Publish privacy policy

Control ID: publish-privacy-policy · Domain: data-privacy · Type: policy

Description

A privacy policy is the public-facing notice that captures the substantive transparency obligations of every modern privacy regime in a single document. The structural failure mode that produces most of the bad privacy policies in circulation is that the document is written for the lawyers who reviewed it rather than for the readers who are supposed to engage with it. Both audiences have to be served, and the tension between them is what makes the document harder to write well than its length suggests. The information sets converge across regimes. GDPR Articles 13 and 14 specify what has to be disclosed when personal data is collected from the data subject and when it is collected from a third-party source, respectively; the two lists are similar but not identical, and the cleanest privacy policies handle both pathways in parallel sections rather than collapsing them. CCPA's required disclosures at Civil Code 1798.130(a)(5) and the corresponding state-statute disclosures across Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Delaware, New Jersey, Maryland, and the rest of the active US state privacy laws each carry their own variants of the same disclosure obligations, with the no-sale-no-share disclosure and the right-to-opt-out-of-sensitive-personal-information disclosure being the most consistently distinctive US-side requirements. LGPD Article 9 in Brazil, DPDPA in India, PIPA in Korea, PIPEDA Principle 8 in Canada, the Australian Privacy Act, and the Mexican LFPDPPP each carry analogous obligations.

The convergent information set covers:

  • the categories of personal data collected;
  • the purposes of processing for each category;
  • the lawful basis under each purpose, where the regime requires a basis disclosure;
  • the retention period, or the criteria used to set it;
  • the third parties with whom the data is shared (sub-processors, advertising partners, professional advisors, and law-enforcement disclosures where the operator's policy carves out a path);
  • the cross-border transfer mechanisms relied upon;
  • the data-subject rights and the channel for exercising them;
  • the contact information for the controller and for the DPO or other designated representative, where one is required.

The text has to be both legally sufficient and accessible: plain language, organized by topic rather than by statute, with headings and structure that let a reader find what they care about without reading the whole thing. The GDPR's Article 12(1) language requirement ("concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child") is the most explicit version of the accessibility obligation, but the substance appears in most other regimes too. The tension that produces bad policies is that legal review optimizes for completeness, which pulls the document toward longer paragraphs with more conditionals and more cross-references; that drift produces a 12,000-word document that the average reader cannot navigate, and that regulators read as a transparency failure even when every individual disclosure obligation is technically satisfied.

The practical decomposition is four pieces. Content drafting captures the disclosure obligations across the operator's footprint, with the regime-specific carve-outs handled in parallel sections rather than collapsed into a global narrative. Legal review verifies that each substantive disclosure is accurate and complete. Accessibility review reads the document as a user would and flags the places where the language has drifted into terms of art that the average reader cannot engage with. And the publication-and-archive layer publishes the current version at a stable URL, retains previous versions with effective-date metadata so a user can determine what was disclosed at the time their data was collected, and surfaces a clear change log that summarizes what changed in each revision.

The piece that consistently surprises operators is the change-management discipline. The policy has to be re-published when material processing changes, and the previous versions have to remain accessible. The CCPA-specific 12-month update cadence under Civil Code 1798.130(a)(5) imposes a floor below which the policy cannot be stale; substantive processing changes require an update sooner. The archival obligation also matters in litigation: a class-action complaint or a regulatory inquiry into past data practices runs against the version of the policy that was in force at the time of the conduct, not against the current version, and an operator that has overwritten its policy without retaining the historical versions has lost the document it needs to defend itself.
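The publication-and-archive layer and the change-management discipline described above are straightforward to mechanise. The following is an added example, not code from the Magist page or from any vendor's product: a small versioned archive that never overwrites a published version, resolves which version governed processing on a given date, flags a current version that has passed a 12-month update floor, and emits a per-section change log with a content digest for each revision. The policy texts, section headings, dates and contact addresses are constructed sample data.

```python
"""Versioned privacy-policy archive (added example, constructed sample data).

Keeps every published version with its effective date, answers "which version
was in force on date X", flags staleness against an update floor, and builds
a per-revision change log that records added, removed and changed sections.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PolicyVersion:
    effective: date
    sections: dict[str, str]  # heading -> plain-language body

    @property
    def digest(self) -> str:
        # SHA-256 over the canonicalised sections, so an archived snapshot can
        # be matched to what was published at the stable URL at that time.
        canon = "\n".join(f"{k}\n{v}" for k, v in sorted(self.sections.items()))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class PolicyArchive:
    def __init__(self) -> None:
        self._versions: list[PolicyVersion] = []

    def publish(self, version: PolicyVersion) -> None:
        # Append-only: earlier versions are retained, never overwritten, and a
        # new version must carry a later effective date than the current one.
        if self._versions and version.effective <= self._versions[-1].effective:
            raise ValueError("effective date must follow the current version")
        self._versions.append(version)

    def current(self) -> PolicyVersion:
        return self._versions[-1]

    def in_force_at(self, when: date) -> PolicyVersion | None:
        """Version that governed processing on `when`; None if before the first."""
        governing = None
        for v in self._versions:
            if v.effective <= when:
                governing = v
        return governing

    def is_stale(self, today: date, max_age_days: int = 365) -> bool:
        """True when the current version is older than the update floor."""
        return today - self.current().effective > timedelta(days=max_age_days)

    def change_log(self) -> list[dict]:
        """One entry per revision: sections added, removed and changed."""
        log = []
        for prev, nxt in zip(self._versions, self._versions[1:]):
            a, b = prev.sections, nxt.sections
            log.append({
                "effective": nxt.effective.isoformat(),
                "added": sorted(set(b) - set(a)),
                "removed": sorted(set(a) - set(b)),
                "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
                "digest": nxt.digest,
            })
        return log


def build_sample_archive() -> PolicyArchive:
    """Constructed sample: two revisions of a short policy (hypothetical data)."""
    archive = PolicyArchive()
    archive.publish(PolicyVersion(date(2023, 3, 1), {
        "Data we collect": "Account email, device identifiers.",
        "Why we use it": "To operate the service and send receipts.",
        "Who we share it with": "Hosting and payment providers.",
        "Your rights": "Access, deletion, and opt-out via privacy@example.com.",
    }))
    # Second revision adds approximate location, an analytics provider, and a
    # new sale-or-sharing section; "Your rights" is unchanged.
    archive.publish(PolicyVersion(date(2024, 6, 15), {
        "Data we collect": "Account email, device identifiers, approximate location.",
        "Why we use it": "To operate the service and send receipts.",
        "Who we share it with": "Hosting, payment, and analytics providers.",
        "Your rights": "Access, deletion, and opt-out via privacy@example.com.",
        "Sale or sharing": "Device identifiers are shared with advertising "
                           "partners; opt out at /privacy/opt-out.",
    }))
    return archive


if __name__ == "__main__":
    archive = build_sample_archive()
    print(archive.in_force_at(date(2024, 1, 10)).effective)  # version governing Jan 2024
    print(archive.is_stale(date(2025, 7, 1)))                 # past the 12-month floor
    for entry in archive.change_log():
        print(entry)
```

The `in_force_at` lookup is what a litigation or regulatory inquiry into past conduct needs; `is_stale` is the mechanical check for the 12-month floor, with material processing changes still requiring an earlier update; and the change-log entries, together with the digest, are the archive-snapshot and change-log evidence listed under "Evidence formats" below.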

Required by (27 regulations)

  • CCPA/CPRA

    CCPA §1798.130(a)(5) — privacy policy disclosures, 12-month update cadence.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • CPA

    Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

  • CTDPA

    Conn. Gen. Stat. §§42-515 to 42-525

  • COPPA

    § 312.4 — direct notice + online notice covering data collection from children.

    15 U.S.C. §§6501-6506; 16 CFR Part 312

  • DE PDPA

    Del. Code Ann. tit. 6, ch. 12D

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Articles 12-14 — transparency and information obligations.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • IT Rules 2021

    Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, issued under the Information Technology Act, 2000 (Act No. 21 of 2000), as amended by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2023

  • Indiana CDPA
  • Iowa CDPA
  • LGPD

    Article 9 — right to access information about processing.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • MODPA

    Md. Code Ann., Com. Law §§14-4601 to 14-4616

  • LFPDPPP (superseded)
  • MCDPA

    Mont. Code Ann. §§30-14-2801 to 30-14-2817

  • NJDPA

    N.J. Stat. Ann. §§56:8-166 to 56:8-188

  • OCPA

    Or. Rev. Stat. §§646A.570 to 646A.604

  • PIPA

    Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

  • PIPEDA

    Principle 8 — openness about policies and practices.

    S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)

  • Privacy Act

    Privacy Act 1988 (Cth), No. 119 of 1988

  • Tennessee IPA
  • UCPA

    Utah Code §§13-61-101 to 13-61-404

  • VCDPA

    Va. Code §§59.1-575 to 59.1-585

  • Texas CUBI

    Documents the notice CUBI requires before capturing a biometric identifier for a commercial purpose.

    Capture or Use of Biometric Identifier Act (CUBI)

  • Washington Biometric Privacy

    Provides the contextual notice that is one of RCW 19.375's three compliance paths (notice, consent, or opt-out) before enrolling a biometric identifier.

    Washington Biometric Identifiers Act (HB 1493, 2017)

  • Washington MHMDA

    Supports the standalone consumer-health-data privacy policy MHMDA requires, distinct from the general privacy policy.

    Washington My Health My Data Act (HB 1155, 2023)

  • Chile Law 19.628

    Chile's data-protection regime requires transparency about how personal data is processed.

    Ley N° 19.628 sobre Protección de la Vida Privada (1999); to be substantially superseded by Ley N° 21.719 (2024) effective 2026-12-01

  • UK GDPR

    UK GDPR Articles 13-14 require a published privacy notice describing processing.

Fulfilled by (3)

  • In-house build · low effort · $
  • onetrust · partial · low effort · $$
    Generates a tailored draft from a questionnaire; legal review still required.
  • termly · partial · low effort · $

Magist does not accept payment from vendors.

Evidence formats

  • privacy policy URL
  • archive snapshots
  • change log

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

© 2026 Magist