, referral source, and geographic location. Facebook Pixel tracks page views, add-to-cart events, purchases, and ties all of this activity to the visitor's Facebook profile. Hotjar and similar heatmap tools record mouse movements, clicks, scrolls, and in some cases full session recordings that capture everything the user types into form fields. Klaviyo, Mailchimp, and other email platforms track email opens, clicks, and browsing behavior on your site after a user clicks an email link. Shopify, WooCommerce, and other platforms collect their own analytics data in addition to whatever third-party tools you install.

Before writing your privacy policy, audit every tool, plugin, and service that operates on your website. Log in to each platform and review what data it collects, where that data is stored, who it is shared with, and how long it is retained. This audit is the foundation of an accurate privacy policy. If your policy says "we do not share data with third parties" but your Facebook Pixel sends customer browsing data to Meta every time someone visits your site, your policy is inaccurate and exposes you to enforcement action.
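The tool audit above can be partly automated. The following script is an added example, not part of this guide: it scans a storefront page for the loader scripts of the third-party tools named in this section (Google Analytics / Tag Manager, Facebook Pixel, Hotjar, Klaviyo) and reports any whose operator the privacy policy does not list. The host table is an assumed, deliberately partial list of the well-known loader domains, and the page HTML and disclosure set are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, partial map from loader host to the third party that receives the
# data. Extend it to match your own tool stack before relying on the output.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google (Analytics)",
    "www.googletagmanager.com": "Google (Analytics)",
    "connect.facebook.net": "Meta (Facebook Pixel)",
    "static.hotjar.com": "Hotjar",
    "static.klaviyo.com": "Klaviyo",
}

class ScriptScanner(HTMLParser):
    """Collect script hosts from <script src> tags and from inline script bodies."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self.in_script = True
        for name, value in attrs:
            if name == "src" and value:
                host = urlparse(value if "//" in value else "//" + value).hostname
                if host:
                    self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Pixel-style snippets inject the loader from inline JS rather than a
        # src attribute, so check script bodies for the known hosts as well.
        if self.in_script:
            self.hosts.update(h for h in TRACKER_HOSTS if h in data)

def find_trackers(html):
    """Return the set of third parties whose loader scripts the page embeds."""
    scanner = ScriptScanner()
    scanner.feed(html)
    return {TRACKER_HOSTS[h] for h in scanner.hosts if h in TRACKER_HOSTS}

def undisclosed_parties(html, disclosed):
    """Third parties present on the page but absent from the policy's disclosure list."""
    return sorted(find_trackers(html) - set(disclosed))

# Constructed sample storefront page: GA4 tag, an inline Pixel loader, Klaviyo.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();</script>
<script src="https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=EXAMPLE"></script>
</head><body><h1>Shop</h1></body></html>"""

# Constructed: what the store's current privacy policy says it shares with.
DISCLOSED = {"Google (Analytics)", "Klaviyo"}
```

Running undisclosed_parties(SAMPLE_HTML, DISCLOSED) on the sample returns the Pixel as the one undisclosed recipient, which is exactly the mismatch the paragraph above warns about.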

Required Disclosures for U.S. Privacy Laws

At minimum, your privacy policy must disclose the categories of personal information you collect (identifiers, commercial information, internet activity, geolocation, etc.), the sources of that information (directly from the consumer, automatically through cookies, from third parties), the business purpose for collecting each category, the categories of third parties with whom you share personal information, and the consumer rights available under applicable law.

The CCPA/CPRA adds specific requirements for businesses meeting its thresholds: a description of each category of personal information collected in the preceding 12 months, the categories of sources, the business or commercial purpose for collecting, the categories of third parties to whom data was disclosed, and whether you sell or share personal information (and if so, a "Do Not Sell or Share My Personal Information" link). You must also describe the consumer rights to know, delete, correct, and opt out, along with instructions for exercising those rights.

State laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others add requirements such as the right to opt out of targeted advertising, the right to opt out of profiling that produces legal effects, and the right to appeal a denial of a data rights request. While each law has slightly different requirements, structuring your privacy policy around the CCPA's framework and adding state-specific rights sections covers most bases.

GDPR Requirements for EU Customers

If any EU or UK residents visit your website, GDPR compliance adds substantial requirements to your privacy policy. You must identify the legal basis for each type of data processing (consent, contract performance, legitimate interest, or legal obligation). You must name your data controller (your business) and provide contact information. If you transfer data outside the EU, you must describe the transfer mechanisms and safeguards. You must describe the data subject rights including access, rectification, erasure, restriction, portability, and the right to object. And you must identify your data protection officer if you are required to have one.

GDPR also requires you to describe your data retention periods for each category of data, explain how you handle data breach notifications (72-hour notification to authorities), and provide information about automated decision-making if applicable. For most small ecommerce businesses, the GDPR requirements can be addressed in a dedicated section of your privacy policy covering EU-specific rights and processes.

How to Structure Your Privacy Policy

Organize your privacy policy around the information categories and questions that readers and regulators care about. A clear structure makes the policy easier for customers to read and easier for regulators to audit. Use these sections as your framework.

Information We Collect. Break this into information you collect directly (checkout forms, account registration, contact forms) and information collected automatically (cookies, analytics, device information). For each category, explain what specific data points are collected and why.

How We Use Your Information. List every purpose for which you use personal data: order fulfillment, payment processing, customer communication, marketing emails, website analytics, fraud prevention, legal compliance, and product improvement. Each purpose should be specific and honest. "Improving our services" is too vague. "Analyzing browsing patterns to improve product recommendations" is specific enough.

How We Share Your Information. Name the categories of third parties that receive your customer data: payment processors (Stripe, PayPal), shipping carriers (USPS, UPS, FedEx), email marketing platforms (Klaviyo, Mailchimp), analytics providers (Google), advertising platforms (Meta, Google Ads), and customer service tools (Zendesk, Gorgias). For each category, explain what data is shared and why. If you do not sell personal information, state that explicitly.

Cookies and Tracking Technologies. Describe what cookies your site sets, including both first-party cookies (session, cart, login) and third-party cookies (Google Analytics, Facebook Pixel, advertising networks). Explain how users can manage cookie preferences, and if you serve EU visitors, describe your cookie consent mechanism. Link to your cookie consent tool if you use one.

Data Retention. Specify how long you retain each category of data. Order data might be retained for seven years for tax compliance. Marketing email addresses might be retained until the subscriber unsubscribes. Analytics data might be retained for 26 months (Google Analytics' default). Account data might be retained until the customer deletes their account. Vague statements like "we retain data as long as necessary" do not satisfy GDPR requirements.

Your Rights. List the rights available to consumers under each applicable law: the right to know what data you have, the right to request deletion, the right to opt out of data sales or sharing, the right to correct inaccurate data, and the right to non-discrimination for exercising these rights. Provide clear instructions for exercising each right, including an email address, a web form, or a toll-free number.

Security. Describe the security measures you use to protect customer data, such as SSL/TLS encryption, PCI DSS compliance for payment processing, access controls, and regular security audits. Do not overstate your security posture, but provide enough detail to demonstrate that you take data protection seriously.

Children's Privacy. If your site is not directed at children under 13, state that you do not knowingly collect personal information from children. If a parent or guardian believes their child has provided information, provide instructions for requesting deletion. This addresses COPPA (Children's Online Privacy Protection Act) requirements.

Changes to This Policy. Explain how you will notify customers of material changes. Best practice is to update the "last modified" date at the top of the policy, post a notice on your website, and email registered customers about significant changes.

Common Privacy Policy Mistakes

Using a generic template without customizing it is the most common mistake. A template that lists "we may collect biometric data" when you do not, or omits Facebook Pixel when you use it on every page, is worse than no privacy policy at all because it demonstrates either dishonesty or negligence. Your policy must accurately reflect your actual data practices, not a hypothetical set of practices from a template.

Failing to update the policy when you add new tools or change data practices is another frequent problem. When you install a new analytics tool, switch email marketing platforms, or start running retargeting ads, your privacy policy needs to be updated to reflect those changes. Set a quarterly reminder to review your privacy policy against your current tool stack.

Burying the privacy policy link in a footer that is barely visible fails the "conspicuous posting" requirement. Your privacy policy link should appear in your website footer on every page, at the point of data collection (checkout, email signup, contact form), and in your cookie consent banner if you use one. The link should be labeled "Privacy Policy" rather than hidden behind creative language.

Claiming you do not share data when you do is the single riskiest mistake. Every third-party tool on your website that receives customer data constitutes sharing. Google Analytics receives browsing data. Your email platform receives email addresses. Your payment processor receives financial data. All of these are forms of third-party sharing that must be disclosed. The FTC has brought enforcement actions against businesses that claimed not to share data while using standard marketing and analytics tools that inherently involve data sharing.