A combined GDPR and CCPA baseline policy, generated locally
Most websites and apps are legally required to publish a privacy policy. The UK and EU GDPR require a transparent privacy notice; California’s CCPA/CPRA and Canada’s PIPEDA add their own disclosure and rights obligations. This generator produces a structured policy that covers the core of all of them — what data you collect, why, the lawful basis, who it is shared with, how long you keep it, and the rights users can exercise — from a short guided form, with no sign-up and nothing uploaded.
What the law actually requires
Different regulations overlap significantly but each has its own emphasis:
UK and EU GDPR require a privacy notice that states what personal data you collect, the purpose and lawful basis for each processing activity, who you share it with, how long you retain it, and the individual’s rights. If you transfer data outside the UK or EEA you must also describe the safeguard used (adequacy decision, standard contractual clauses, etc.).
CCPA/CPRA (California) requires disclosure of the categories of personal information collected, the purpose, whether it is sold or shared with third parties for advertising, and the consumer’s rights to know, delete, correct, and opt out of the sale or sharing of their data.
PIPEDA (Canada) requires similar transparency — what information you collect, why, how it is used, and how individuals can access and correct it.
The good news: a well-written GDPR privacy notice satisfies most of what CCPA and PIPEDA require as well, because all three frameworks are built on the same transparency principles.
How it works
Your inputs are mapped onto the standard sections a compliant privacy notice needs:
- Data we collect — only the categories you tick (account details, contact data, usage/analytics, payment, location, etc.).
- Purposes and legal bases — each purpose you select is paired with the GDPR lawful basis you choose (consent, contract, legitimate interests, legal obligation).
- Sharing and processors — the third-party processors you name (hosting, analytics, payment, email) are disclosed.
- Retention — your stated retention period or criteria.
- Your rights — GDPR rights (access, rectification, erasure, portability, objection) and CCPA/CPRA consumer rights (know, delete, opt-out of sale/sharing).
- Contact — your privacy and DPO contacts and the right to complain to a regulator.
Everything is assembled client-side into clean HTML or Markdown.
Choosing the right lawful basis
Under GDPR, every processing activity needs a lawful basis. The most commonly applicable ones for websites and apps are:
- Consent — appropriate for marketing emails, optional analytics, or any processing the user can reasonably decline. Requires an affirmative opt-in and the ability to withdraw at any time.
- Contract — applies when processing is necessary to fulfil a contract with the user (e.g. processing a payment, creating an account they requested).
- Legitimate interests — covers processing that a reasonable person would expect, such as fraud prevention, security logging, or analytics that improve the service, provided the interest is not overridden by the user’s rights.
- Legal obligation — applies when a law requires you to retain or process data (e.g. tax records, anti-money-laundering checks).
Choosing the wrong basis is a common compliance error. “Consent” is often over-selected because it sounds safest, but if processing is genuinely necessary for a contract, legitimate interests is a more accurate and more stable basis — consent can be withdrawn, which creates operational problems if the processing is actually essential.
Tips and notes
Be specific: name your actual processors, give a real retention period, and choose the correct lawful basis for each purpose — vague policies are the most common compliance failure. Keep the policy in sync with your cookie policy and consent banner. If you process special-category data (health, biometrics), run automated decision-making at scale, or sell data, get a professional review — this generator produces a solid baseline, not bespoke legal advice for high-risk processing.