GDPR Art. 13 and Art. 14 require controllers to provide data subjects with specific information at the point of collection, including retention periods, third-party recipients, legal basis for each processing purpose, and a description of user rights. CCPA §1798.100 and LGPD Art. 9 impose equivalent disclosure obligations for US and Brazilian users respectively. An incomplete or missing privacy policy is not a minor oversight — it is a standalone regulatory violation independent of any breach. Regulators in the EU, UK, and California treat absent or skeletal policies as evidence of systemic non-compliance, which increases penalties. ISO-27001:2022 A.5.34 requires that privacy notice obligations be documented and fulfilled.
Severity is high because an absent or incomplete privacy policy is itself a regulatory violation under GDPR Art. 13, independent of any actual data misuse, and undermines user trust across the entire product.
Draft a policy that covers all seven required sections. A privacy policy generator (Iubenda, Termly) can scaffold the structure — customize it to match your actual data flows. Add a footer link to it on every page.
Required sections your policy must include:
1. Data collected — email, name, payment info, usage events, cookies
2. Purpose for each — contract/service delivery, analytics, marketing
3. Retention periods — account data: until deletion; analytics: 26 months; logs: 90 days
4. Third-party recipients — Stripe (payments), SendGrid (email), GA4 (analytics); include DPA links
5. User rights — access, deletion, correction, portability, opt-out of marketing
6. Legal basis — contract for service delivery; consent for newsletters; legitimate interest for fraud
7. Privacy contact — privacy@example.com or a web form
Link the policy in your root layout's footer so it appears on every page without authentication. Update within 30 days whenever you add a new third-party service or change a data handling practice.
ID: data-protection.data-collection-consent.privacy-policy-complete
Severity: high
What to look for: Enumerate every relevant item. Find the privacy policy page or document (typically at /privacy, /privacy-policy, or linked in the footer). Work through a checklist of required elements: (1) types of data collected, (2) purpose for each data type, (3) retention periods per data type, (4) list of third-party recipients with their roles (Stripe for payments, SendGrid for email, Google Analytics for analytics), (5) user rights section (access, deletion, correction, portability), (6) legal basis for processing under GDPR (consent, contract, legitimate interest, legal obligation), (7) data protection officer or privacy contact email, (8) how to submit a data subject request. Check whether the policy is linked from every page (typically in the footer) and whether it is accessible without authentication.
Pass criteria: At least 1 of the following conditions is met. Privacy policy exists, is accessible without login, is linked from all pages (footer), and covers all required elements: data types, purposes, retention, third parties, user rights, legal basis, and a privacy contact.
Fail criteria: No privacy policy exists. Policy exists but is not linked from all pages. Policy omits required elements such as retention periods, third-party services list, or user rights.
Skip (N/A) when: The application collects no personal data of any kind (purely public static site with no forms, no analytics, no auth).
Detail on fail: Specify what is missing. Example: "Privacy policy exists but does not list third-party services (Stripe, SendGrid, Google Analytics). Retention periods not specified. No user rights section." or "No privacy policy found — only a Terms of Service page that mentions data collection briefly."
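The "What to look for" checklist and the "Detail on fail" wording above can be partly automated. The following is an added example, not part of this check or any vendor tool: a heuristic audit that matches each required section against a saved copy of the policy text, insists on concrete retention durations, and cross-checks the third parties the policy names against the services the application actually integrates (the section keyword patterns, the sample policy and the integrated-service list are constructed assumptions).

```python
import re

# Required sections from the checklist, as keyword patterns (assumptions; tune
# them to your policy's wording). Matching is done on lower-cased text.
REQUIRED_SECTIONS = {
    "data types collected": r"(data|information)\s+we\s+collect",
    "purposes": r"\b(why we collect|purpose)",
    "retention periods": r"(retain|retention|how long we keep)",
    "third-party recipients": r"(share|third[- ]part(y|ies)|recipient)",
    "user rights": r"(your rights|right to (access|erasure|deletion|portability))",
    "legal basis": r"(legal basis|lawful basis|legitimate interest)",
    "privacy contact": r"(privacy@[\w.-]+|data protection officer|dpo@)",
}
# A retention section that names no concrete duration still fails the check.
RETENTION_PERIOD = r"\b\d+\s*(day|month|year)s?\b|until (account )?deletion"

def audit_privacy_policy(policy_text, integrated_services):
    """Report required sections and integrated services the policy omits."""
    text = policy_text.lower()
    missing = [name for name, pat in REQUIRED_SECTIONS.items()
               if not re.search(pat, text)]
    if "retention periods" not in missing and not re.search(RETENTION_PERIOD, text):
        missing.append("concrete retention periods")
    # Services the app really uses (e.g. from its dependency manifest) that the
    # policy never names are undisclosed recipients.
    undisclosed = [s for s in integrated_services if s.lower() not in text]
    return {"missing_sections": missing, "undisclosed_services": undisclosed,
            "passed": not missing and not undisclosed}

def fail_detail(result):
    """Render the finding in the 'Detail on fail' format used by this check."""
    if result["passed"]:
        return "Privacy policy covers all required elements."
    parts = []
    if result["undisclosed_services"]:
        parts.append("does not list third-party services (%s)"
                     % ", ".join(result["undisclosed_services"]))
    if result["missing_sections"]:
        parts.append("omits " + ", ".join(result["missing_sections"]))
    return "Privacy policy exists but " + "; ".join(parts) + "."

# Constructed sample policy: complete except that GA4 is used but not disclosed.
SAMPLE_POLICY = """
What data we collect: email, name, payment information, usage events, cookies.
Why we collect it: service delivery, analytics and marketing.
How long we keep it: account data until deletion; analytics 26 months; logs 90 days.
Who we share it with: Stripe (payments) and SendGrid (transactional email).
Your rights: access, correct, delete or export your data; opt out of marketing.
Legal basis: contract for the service; consent for newsletters; legitimate interest for fraud.
Contact us about privacy: privacy@example.com
"""
INTEGRATED = ["Stripe", "SendGrid", "Google Analytics"]  # constructed, e.g. from package.json
```

Running `fail_detail(audit_privacy_policy(SAMPLE_POLICY, INTEGRATED))` yields the finding that Google Analytics is used but not disclosed; treat a pass from this script as a prompt for the manual review above, not a replacement for it.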
Remediation: Use a privacy policy generator (Iubenda, Termly, PrivacyPolicies.com) as a starting point and customize it for your data flows. At minimum, your policy must address:
Required sections:
1. What data we collect (email, name, payment info, usage data, cookies)
2. Why we collect it (contract/service delivery, analytics, marketing)
3. How long we keep it (account data: until deletion; analytics: 26 months; logs: 90 days)
4. Who we share it with (Stripe – payment processing; SendGrid – transactional email; Google Analytics – analytics; list their DPA links)
5. Your rights (access your data, delete your account, correct information, data portability, opt out of marketing)
6. Legal basis (contract for account/service; consent for marketing; legitimate interest for fraud prevention)
7. How to contact us about privacy (privacy@example.com or a web form)
Add a link to the privacy policy in every page footer. Update the policy within 30 days whenever you add a new third-party service or change data handling.