How to Write a Privacy Notice That Meets GDPR Requirements
If you’re collecting personal data, whether through a signup form, cookie banner, or checkout page, GDPR requires you to disclose what you’re doing with it before or at the point of collection, using a privacy notice. Confusing this with your general privacy policy, or missing one of the mandatory disclosure elements, is one of the most common triggers for regulator scrutiny, even when the underlying data practices are compliant.
This guide covers exactly what a GDPR-compliant privacy notice must include, where it needs to appear, and the mistakes that most often get flagged.
What is a GDPR privacy notice?
A GDPR privacy notice is the specific, point-of-collection disclosure that tells someone what data you’re collecting, why, and what you’ll do with it. GDPR Article 12 requires this information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and Articles 13 and 14 set out exactly what it must contain.
Privacy notice vs. privacy policy
GDPR itself doesn’t actually use the terms “privacy notice” or “privacy policy” legally; they’re interchangeable. However, most organizations use “privacy notice” for the specific disclosure shown at the moment of data collection, like a signup form, or a cookie banner, and “privacy policy” for the longer, standalone document covering the organization’s overall data practices. Your privacy notice is often just a summary of, or link to, the fuller privacy policy — but the notice is what GDPR actually requires you to surface at the point of collection.
What does GDPR require in a privacy notice?
Articles 13 and 14 set the mandatory content, depending on how you collected the data. Basically, the law splits the content requirement by data source. Article 13 applies when you collect data directly from the individual, like through a signup form or an account registration, while Article 14 applies when you obtain data about someone from another source, like a third-party list, a data broker, or a public database. The two overlap heavily but aren’t identical.
Article 13 – data collected directly from the individual
When you collect data directly from the data subjects, the notice must include:
- Your identity and contact details (and your DPO’s, if you have one);
- The purpose of processing and its legal basis;
- Your legitimate interests, if that’s the basis you’re relying on;
- Who receives the data;
- Details of any international transfers and the safeguards used;
- How long you retain the data, or the criteria for deciding;
- The individual’s rights, including the right to withdraw consent and to complain to a supervisory authority;
- Whether providing the data is mandatory and what happens if they don’t;
- And whether you use automated decision-making or profiling.
Article 14 – data obtained from another source
When data comes from somewhere other than the individual, you need everything Article 13 requires, plus two additions: the categories of personal data involved, and where the data came from, including whether it was sourced from publicly accessible records. Timing differs too, as you must provide this notice within a reasonable period after obtaining the data (no later than one month), or at the time you first contact the individual, or before you share the data with another recipient — whichever comes first.
How that content must be presented
GDPR also covers how the notices must be presented, set under Article 12. Basically, even if every Article 13 or 14 element is technically present, a notice that fails Article 12’s presentation standard is still non-compliant.
Under Article 12, the information must be concise, transparent, intelligible, and easily accessible, in clear and plain language – with a stricter standard when the notice is aimed at children. It must be provided in writing or electronically, free of charge, and orally on request once identity is verified. In practice, regulators favour a layered format: a short summary up front, with full detail available a click away, rather than one dense block of legal text.
When do you need to provide a privacy notice?
Timing depends on where the data came from, and it’s stricter than most people expect.
If you collect data directly from the individual (Article 13), the notice must be provided at the time of collection. So, if someone fills out a form, the notice needs to be visible at that point, not retrofitted later.
If you obtain data from another source (Article 14), you have until whichever of these comes first — a reasonable period after obtaining the data (capped at one month), the point you first contact the individual, or before you share the data with anyone else.
One more trigger applies regardless of source: if you start using data for a new purpose beyond what you originally disclosed, you must notify the individual before that new processing begins — not after you’ve already started. In some cases, you will find that a company adds a new use case (say, using signup data for a new marketing channel) without updating the notice first. This is where many notices go stale.
How do you write a privacy notice step by step?
Article 12 and Articles 13/14 pull in opposite directions — one demands full legal detail, the other demands plain, accessible language. A layered notice resolves this: a short summary up front, full detail immediately below or linked. The steps below build both layers in the right order, so nothing gets missed.
Step 1 — Map your processing activities
List every point where you collect personal data: signup forms, checkout, cookies, support tickets, third-party integrations, newsletter signups. You can’t disclose a processing activity you haven’t identified, so this list is the foundation on which everything else builds.
Step 2 — Determine the legal basis for each activity
For each activity on your list, decide which Article 6 basis applies: consent, contract, legal obligation, vital interests, public task, or legitimate interests. This choice has to be made per purpose, not once for your whole notice, especially since things like sending marketing emails and processing payments will usually rest on different bases.
Step 3 — Set retention periods or criteria
For each activity, define how long you keep the data. If you can’t commit to a fixed period, state the criteria you use instead — for example, “until account closure plus 90 days for backup purge.” A vague “as long as necessary” without criteria doesn’t satisfy Article 13(2)(a).
Step 4 — Identify recipients and check for international transfers
List the actual third parties who receive or process the data. From your email provider to analytics tool, payment processor, or CRM, having a list of them all is better than a generic “service providers” line. For each one, check where the data is stored or processed; if any recipient sits outside the EU/UK, identify the transfer safeguard in place, such as adequacy decision, standard contractual clauses, or another approved mechanism.
Step 5 — Draft the summary layer
Write a short, plain-language summary covering what you collect, why, and how someone exercises their rights. This is the layer most readers actually see, so it needs to stand alone without requiring a click-through.
Step 6 — Draft the full-detail layer
Below or linked from the summary, write out the complete disclosure. This can include the legal basis per purpose, retention criteria, named or categorized recipients, transfer safeguards, and rights information, including the actual mechanism for exercising those rights (an email address or form) and the name of the relevant supervisory authority.
Step 7 — Match language to your audience
If your service is aimed at children, calibrate the language specifically for that audience, not adult legal language simplified slightly. For a general audience, the standard is “an average person reading it once,” not a lawyer.
Step 8 — Publish at every collection point
A complete notice does nothing sitting on one page if it isn’t visible where data is actually collected. Link or display it at every signup form, checkout page, cookie banner, and contact form — not just in a footer link to a general privacy policy.
Step 9 — Set a review trigger for updates
A notice goes stale the moment you add a new tool, vendor, or use case. Assign an owner and a concrete trigger — for example, “any new processor or data use requires a notice review before launch” — rather than a passive annual review note that nobody actually acts on.
What are the most common privacy notice mistakes under GDPR?
1. Publishing a generic template without adapting it
This is the mistake almost everyone starts with, because writing a privacy notice from scratch feels intimidating, and a template promises to skip the hard part. The problem is that a template is built to describe any business in general terms, which means, by design, it avoids saying anything specific. It ends up covering broad categories, such as data collected, purposes, and rights, without ever naming what your business specifically does with a customer’s information. A visitor reading it learns almost nothing about how your site actually works.
The deeper issue is that regulators don’t evaluate whether a privacy notice exists as a document — they evaluate whether it reflects reality. If your notice says data may be used for the operation and improvement of services, but doesn’t mention that you’re running email marketing, using a live chat tool that logs conversations, or sharing purchase data with a fulfillment partner, the notice isn’t wrong so much as incomplete in a way that matters. The gap only becomes obvious when someone actually compares what the notice says against what’s happening behind the scenes, which is usually the moment a complaint or an audit happens — not before.
2. Describing data sharing in vague terms instead of naming the actual tools
Most small businesses run on a stack of third-party tools without thinking of them as “data sharing” — Mailchimp for email, Google Analytics for traffic, Stripe or PayPal for payments, maybe a CRM like HubSpot for leads. Each of these receives personal data the moment a customer interacts with your site, but because using them feels routine, business owners rarely think to name them individually in the privacy notice. Instead, the notice says something broad about sharing data with service providers or partners as needed, which sounds compliant but tells the reader nothing real.
This is crucial because GDPR’s transparency requirement isn’t satisfied by acknowledging that sharing happens somewhere — it’s about the individual actually understanding where their data goes. A customer has no way to know their email address sits on Mailchimp’s servers, or that their browsing behavior is being logged by Google Analytics, unless the notice says so. When this gap gets flagged, it’s usually not because sharing data with these tools is itself a problem — most of it is perfectly legitimate — it’s because the notice never told anyone it was happening.
3. Letting the notice go stale as the business changes
A privacy notice is almost always written once, usually around the time a site launches, and then left alone. But businesses don’t stay still — you add a live chat widget, connect a new email platform, start running Facebook or Google ads with a tracking pixel, or bring on a new fulfillment partner who now has access to customer addresses. Each of these is a new use of personal data, and each one technically requires the privacy notice to be updated to reflect it. In practice, almost none of them trigger a review of the notice at all.
The result is a notice that was accurate on the day it was published and increasingly inaccurate every month afterwards, without anyone noticing because nothing forces the mismatch to the surface. It only becomes a visible problem when someone reads the notice closely and finds that it describes a version of the business that no longer exists. By then, the fix isn’t just updating a paragraph, you will still have to explain why the notice was wrong for however long the gap existed.
4. Skipping a real retention period
Retention is one of the required elements that almost everyone gets wrong, mostly because it requires a decision that the business has never actually made. Writing “we keep your data for as long as necessary” feels safe because it sounds cautious and legally minded, but it doesn’t actually tell anyone anything — it’s not a retention period, it’s the absence of one. GDPR requires either a specific timeframe or, if that’s not possible, the actual criteria used to decide how long data is kept.
The reason this gets skipped so often is that most small businesses have never sat down and decided how long they hold onto customer records after, say, an account is closed or an order is completed. There’s no internal policy to draw from, so the notice ends up with a placeholder instead of a real answer. Fixing this requires an actual internal decision first on how long do you genuinely need this data, and why, before the notice can say anything meaningful.
5. Listing rights with no real way to exercise them
Almost every privacy notice includes the standard list of rights — access, correction, deletion, objection, portability — because it’s easy to copy that list from GDPR itself or from a template. What’s far less common is a working mechanism behind that list. If a customer wants to actually exercise one of those rights, does the notice tell them exactly where to send that request? Is there a real inbox that gets checked, a form that goes somewhere, an actual person responsible for responding?
Without that, the rights section becomes decorative — technically present, legally referenced, but functionally useless to the person reading it. This tends to surface at the worst possible time: when someone actually tries to exercise a right, gets no response or a confused one, and escalates to a complaint. At that point, the absence of a working process is far more damaging than if the rights section had simply been shorter but backed by something real.
6. Disconnecting the cookie banner from the privacy notice
Most small business websites end up with two separate systems handling privacy: a cookie consent banner, usually added through a plugin with minimal customization, and a privacy notice, usually written or generated separately. Because these are built at different times, often by different people, they frequently don’t agree with each other. The cookie banner might mention analytics and advertising cookies, while the privacy notice describes a completely different or incomplete picture of what’s being tracked.
This inconsistency is easy to miss internally, because most business owners never read their own cookie banner and privacy notice side by side. But a visitor who clicks through from the cookie popup into the full privacy notice, expecting one coherent explanation, notices immediately when the story doesn’t match. That mismatch is a small thing individually, but it’s exactly the kind of inconsistency that undermines trust in the rest of the notice, and it’s a pattern regulators recognize as a sign the privacy program wasn’t built with much coordination.
7. Treating every use of an email address as covered by one justification
It’s easy to think of a customer’s email address as a single piece of data with one purpose, but GDPR treats each use of it separately, and each use needs its own legal basis. Sending an order confirmation is necessary to fulfill a contract — that’s straightforward. Adding that same customer to a marketing newsletter is a completely different activity, and in most cases requires their separate consent, not just the fact that they once made a purchase.
A lot of privacy notices blur this distinction, describing “communications” as one broad category without separating transactional messages from marketing ones. The gap usually stays invisible until a customer receives a marketing email they never agreed to, and complains, at which point the business has to explain why it assumed one justification covered both uses. This is one of the more common triggers for individual complaints, specifically, because it’s something an ordinary customer notices and reacts to directly, without needing to understand GDPR at all.
Why this should be a priority right now
The EDPB is actively auditing privacy notices across 25 DPAs through 2026
In October 2025, the European Data Protection Board announced that its 2026 coordinated enforcement action would focus specifically on transparency and information obligations — the exact rules that govern privacy notices, covering Articles 12 through 14 of GDPR. Twenty-five data protection authorities across Europe are taking part, examining how organizations actually inform people about their data, not just whether a privacy notice technically exists somewhere on their site. Participating authorities will reach out to controllers across different sectors with questionnaires asking them to explain how they meet these transparency requirements, and the findings will be pooled together later in the year to shape further enforcement and guidance.
This isn’t a one-off report or a piece of guidance sitting in a drawer — it’s active, coordinated fact-finding happening across the EU and EEA over the course of 2026, following the same pattern as previous coordinated actions on cookie banners and data subject access requests, both of which led to real investigations and fines once the findings came in.
What the coordinated sweep mean if you haven’t reviewed your notice
If your privacy notice hasn’t been touched since you first published it, this is the moment that gap becomes riskier than it used to be. A coordinated action means authorities aren’t just responding to individual complaints anymore — they’re proactively comparing notices against actual practices across many organizations at once, which tends to surface exactly the kind of drift covered in the mistakes section above: tools that were added without updating the notice, vague sharing language, retention sections that were never really filled in.
You don’t need to panic about this, and a small site is unlikely to be first in line for a formal investigation. But it’s a good, concrete reason to actually sit down and review your notice now rather than treating it as something you’ll get to eventually — because “eventually” is exactly the gap regulators are currently looking for.
Bottom line
If you take one thing from this guide, let it be this: a privacy notice isn’t a document you write once and forget. It’s a living reflection of what your business actually does with people’s data, and it needs to be revisited every time that changes. Map your processing activities honestly, name the tools you actually use, set real retention periods, and give people an actual way to exercise their rights. None of this requires a legal team or a big budget — it requires sitting down, being specific, and keeping the notice in sync with your business as it grows. With the EDPB’s coordinated action already underway, now is a genuinely good time to do that review rather than put it off.