What Happens If You Don't Have a Privacy Policy?
Operating without a privacy policy creates legal exposure on four fronts at once, from government penalties and private lawsuits to platform removal and lost commercial deals.
For online businesses, a privacy policy is a legal requirement, and operating without one creates exposure on four fronts at once: government penalties, private lawsuits, removal from the platforms you rely on, and lost commercial deals. The obligation attaches the moment you collect personal information, so the exposure exists whether or not anyone has complained yet.
Platforms and partners require privacy policies
Google's advertising and Analytics terms require a posted privacy policy that discloses your use of their tools and cookies; Meta imposes the same condition; and both the Apple App Store and Google Play refuse to publish an app without a privacy policy URL and will remove a live app that lacks one. Payment processors carry equivalent terms, so platform enforcement reaches most businesses long before a regulator does. Operate without a policy and you are in breach of the agreements that keep your store, your app, your ad campaigns, and your checkout running, and those partners can suspend you without the process a court would require.
Disclosure is a legal duty, and the penalties are steep
A privacy policy is the document through which a business discloses what data it collects, why, who receives it, and how a customer exercises their rights. Once you collect personal information from someone in a jurisdiction that requires disclosure, that policy becomes mandatory, and a contact form, an email signup, an analytics pixel, or a checkout field is enough to trigger the duty.
California has required a conspicuously posted policy for years, and the CCPA adds specific disclosure duties on top. As of January 1, 2025, California penalties run to $2,663 for each violation and $7,988 for each intentional violation or one involving a consumer under 16. The statute sets no cap on the total, so the figure climbs with the number of violations. Because each affected consumer can count as a separate violation, a modest customer list turns a per-violation figure into a six- or seven-figure total quickly. The GDPR reaches you the moment you offer goods or services to people in the EU or monitor their behavior there, with fines up to 20 million euros or 4 percent of annual global turnover, whichever is higher. Colorado, Connecticut, Virginia, Texas, and a growing list of states each add their own notice rules, so one website serving a national audience can violate a dozen statutes at once.
Regulators are enforcing this now
Sephora paid $1.2 million under the CCPA for failing to disclose data sales and offer an opt-out. California's Attorney General later reached a $1.4 million settlement with the mobile game maker Jam City after finding it failed to provide compliant opt-out mechanisms across 21 apps and shared the data of children aged 13 to 16 without the required consent. Regulators examine whether the disclosures exist, whether they match what the business does, and whether the rights mechanisms work, so a business with no policy fails the first question before the analysis starts and hands the regulator the cleanest possible case. The cure period that once softened a first violation is no longer guaranteed, because the enforcement agency now has discretion over whether to grant one.
Private lawsuits are a separate threat
Government fines are one channel. Litigation is another, and for many businesses that's the bigger risk. Several privacy statutes carry a private right of action, and the most active area today involves website tracking, where plaintiffs' firms bring claims under wiretapping statutes recast for analytics pixels, session-replay scripts, and advertising tags. A privacy policy supplies the disclosure-and-consent defense to those claims, so a business without one becomes the easier target. These suits settle in volume rather than producing single headline verdicts, which is what makes them dangerous, because the defense costs on even a weak claim can dwarf the price of the policy that would have prevented it.
A copied policy creates its own problems
Pulling a policy off another website and pasting it in solves nothing and creates a fresh liability. A borrowed policy claims practices you don't have, omits the ones you do, and promises retention limits and rights handling your operation can't deliver, which converts a disclosure failure into a false statement about your own practices. A policy works only when it matches the tools, vendors, data flows, and customer touchpoints the business operates.
Key Takeaways
- A missing privacy policy creates regulatory, litigation, platform, and commercial exposure at the same time, and those channels can fire together.
- California penalties reach $7,988 per intentional violation with no cap and with each affected consumer counted separately, and the GDPR reaches 4 percent of global turnover.
- Regulators and plaintiffs both act on a missing policy, and platforms suspend for it faster than any court would.
- A copied policy fails as a substitute, because the document has to match the data handling the business performs in practice.