A missing privacy policy is not just an oversight — it is a legal violation under GDPR Article 13 (disclosure at point of collection), CCPA §1798.100 (right to know), and NIST 800-53 rev5 PT-1 (Privacy Policies, Agreements, and Processing). FedRAMP rev5 PT-1 requires agencies and their cloud providers to maintain and publish privacy notices. Users have no way to exercise data access, correction, or deletion rights without a published policy describing those rights. Regulators in California and the EU routinely issue fines for absent or incomplete policies even when no breach has occurred.
Severity is low at the code level because the absence of a privacy policy does not create a technical exploit path, but the legal and regulatory exposure is material and enforcement is routine.
Publish a privacy policy at /privacy and link it from the footer on every page. At minimum cover the six sections required by GDPR Art. 13 and CCPA §1798.100.
# Privacy Policy
## What We Collect
- Account data: email, name, role
- Usage data: pages visited, actions performed, audit submissions
- Technical data: IP address (hashed), browser type, timestamps
## How We Use It
To operate the service, improve reliability, and comply with legal obligations.
## Who We Share It With
Subprocessors only (list them: Supabase, Vercel, Stripe) — no sale of data.
## Your Rights
Access, correction, deletion, and portability requests: privacy@yourcompany.com
## Retention
Account data retained while active; deleted within 30 days of account closure.
Audit logs retained 90 days.
## Contact
privacy@yourcompany.com
Have counsel review the final policy. Add a `<link rel="privacy-policy" href="/privacy">` tag to your root layout's `<head>` for machine-discoverability.
ID: gov-fisma-fedramp.documentation-readiness.privacy-policy-published
Severity: low
What to look for: Look for a privacy policy page in the public site (usually /privacy or linked from footer). Count the number of required sections present: data collected, data usage, data sharing, user rights (access, deletion, portability), retention period, and contact information. Check whether it's complete and up-to-date.
Pass criteria: A privacy policy is published and publicly accessible. It describes at least 4 of the following sections: what data is collected, how it's used, who it's shared with, user rights (access, deletion, portability), retention periods, and contact information for privacy inquiries.
Fail criteria: No privacy policy found, or it covers fewer than 4 required sections.
Skip (N/A) when: Never — privacy policy is legally required for most projects handling user data.
Detail on fail: "No privacy policy page found. Footer does not link to /privacy."
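The check above can be automated. The following is an added example, not part of this check definition or of any audit tool: it takes already-fetched HTML for the site's root page and its privacy page (fetching is left to the caller so the code runs offline on constructed sample pages), detects a footer `<a href>` or `<link rel="privacy-policy">` pointing at the policy, counts which of the six required sections have a matching heading, and applies the "at least 4 of 6" pass criteria. The section names, keyword lists and function names are assumptions chosen for this example.

```python
"""Heading-based completeness check for a published privacy policy.

Added example; not the page's own tooling. Inputs are HTML strings the
caller has already fetched (sample pages below are constructed inline).
Section keyword lists are assumptions matching the six sections named
in the pass criteria.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional

# The six counted sections, each with keywords that mark a heading as
# covering it (keyword lists are assumptions, not a standard).
REQUIRED_SECTIONS: Dict[str, List[str]] = {
    "collected": ["collect", "gather"],
    "usage": ["use", "usage", "purpose"],
    "sharing": ["shar", "disclos", "third part", "subprocessor"],
    "rights": ["right", "access", "deletion", "portab"],
    "retention": ["retention", "retain", "keep"],
    "contact": ["contact", "inquir"],
}
MIN_SECTIONS = 4  # pass criteria: at least 4 of the 6 sections present


class _PageParser(HTMLParser):
    """Collects h1-h3 heading text, <a href> targets and rel=privacy-policy links."""

    def __init__(self) -> None:
        super().__init__()
        self.headings: List[str] = []
        self.links: List[str] = []
        self._in_heading = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("h1", "h2", "h3"):
            self._in_heading, self._buf = True, []
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "link" and a.get("href"):
            # HTML link type "privacy-policy" gives machine-discoverability
            if "privacy-policy" in (a.get("rel") or "").lower().split():
                self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag in ("h1", "h2", "h3") and self._in_heading:
            self.headings.append("".join(self._buf).strip().lower())
            self._in_heading = False

    def handle_data(self, data):
        if self._in_heading:
            self._buf.append(data)


def find_sections(policy_html: str) -> Dict[str, bool]:
    """Map each required section to whether some heading covers it."""
    p = _PageParser()
    p.feed(policy_html)
    found = {name: False for name in REQUIRED_SECTIONS}
    for heading in p.headings:
        for name, keywords in REQUIRED_SECTIONS.items():
            if any(k in heading for k in keywords):
                found[name] = True
    return found


def policy_linked(site_html: str) -> bool:
    """True if the page links to a privacy policy via <a href> or <link rel>."""
    p = _PageParser()
    p.feed(site_html)
    return any("privacy" in target.lower() for target in p.links)


def evaluate(site_html: str, policy_html: Optional[str]) -> dict:
    """Apply the pass/fail criteria and build the finding detail string."""
    linked = policy_linked(site_html)
    if policy_html is None:
        detail = "No privacy policy page found."
        detail += "" if linked else " Footer does not link to /privacy."
        return {"status": "fail", "sections": 0, "detail": detail}
    found = find_sections(policy_html)
    count = sum(found.values())
    missing = [n for n, ok in found.items() if not ok]
    status = "pass" if count >= MIN_SECTIONS else "fail"
    detail = f"Privacy policy covers {count}/6 required sections."
    if missing:
        detail += f" Missing: {', '.join(missing)}."
    if not linked:
        detail += " Footer does not link to /privacy."
    return {"status": status, "sections": count, "detail": detail}


# Constructed sample pages (not real sites).
SITE_WITH_LINK = ('<html><head><link rel="privacy-policy" href="/privacy"></head>'
                  '<body><footer><a href="/privacy">Privacy</a></footer></body></html>')
SITE_WITHOUT_LINK = "<html><body><footer>&copy; Example</footer></body></html>"
COMPLETE_POLICY = ("<h1>Privacy Policy</h1><h2>What We Collect</h2><h2>How We Use It</h2>"
                   "<h2>Who We Share It With</h2><h2>Your Rights</h2>"
                   "<h2>Retention</h2><h2>Contact</h2>")
THIN_POLICY = "<h1>Privacy Policy</h1><h2>What We Collect</h2><h2>Contact</h2>"

if __name__ == "__main__":
    for site, policy in ((SITE_WITH_LINK, COMPLETE_POLICY),
                         (SITE_WITH_LINK, THIN_POLICY),
                         (SITE_WITHOUT_LINK, None)):
        print(evaluate(site, policy))
```

Heading keyword matching is deliberately loose (substring, case-insensitive) so that "Data Collection", "What We Collect" and "Information We Gather" all count as the same section; the trade-off is that a policy with a heading but no substantive text under it still passes, so the "complete and up-to-date" judgement in the check remains a manual step.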
Cross-reference: For incident response and security reporting procedures that complement the privacy policy, see the incident-response-plan check in this category.
Remediation: Create a privacy policy page:
# Privacy Policy
## Data Collection
We collect the following information:
- Account information: email, name, role
- Usage data: actions performed, audit logs
- Technical data: IP address, browser information
## Data Usage
- To provide and improve our service
- To comply with legal obligations
- To monitor security and prevent abuse
## Data Retention
- Active user data is retained while your account is active
- Audit logs are retained for 90 days
- Deleted accounts' data is permanently deleted after 30 days
## Your Rights
- Access: Request a copy of your data
- Correction: Update your information
- Deletion: Request permanent deletion
- Portability: Export your data
To exercise these rights, contact privacy@company.com