Privacy Policy Analysis

Yes, most of these enhancements are necessary. Even though your business is based in the U.S., serving users in California and the EU puts you within the extraterritorial reach of the CCPA/CPRA and the GDPR, which apply based on where the user is located, not where the business is.
Here’s a breakdown of what’s required vs. optional for your situation:

Legally Required (or Strongly Recommended to Avoid Fines)

1. California (CCPA/CPRA):

You must include:
  • A section for California resident rights
  • Right to opt-out of "sale or sharing" of personal data
  • "Do Not Sell or Share My Info" link if applicable
  • Disclosure of:
    • Categories of data collected
    • Categories shared/sold
    • Retention periods (or criteria)
    • Rights to access, delete, correct data
    • Whether you use sensitive personal info (email content, biometric, etc.)
Even small U.S. companies fall under CPRA if they:
  • Process data of 100,000+ individuals OR
  • Have $25M+ in annual revenue OR
  • Derive 50%+ revenue from selling/sharing personal info

2. European Union (GDPR):

You must include:
  • Legal basis for processing (e.g. consent, contract)
  • Contact for exercising rights
  • Data transfer details (e.g., to U.S. + SCCs)
  • Right to lodge a complaint with an EU authority
  • Retention periods (even approximate ones)
  • Clear cookie consent, not just notice
GDPR applies if you target EU users (e.g., by language, shipping, services, or marketing).

🟨 Recommended (Helps Avoid Confusion, Build Trust, or Reduce Risk)

  • Cookie policy separated from privacy policy
  • List of subprocessors (or offer one upon request)
  • Clarified children’s data compliance by jurisdiction (U.S.: under 13, EU: under 16)
  • Explain AI or profiling practices, if applicable

🟥 Risk If Ignored

Ignoring these can trigger:
  • Regulatory fines (up to €20M under GDPR, $7,500 per violation under CPRA)
  • Private rights of action (e.g., for data breaches in California)
  • Enterprise deal blockers (EU or CA companies may refuse to sign up)

Would you like a GDPR/CPRA-compliant revision of your privacy policy?
Or would you prefer to try the lawyer-supervised AI instead? They have a custom process for Privacy Policies. (Sponsored Mention)