Most mid-market eCommerce brands already publish a privacy policy. Many of those documents were last comprehensively updated when teams first reacted to GDPR and the original CCPA — often 2019–2020. In 2026, that legacy language frequently omits disclosures now expected under:
- CPRA amendments and evolving California Privacy Protection Agency (CPPA) expectations
- Additional US state privacy laws beyond California [VERIFY: current count of comprehensive state privacy laws]
- California Invasion of Privacy Act (CIPA)-relevant disclosures tied to real-time tracking technologies
- Updated enforcement risk from automated compliance testing (including notice alignment with actual tag behavior)
A policy that looked “complete” half a decade ago can be materially out of date today — and mismatches between notices and practices are exactly what regulators and plaintiffs’ counsel look for.
This checklist is scoped for mid-market US eCommerce brands that may also have EU/UK visitors. Work through it section by section against your live policy and your actual stack.
Which laws require a privacy policy for your store?
GDPR applies when you process personal data of individuals in the EU/EEA, regardless of where the business is located. Shipping to the EU or operating a site accessible to EU users typically requires GDPR-aligned disclosures and legal bases.
UK GDPR applies to UK residents’ data as a parallel regime post-Brexit.
CCPA/CPRA applies to for-profit entities doing business in California that meet one of the statutory thresholds (revenue, volume of consumers’ personal information, or revenue from “sale”/sharing as defined).
CIPA is not threshold-dependent in the same way as CCPA: if you operate a site that deploys tracking technologies implicated by California litigation trends, notice and consent practices matter even for smaller brands.
Other US state laws (Virginia, Colorado, Connecticut, Texas, and others) often require a privacy notice and grant consumer rights. A CPRA-centered policy frequently covers many overlapping requirements, but do not assume full coverage without a deliberate mapping for your footprint.
Practical rule: If you sell in the US and have EU visitors, most brands need a policy that credibly addresses GDPR, CCPA/CPRA, and CIPA-aligned tracking disclosures at minimum.
Section-by-section privacy policy checklist
What information you collect
- Categories of personal information collected (names, emails, order history, browsing behavior, device identifiers, IP addresses, approximate location)
- Sources: directly from the customer, automatically via cookies/SDKs, and from third parties (platforms, partners, enrichment vendors)
- Whether you collect sensitive personal information as defined under CPRA (and analogous concepts under other laws), with any additional notices required
- CIPA-related disclosure: if you deploy analytics pixels, advertising SDKs, or session replay, disclose that third-party tools may capture interaction signals and, where applicable, real-time behavioral data — not only “we collected in the past” language
How you use the information
- Business purposes: fulfillment, fraud prevention, customer support, security, legal compliance
- Commercial purposes: marketing, advertising, analytics, product improvement
- For GDPR: identify legal bases (consent, contract, legitimate interests, legal obligation) tied to purposes — not a single blanket statement
- Whether you use personal data for profiling or automated decision-making that produces legal or similarly significant effects (disclose at a level appropriate to your actual use)
Who you share data with
- Categories of recipients: analytics providers, advertising platforms, payment processors, shipping carriers, ESP/CRM, support tools
- Whether you “sell” or “share” personal information under CPRA definitions — including sharing to ad platforms for cross-context behavioral advertising where applicable
- Whether you use data brokers or enrichment vendors
- GDPR: reference Data Processing Agreements with processors where required
Consumer rights
- Rights to know/access, delete, correct, and portability where applicable
- CPRA: opt-out of sale/sharing, limit sensitive information use where applicable, non-discrimination
- Clear instructions to exercise rights (webform and/or email), including authorized agent handling where you accept it
- Response timelines: GDPR 30-day baseline (extensions where permitted), CPRA 45-day baseline (extensions where permitted)
- A visible “Do Not Sell or Share My Personal Information” link path where required
Cookies and tracking technologies
- Cookie/SDK categories: strictly necessary, functional, analytics, advertising
- Name major technologies where feasible: GA4, Meta Pixel, TikTok Pixel, session replay tools — generic “we may use analytics cookies” language ages poorly under regulatory scrutiny
- Link to a cookie policy or preference center
- Explain how to opt out: preference center, browser controls, and industry opt-outs where used
- CIPA-specific: if tools may capture interaction content or transmit behavioral signals to third parties in real time, say so clearly — not only after-the-fact summaries
Internal resource: why CIPA requires specific disclosures about third-party tracking tools.
Data retention
- Retention periods by category or clear criteria
- GDPR alignment: no longer than necessary for the purpose
- CPRA: retention disclosures and justification expectations
International transfers
- Whether data leaves the EU/EEA/UK
- Transfer mechanisms: SCCs, UK IDTA/addendum, adequacy, DPF where applicable [VERIFY current transfer mechanisms for your vendors]
- UK-specific disclosures where UK data is processed in the US
Policy updates
- Last updated date (actually maintained)
- How material changes are communicated
- Effective date of the current version
Contact information
- Controller identity and contact methods
- EU/UK representative if required
- DPO contact if applicable
- A monitored privacy inbox (e.g., privacy@)
The CIPA gap: what most policies miss
Many templates never mention CIPA or real-time interception theories. Three disclosure gaps show up repeatedly in enforcement-adjacent risk:
1. Session replay
If you use Hotjar, FullStory, Clarity, or similar tools, disclose that sessions may be recorded — including interactions that reveal usage patterns — and tie that disclosure to your consent approach.
2. Third-party SDKs and pixels
Name the categories of tools that transmit data to advertising platforms. “We use advertising partners” is weaker than identifying the class of technology and its behavior.
3. Present-tense accuracy
If the site transmits signals while the user interacts, describe that reality in present tense. Past-tense-only descriptions can create a notice–practice mismatch when logs show real-time transmission.
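One way to check the three gaps above against what the site actually does is to compare captured third-party requests with the technologies the policy names. The script below is an added example, not part of the original checklist; the vendor domain table is illustrative rather than authoritative, and the capture entries are constructed to mimic what a HAR export or proxy log would yield.

```python
"""Added example: compare third-party requests captured from a store page with
the technologies a privacy policy names, to surface notice/practice mismatches."""
from urllib.parse import urlparse

# Illustrative mapping of vendor domains to the technology class a policy would
# name. Assumption: this small table stands in for a maintained vendor inventory.
VENDOR_DOMAINS = {
    "google-analytics.com": "GA4",
    "facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "tiktok.com": "TikTok Pixel",
    "hotjar.com": "Hotjar session replay",
    "fullstory.com": "FullStory session replay",
}

def classify(url):
    """Map a request URL to a tracker class by matching the host's domain suffix."""
    host = urlparse(url).hostname or ""
    for domain, tech in VENDOR_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return tech
    return None

def audit(entries, disclosed):
    """entries: (url, trigger) pairs, trigger being 'load', 'interaction' or 'unload'.
    Returns (undisclosed, realtime): tracker classes present but not named in the
    policy, and classes that transmit while the user is interacting with the page."""
    undisclosed, realtime = set(), set()
    for url, trigger in entries:
        tech = classify(url)
        if tech is None:          # first-party or unknown host: out of scope here
            continue
        if tech not in disclosed:
            undisclosed.add(tech)
        if trigger == "interaction":
            realtime.add(tech)
    return sorted(undisclosed), sorted(realtime)

# Constructed sample capture (not real traffic), in the shape a HAR export gives.
SAMPLE_CAPTURE = [
    ("https://www.google-analytics.com/g/collect?v=2", "load"),
    ("https://connect.facebook.net/en_US/fbevents.js", "load"),
    ("https://static.hotjar.com/c/hotjar-1.js", "load"),
    ("https://in.hotjar.com/api/v2/client/ws", "interaction"),    # replay beacon on scroll
    ("https://www.facebook.com/tr?ev=AddToCart", "interaction"),  # pixel event on click
    ("https://cdn.shopify.com/s/files/theme.js", "load"),         # first-party CDN, ignored
]

# Technologies the (constructed) policy names in present tense.
DISCLOSED = {"GA4", "Meta Pixel"}

if __name__ == "__main__":
    undisclosed, realtime = audit(SAMPLE_CAPTURE, DISCLOSED)
    print("Not named in policy:", undisclosed)
    print("Transmit during interaction:", realtime)
```

Anything in the first list is a naming gap; anything in the second list needs present-tense, real-time language in the tracking section rather than a past-tense summary.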
Internal resource: CIPA vs. CCPA — what your California compliance actually requires.
How often to update your privacy policy
- At least annually: review new state laws, new vendors, new data uses
- When you add tracking tools: new pixels, CDPs, chatbots, or session replay often require new specificity
- After incidents: breach notifications may require separate notices; policies may need alignment
- When regulators publish guidance: CPPA materials can change operational expectations for notices and links
Treat the policy as a living document — not a launch artifact.
Internal resource: California SB 690 and what it means for your current CIPA compliance posture.
Conclusion
A privacy policy is not boilerplate — it is the front page of your accountability story. For eCommerce, the highest-leverage updates usually combine accurate tool identification, rights pathways that work, and tracking disclosures that match technical reality.
For a broader GDPR program view, see PieEye’s GDPR compliance guide for eCommerce.
This checklist is for informational purposes and does not constitute legal advice. Privacy policy requirements vary by jurisdiction and business model — consult qualified legal counsel for your specific situation.