[COMPANY NAME] WEBSITE PRIVACY POLICY
U.S. Baseline Policy with State-Specific Addenda
[// GUIDANCE: Insert Company Logo or Letterhead Above, if desired]
TABLE OF CONTENTS
I. Document Header
II. Definitions
III. Operative Provisions (Information Practices)
IV. Representations & Warranties
V. Covenants & Restrictions
VI. Default & Remedies
VII. Risk Allocation
VIII. Dispute Resolution
IX. General Provisions
X. Execution Block
XI. State-Specific Addenda
A. California (CCPA/CPRA) Addendum
B. Virginia (VCDPA) Addendum
C. Colorado (CPA) Addendum
D. Connecticut (CTDPA) Addendum
E. Utah (UCPA) Addendum
I. DOCUMENT HEADER
1. Title; Parties.
This Website Privacy Policy (“Policy”) is issued by [COMPANY NAME], a [STATE] [entity type] (“Company,” “we,” “our,” or “us”), and governs the collection, use, and disclosure of Personal Information of any natural person who accesses or uses Company-owned websites, mobile applications, or online services (collectively, “Services”). “You” or “User” means an individual who interacts with the Services.
2. Recitals.
WHEREAS, Company collects, uses, and discloses Personal Information in the ordinary course of providing its Services; and
WHEREAS, Company desires to set forth its privacy practices in a legally enforceable policy that complies with applicable U.S. federal and state privacy laws;
NOW, THEREFORE, Company hereby adopts this Policy effective as of [EFFECTIVE DATE] (the “Effective Date”).
3. Jurisdiction Specification.
Unless otherwise stated in a State-Specific Addendum, this Policy is governed by the laws of the State of [CHOICE-OF-LAW STATE], without regard to its conflict-of-laws rules.
II. DEFINITIONS
[// GUIDANCE: Edit or supplement definitions to reflect Company-specific data practices.]
“Aggregate Data” – Data that has been de-identified and combined with data from other sources such that it can no longer reasonably identify, relate to, describe, reference, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer or household.
“Business Purpose” – The use of Personal Information that is reasonably necessary and proportionate to achieve an operational purpose of the Company, such as account management, security, or compliance, as further detailed in Section III.
“Controller” – A person or entity that, alone or jointly, determines the purposes and means of processing Personal Information (synonymous with “business” under the California Consumer Privacy Act, as amended).
“Personal Information” – Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular consumer or household.
“Process,” “Processing,” or “Processed” – Any operation performed on Personal Information, whether automated or manual, including collection, use, storage, disclosure, analysis, deletion, or modification.
“Sensitive Personal Information” – Personal Information that reveals a consumer’s precise geolocation, Social Security, driver’s license, state identification card, or passport number; racial or ethnic origin; religious or philosophical beliefs; union membership; genetic data; biometric information; or information concerning mental or physical health.
“Service Provider” / “Processor” – A third party that Processes Personal Information on behalf of Company pursuant to a written contract that restricts the Processing to specified Business Purposes.
III. OPERATIVE PROVISIONS (INFORMATION PRACTICES)
1. Categories of Personal Information Collected.
a. Identifiers (e.g., name, postal address, email address);
b. Commercial information (e.g., transaction history);
c. Internet or network activity (e.g., IP address, log data);
d. Geolocation data;
e. Professional or employment-related information;
f. [ADD others, if applicable].
2. Sources of Personal Information.
a. Directly from Users (e.g., registration forms);
b. Automatically from the Services (e.g., cookies, pixels);
c. Third-party data brokers or partners;
d. Publicly available sources.
3. Purposes for Collection & Use.
a. Provide and maintain the Services;
b. Perform customer service and account management;
c. Personalize User experience and deliver targeted content;
d. Conduct analytics, research, and product development;
e. Detect, prevent, and address security incidents or fraud;
f. Comply with legal obligations, including 15 U.S.C. § 45 (Federal Trade Commission Act, Section 5) and 15 U.S.C. §§ 6501–6506 (Children’s Online Privacy Protection Act);
g. [ADD additional purposes].
4. Disclosures to Third Parties.
a. Service Providers/Processors under written contracts;
b. Affiliates for internal Business Purposes;
c. Government authorities or law enforcement pursuant to legal process;
d. Successors in interest in connection with a merger, acquisition, or asset sale;
e. Other third parties with User consent.
5. Retention.
Company retains Personal Information for as long as reasonably necessary to fulfill the purposes outlined in this Policy, and thereafter only for so long as retention is required by applicable law, after which it is deleted or de-identified.
6. Cookies & Tracking Technologies.
We use first- and third-party cookies, pixel tags, local storage, and similar technologies for functionality, analytics, and advertising. Users may modify browser settings to decline cookies; however, certain features of the Services may not function properly.
7. Do-Not-Track (DNT).
The Services do not respond to browser DNT signals because no uniform technological standard has been adopted. This does not affect Company’s handling of opt-out preference signals that it is required to honor under a State-Specific Addendum.
8. Children’s Data.
The Services are not directed to children under 13, and Company does not knowingly collect Personal Information from children under 13 without verifiable parental consent in compliance with 15 U.S.C. §§ 6501–6506.
9. International Transfers.
Personal Information may be transferred to, and Processed in, countries outside the User’s jurisdiction. Company uses Standard Contractual Clauses or other lawful transfer mechanisms where required.
10. Notice of Material Changes.
Company will provide prominent notice of any material changes to this Policy at least [30] days prior to the effective date of the revised Policy.
IV. REPRESENTATIONS & WARRANTIES
1. Company represents and warrants that:
a. It has implemented and maintains commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction;
b. It will Process Personal Information solely for the Business Purposes stated herein and in compliance with applicable law;
c. Any Service Provider/Processor engaged by Company is bound by written contract to substantially similar privacy and security obligations.
2. Disclaimer.
EXCEPT AS EXPRESSLY SET FORTH ABOVE, THE SERVICES ARE PROVIDED “AS IS,” AND COMPANY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
3. Survival.
The warranties set forth in this Section IV shall survive for so long as Company retains the related Personal Information.
V. COVENANTS & RESTRICTIONS
1. Company Covenants.
a. To maintain a designated privacy officer;
b. To conduct periodic risk assessments and audits;
c. To maintain a written incident response plan.
2. User Restrictions.
a. Users shall not submit Personal Information of any third party without lawful basis or authorization;
b. Users shall not use the Services to Process Sensitive Personal Information unless explicitly requested by Company.
3. Notice & Cure.
In the event of a claimed breach of this Policy by either party, the claiming party shall provide written notice specifying the nature of the breach, and the responding party shall have [30] days to cure.
VI. DEFAULT & REMEDIES
1. Events of Default.
a. Material breach of any covenant, representation, or warranty herein;
b. Unauthorized disclosure of Personal Information contrary to this Policy;
c. Failure to comply with an applicable Data Subject Request (“DSR”) within statutory time frames.
2. Graduated Remedies.
a. Suspension of Services;
b. Injunctive or equitable relief without requirement to post bond;
c. Statutory damages and any other relief available under applicable law.
3. Attorneys’ Fees.
The prevailing party in any action or proceeding arising under this Policy shall be entitled to recover reasonable attorneys’ fees and costs.
VII. RISK ALLOCATION
1. Indemnification.
Company shall indemnify, defend, and hold harmless Users from and against any third-party claims arising out of Company’s material violation of this Policy or applicable privacy law (“Privacy Claim”), except to the extent such Privacy Claim results from User’s own misconduct, negligence, or violation of this Policy.
2. Limitation of Liability.
EXCEPT FOR (i) WILLFUL MISCONDUCT, (ii) GROSS NEGLIGENCE, OR (iii) LIABILITY THAT CANNOT BE LIMITED UNDER APPLICABLE LAW, THE AGGREGATE LIABILITY OF COMPANY TO ANY USER FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS POLICY SHALL NOT EXCEED THE GREATER OF:
a. USD $100; OR
b. THE MINIMUM STATUTORY DAMAGES THRESHOLD SPECIFIED BY THE JURISDICTION GOVERNING THE CLAIM.
3. Force Majeure.
Company shall not be liable for any delay or failure to perform resulting from causes outside its reasonable control, including acts of God, war, terrorism, labor disputes, or governmental regulations.
VIII. DISPUTE RESOLUTION
1. Governing Law.
This Policy and any dispute arising hereunder shall be governed by the laws of the State of [CHOICE-OF-LAW STATE].
2. Forum Selection.
The parties irrevocably consent to the exclusive jurisdiction of the state and federal courts located in [COUNTY, STATE] for any action not subject to arbitration.
3. Arbitration (Optional).
[CHECK ONE]
☐ Arbitration Not Applicable
☐ All disputes shall be finally settled by binding arbitration administered by [AAA/JAMS] under its [Commercial/Consumer] Rules. The place of arbitration shall be [CITY, STATE]. Judgment on the award may be entered in any court of competent jurisdiction.
4. Jury Trial Waiver (Optional).
TO THE EXTENT PERMITTED BY LAW, EACH PARTY WAIVES ITS RIGHT TO A TRIAL BY JURY IN ANY ACTION OR PROCEEDING ARISING OUT OF THIS POLICY.
5. Injunctive Relief.
Nothing in this Section shall restrict either party’s right to seek interim, emergency, or permanent injunctive relief in a court of competent jurisdiction.
IX. GENERAL PROVISIONS
1. Amendment & Waiver.
Company may amend this Policy as provided in Section III.10. No waiver of any provision shall be effective unless in writing and signed by an authorized representative of Company.
2. Assignment.
User may not assign or delegate any rights or obligations under this Policy without Company’s prior written consent.
3. Successors & Assigns.
This Policy shall bind and inure to the benefit of the parties and their respective successors and permitted assigns.
4. Severability.
If any provision is held unenforceable, such provision shall be modified to the minimum extent necessary to render it enforceable, and the remaining provisions shall remain in full force and effect.
5. Entire Agreement.
This Policy, including State-Specific Addenda, constitutes the entire agreement between the parties with respect to the subject matter herein, and supersedes any prior or contemporaneous understandings.
6. Electronic Signatures.
An electronic signature or manifestation of assent (e.g., clicking “I Agree”) shall have the same legal effect as a handwritten signature.
X. EXECUTION BLOCK
[// GUIDANCE: A Privacy Policy is typically posted rather than formally executed; however, many organizations include an internal execution page for corporate governance or audit purposes. Delete if unnecessary.]
Executed as of the Effective Date.
COMPANY: [COMPANY NAME]
By: _______
Name: [AUTHORIZED SIGNATORY]
Title: [TITLE]
Date: [DATE]
XI. STATE-SPECIFIC ADDENDA
[// GUIDANCE: Provide the following Addenda to satisfy state privacy statutes. Addenda incorporate by reference and prevail over conflicting baseline terms for residents of the identified state.]
A. CALIFORNIA CONSUMER PRIVACY ACT (CCPA/CPRA) ADDENDUM
1. Additional Definitions.
“Sale” and “Sharing” have the meanings set forth in Cal. Civ. Code §§ 1798.140(ad) and (ah), respectively.
2. California Consumer Rights.
California residents have the right to:
a. Know what Personal Information we collect, use, disclose, and sell/share;
b. Delete Personal Information we hold;
c. Correct inaccurate Personal Information;
d. Opt-out of Sale or Sharing of Personal Information, including through an opt-out preference signal (e.g., Global Privacy Control) that Company is required to honor under California regulations;
e. Limit the use of Sensitive Personal Information;
f. Not receive discriminatory treatment for exercising these rights.
3. Submission of Requests.
a. Toll-Free Phone: [TOLL-FREE NUMBER]
b. Webform: [URL]
c. Email: [PRIVACY EMAIL]
4. Verification & Response.
Requests will be verified via [two-factor method] and responded to within 45 days of receipt (extendable by up to an additional 45 days where reasonably necessary, with notice to the consumer).
5. Notice of Financial Incentives.
[DESCRIBE any loyalty or incentive program, if applicable, or insert “N/A.”]
B. VIRGINIA CONSUMER DATA PROTECTION ACT (VCDPA) ADDENDUM
1. Virginia Residents’ Rights.
a. Confirm whether we Process Personal Data;
b. Access and obtain a copy of Personal Data;
c. Correct inaccuracies;
d. Delete Personal Data;
e. Data portability;
f. Opt-out of targeted advertising, sale, or profiling.
2. Appeals.
If we deny a request, you may appeal via [EMAIL/APPEAL LINK] within 45 days. Unresolved appeals may be escalated to the Virginia Attorney General.
C. COLORADO PRIVACY ACT (CPA) ADDENDUM
1. Colorado Consumer Rights.
Same as VCDPA plus the right to opt-out through the Universal Opt-Out Mechanism (effective July 1, 2024).
2. Data Protection Assessment.
Company conducts documented Data Protection Assessments for high-risk Processing.
D. CONNECTICUT DATA PRIVACY ACT (CTDPA) ADDENDUM
1. Connecticut Consumer Rights.
Connecticut residents have the same rights and opt-out mechanisms as set forth in the VCDPA Addendum above.
2. Dark Patterns.
Company shall not obtain consent through dark patterns as defined by the CTDPA.
E. UTAH CONSUMER PRIVACY ACT (UCPA) ADDENDUM
1. Utah Consumer Rights.
Access, deletion, data portability, and opt-out of sale or targeted advertising.
2. Monetary Thresholds.
Company confirms it meets the statutory thresholds for UCPA applicability; otherwise, this Addendum is provided voluntarily.
[// GUIDANCE: Insert additional state or municipal addenda as new statutes take effect (e.g., Florida Digital Bill of Rights, Texas Data Privacy and Security Act).]
© [YEAR] [COMPANY NAME]. All rights reserved.